
Active VirusRemover 2008 has ruined my computer- what to do?

Discussion in 'Malware and Virus Removal Archive' started by Tharps, 2008/12/16.

  1. 2008/12/16 - Tharps (thread starter)

    Hello my name is Thomas,

    The other day I was downloading a TrendMicro free antivirus program and a popup came up that said, "Would you like to install virusremover 2008?" I thought that this was affiliated with the program I had just downloaded, but it turns out that it is a virus/trojan. I looked on some other websites and found that downloading Spybot or Malwarebytes would fix the problem. I downloaded both of those files, but when I would click on the program to run it, it would not start. It seems the trojan is blocking these programs from executing. Among my other symptoms are hijacked Google, disabled registry, no folder options, random popups etc etc... I am also not able to use the Panda Scanner or the Kaspersky scanner, because it says the links are broken/I don't have the rights to use them (obviously the work of the trojan). I was able to use the HijackThis program however. Here are the results:
    ----

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:28:30 PM, on 12/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\DOCUME~1\REGISR~1\LOCALS~1\Temp\winloggn.exe
    C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Regis Radio\Application Data\gadcom\gadcom.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\TEMP\BN11.tmp
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\REGISR~1\LOCALS~1\Temp\csrssc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070501
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070501
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe "
    O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [xsgds4fgffght] C:\DOCUME~1\REGISR~1\LOCALS~1\Temp\winloggn.exe
    O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Regis Radio\Desktop\RRT(2)\RRT.exe auto
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [xsgds4fgffght] C:\DOCUME~1\REGISR~1\LOCALS~1\Temp\winloggn.exe
    O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\REGISR~1\LOCALS~1\Temp\csrssc.exe
    O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Regis Radio\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
    O4 - Startup: VZAccess Manager.lnk = C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,cunyun.dll rnvdtx.dll
    O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
    O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
    O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 7693 bytes
    ----------------------------------------

    What should I do from here? My IT guy at my school says it's best to do a total system wipeout/restore deal, but I am hesitant, because it seems like this problem could be simply fixed. Thanks for the help in advance for this 'rookie' and I look forward to solving this problem.

    1st post= complete lol

    Thanks again,

    Thomas
     
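The HijackThis log above shows the persistence pattern this family uses: O4 Run entries that launch executables from the user's Temp folder and Application Data, the same randomly named value (xsgds4fgffght, Jnskdfmf9eldfd) registered under several hives at once, an O7 policy that disables regedit, extra unqualified DLLs appended to AppInit_DLLs, and an O22 SharedTaskScheduler hook. As an added example that is not part of the original post and not a WindowsBBS or Trend Micro tool, the following script applies those five checks to HijackThis-format lines. The sample input is a subset of lines copied from the log above; the rule names and the list of policy values it treats as "admin tool lockouts" are this example's own choices.

```python
"""Triage a HijackThis log for common malware persistence patterns.

Added example for this thread (not a HijackThis or forum tool). Rules:
  * O4 Run entries whose target lives in a user-writable profile/temp folder
  * the same O4 value name registered under more than one hive
  * O7 policies that disable regedit / task manager / cmd
  * AppInit_DLLs entries given as bare file names (loaded into every GUI process)
  * any O22 SharedTaskScheduler hook (rarely used by legitimate software)
"""
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [xsgds4fgffght] C:\DOCUME~1\REGISR~1\LOCALS~1\Temp\winloggn.exe
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Regis Radio\Desktop\RRT(2)\RRT.exe auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xsgds4fgffght] C:\DOCUME~1\REGISR~1\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\REGISR~1\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Regis Radio\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,cunyun.dll rnvdtx.dll
O22 - SharedTaskScheduler: KJhaiufhw3nrih7wefywjfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rsekd83jde.dll
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
O7_RE = re.compile(r'^O7 - (.+?), (\w+)=(\d+)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (.*)$')
O22_RE = re.compile(r'^O22 - SharedTaskScheduler: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')

# Locations a normal user can write to; a Run entry pointing here needs a look.
USER_WRITABLE = re.compile(
    r'\\(?:TEMP|LOCALS~1|LOCAL SETTINGS|APPLICATION DATA|APPDATA|DESKTOP|'
    r'DOCUME~1|DOCUMENTS AND SETTINGS)\\', re.I)

# Policy values that lock the user out of admin tools (example's own list).
ADMIN_TOOL_POLICIES = {'DisableRegedit', 'DisableTaskMgr', 'DisableCMD'}


def target_path(cmd):
    """Return the executable path from a Run value: the quoted part if quoted,
    otherwise everything up to the first .exe/.dll/... token."""
    m = re.match(r'"([^"]+)"|(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)', cmd, re.I)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0] if cmd.split() else cmd


def triage(log_text):
    """Return a list of (rule, subject, detail) findings for HijackThis lines."""
    findings = []
    hives_by_name = defaultdict(set)   # O4 value name -> hives it appears under
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            hives_by_name[name].add(hive.split('\\')[0])   # HKUS\S-1-5-18 -> HKUS
            path = target_path(cmd)
            if USER_WRITABLE.search(path):
                findings.append(('run-from-user-writable', name, path))
            continue
        m = O7_RE.match(line)
        if m and m.group(2) in ADMIN_TOOL_POLICIES and m.group(3) != '0':
            findings.append(('policy-disables-tool', m.group(2), m.group(1)))
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is comma/space separated; bare names resolve via the
            # DLL search path and get mapped into every user32-linked process.
            for dll in re.split(r'[,\s]+', m.group(1).strip()):
                if dll and not re.match(r'^[A-Za-z]:\\', dll):
                    findings.append(('appinit-unqualified-dll', dll, 'AppInit_DLLs'))
            continue
        m = O22_RE.match(line)
        if m:
            findings.append(('shared-task-scheduler', m.group(1), m.group(3)))
    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            findings.append(('same-run-name-in-multiple-hives', name, ','.join(sorted(hives))))
    return findings


if __name__ == '__main__':
    for rule, subject, detail in triage(SAMPLE_LOG):
        print(f'{rule:34} {subject:24} {detail}')
```

The flags are review prompts, not verdicts: the RRT-Auto entry on the Desktop is the poster's own Remove Restrictions Tool and would be cleared by an analyst, while winloggn.exe, csrssc.exe, gadcom.exe, the two AppInit DLLs and rsekd83jde.dll are exactly the files ComboFix later removed in the second post.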
  2. 2008/12/17 - Tharps (thread starter)
    I think I fixed it!!! Using a USB flash drive I installed ComboFix and I did the process, and now it doesn't seem like there's a virus anymore!!!! Can anybody okay this?

    Here's the healthy scan-

    ComboFix 08-12-16.03 - Regis Radio 2008-12-16 23:06:46.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1709 [GMT -7:00]
    Running from: c:\documents and settings\Regis Radio\Desktop\badass.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\Regis Radio\Application Data\gadcom
    c:\documents and settings\Regis Radio\Application Data\gadcom\gadcom.exe
    c:\documents and settings\Regis Radio\Local Settings\Temporary Internet Files\fbk.sts
    c:\windows\system32\cunyun.dll
    c:\windows\system32\drivers\TDSSmqlt.sys
    c:\windows\system32\drivers\Wintb20.sys
    c:\windows\system32\fCrrpOHX.dll
    c:\windows\system32\jwjaydyt.ini
    c:\windows\system32\kHaywuSj.dll
    c:\windows\system32\lxtejekw.dll
    c:\windows\system32\prunnet.exe
    c:\windows\system32\pruuvyay.ini
    c:\windows\system32\pruuvyay.ini2
    c:\windows\system32\rnvdtx.dll
    c:\windows\system32\rsekd83jde.dll
    c:\windows\system32\TDSShrxx.dll
    c:\windows\system32\TDSSkhyp.log
    c:\windows\system32\TDSSkkai.log
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSmtvd.dat
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqt.dll
    c:\windows\system32\TDSSsahc.dll
    c:\windows\system32\TDSSvkql.dll
    c:\windows\system32\TDSSxfum.dll
    c:\windows\system32\tydyajwj.dll
    c:\windows\system32\vtUlLDss.dll
    c:\windows\system32\wckvarty.dll
    c:\windows\system32\WinCtrl32.dl_
    c:\windows\system32\WinCtrl32.dll
    c:\windows\system32\wyipxwes.ini
    c:\windows\system32\yayvuurp.dll
    c:\windows\Tasks\flrijelo.job

    ----- BITS: Possible infected sites -----

    hxxp://www.nfl.com
    hxxp://static.nfl.com
    hxxp://childhe.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS
    -------\Legacy_WINTB20
    -------\Service_Wintb20


    ((((((((((((((((((((((((( Files Created from 2008-11-17 to 2008-12-17 )))))))))))))))))))))))))))))))
    .

    2008-12-16 22:32 . 2008-03-03 12:49 369,165 --ahs---- c:\windows\system32\_MsInfo.msi
    2008-12-16 22:30 . 2008-03-03 12:49 369,165 -r-h----- C:\MsInfo.msi
    2008-12-16 21:07 . 2008-12-16 21:07 <DIR> d-------- c:\program files\Trend Micro
    2008-12-16 17:30 . 2008-12-16 21:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-12-16 17:30 . 2008-12-16 21:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-16 16:16 . 2008-12-16 16:16 <DIR> d-------- c:\documents and settings\Regis Radio\Application Data\Sonic
    2008-12-16 16:04 . 2008-12-16 16:04 <DIR> d-------- c:\documents and settings\Regis Radio\Application Data\Leadertech
    2008-12-16 14:26 . 2008-12-01 13:55 812,344 --a------ C:\HJTInstall.exe
    2008-12-16 14:15 . 2008-12-16 14:15 70,144 --a------ c:\windows\system32\yaywvspp.dll
    2008-12-16 14:14 . 2007-05-01 16:37 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
    2008-12-16 14:14 . 2008-12-16 17:00 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-16 12:06 . 2008-12-16 12:06 0 --a------ c:\windows\vpc32.INI
    2008-12-16 11:58 . 2008-12-16 17:22 <DIR> d-------- c:\program files\Symantec
    2008-12-16 11:58 . 2008-12-16 17:22 <DIR> d-------- c:\program files\Common Files\Symantec Shared
    2008-12-16 11:58 . 2008-12-16 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
    2008-12-15 22:22 . 2008-12-15 22:22 16,244 --a------ c:\windows\system32\rrt_is.wav
    2008-12-15 22:22 . 2008-12-15 22:22 7,302 --a------ c:\windows\system32\rrt_vf.wav
    2008-12-15 22:22 . 2008-12-15 22:22 7,148 --a------ c:\windows\system32\rrt_tv.wav
    2008-12-15 22:22 . 2008-12-15 22:22 6,282 --a------ c:\windows\system32\rrt_tn.wav
    2008-12-15 19:11 . 2008-12-16 12:02 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-12-15 18:57 . 2004-08-04 03:00 95,744 --a------ c:\windows\system32\bat.dll
    2008-12-15 18:56 . 2008-12-16 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-12-15 17:46 . 2008-12-15 19:29 <DIR> d-------- c:\program files\Enigma Software Group
    2008-12-15 17:15 . 2008-12-15 17:07 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
    2008-12-15 17:05 . 2008-12-15 17:05 70,144 --a------ c:\windows\system32\hgggDuSL.dll
    2008-12-14 17:14 . 2008-12-14 17:14 <DIR> d-------- c:\program files\Microsoft Works
    2008-12-14 17:13 . 2008-12-14 17:13 <DIR> d-------- c:\program files\Microsoft.NET
    2008-12-14 17:10 . 2008-12-14 18:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-14 17:09 . 2008-12-14 17:09 <DIR> dr-h----- C:\MSOCache
    2008-12-14 15:06 . 2008-12-14 15:06 <DIR> d-------- c:\program files\RADVideo
    2008-12-14 11:22 . 2008-12-14 11:22 <DIR> d-------- c:\documents and settings\Regis Radio\outlook express contact
    2008-12-13 19:31 . 2008-12-13 19:31 23,832 --a------ c:\documents and settings\Regis Radio\Application Data\GDIPFONTCACHEV1.DAT
    2008-12-13 19:17 . 2008-12-13 19:17 <DIR> d-------- c:\windows\Sun
    2008-12-13 17:07 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
    2008-12-13 17:07 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys
    2008-12-13 16:55 . 2008-12-13 16:55 <DIR> d-------- c:\program files\Microsoft ActiveSync
    2008-12-13 16:55 . 2008-12-13 16:55 376 --a------ c:\windows\ODBC.INI
    2008-12-13 16:53 . 2008-12-14 17:24 <DIR> d-------- c:\windows\ShellNew
    2008-12-13 16:53 . 2008-12-13 16:53 <DIR> d-------- c:\program files\Common Files\L&H
    2008-12-06 13:59 . 2008-12-06 13:59 <DIR> d-------- c:\program files\Audacity 1.3 Beta (Unicode)
    2008-12-06 13:59 . 2008-12-16 16:15 <DIR> d-------- c:\documents and settings\Regis Radio\Application Data\Audacity
    2008-12-06 13:39 . 2008-12-06 13:39 <DIR> d-------- c:\documents and settings\Regis Radio\Application Data\Apple Computer
    2008-12-06 13:39 . 2008-04-17 13:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
    2008-12-06 13:39 . 2008-04-17 13:12 15,464 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
    2008-12-06 13:38 . 2008-12-06 13:38 <DIR> d-------- c:\program files\QuickTime
    2008-12-06 13:38 . 2008-12-06 13:39 <DIR> d-------- c:\program files\iTunes
    2008-12-06 13:38 . 2008-12-06 13:38 <DIR> d-------- c:\program files\iPod
    2008-12-06 13:38 . 2008-12-06 13:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
    2008-12-06 13:38 . 2008-12-06 13:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-06 13:37 . 2008-12-06 13:38 <DIR> d-------- c:\program files\Common Files\Apple
    2008-12-06 13:37 . 2008-12-06 13:37 <DIR> d-------- c:\program files\Apple Software Update
    2008-12-06 13:37 . 2008-12-06 13:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
    2008-12-06 13:37 . 2008-11-07 14:23 32,000 --a------ c:\windows\system32\drivers\usbaapl.sys
    2008-12-01 20:54 . 2008-12-01 20:54 <DIR> d-------- c:\documents and settings\Regis Radio\Application Data\Smith Micro
    2008-12-01 20:49 . 2008-12-01 20:49 <DIR> d-------- c:\program files\PANTECH
    2008-12-01 20:49 . 2006-11-01 15:21 319,456 --a------ c:\windows\system32\DIFxAPI.dll
    2008-12-01 20:49 . 2008-05-16 21:46 77,824 --a------ c:\windows\system32\PTDUwmcp.dll
    2008-12-01 20:49 . 2008-03-11 15:58 59,776 --a------ c:\windows\system32\drivers\PTDUWWAN.sys
    2008-12-01 20:49 . 2008-03-11 15:58 41,344 --a------ c:\windows\system32\drivers\PTDUMdm.sys
    2008-12-01 20:49 . 2008-03-11 15:58 39,936 --a------ c:\windows\system32\drivers\PTDUVsp.sys
    2008-12-01 20:49 . 2008-03-11 15:58 29,824 --a------ c:\windows\system32\drivers\PTDUBus.sys
    2008-12-01 20:48 . 2008-12-01 20:48 <DIR> d-------- c:\program files\Verizon Wireless
    2008-11-30 17:55 . 2008-11-30 17:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sprint
    2008-11-29 22:10 . 2008-12-06 13:39 <DIR> d----c--- c:\windows\system32\DRVSTORE
    2008-11-29 22:10 . 2008-10-15 11:58 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
    2008-11-29 22:09 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
    2008-11-29 22:08 . 2008-11-30 17:54 <DIR> d-------- c:\program files\Sierra Wireless
    2008-11-29 22:08 . 2008-11-30 17:54 <DIR> d-------- c:\program files\Common Files\Motorola Shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-16 23:41 --------- d-----w c:\program files\MSECache
    2008-11-16 23:37 --------- d-----w c:\program files\Winamp
    2008-11-16 23:37 --------- d-----w c:\program files\SHOUTcast
    2008-11-16 22:39 --------- d-----w c:\documents and settings\Regis Radio\Application Data\Corel
    2008-11-15 18:42 --------- d-----w c:\program files\Power Tab Software
    2008-11-08 19:00 --------- d-----w c:\documents and settings\Regis Radio\Application Data\AdobeUM
    2008-11-08 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2008-11-08 07:26 --------- d-----w c:\program files\AWCAST Broadcaster
    2008-11-08 07:22 --------- d-----w c:\program files\Windows Media Connect 2
    2008-11-16 23:46 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold "= "c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "DellSupport "= "c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "MSMSGS "= "c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    "Broadcom Wireless Manager UI "= "c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
    "Dell QuickSet "= "c:\program files\Dell\QuickSet\quickset.exe" [2006-08-03 1032192]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "dla "= "c:\windows\system32\dla\tfswctrl.exe" [2004-12-05 127035]
    "ISUSPM Startup "= "c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "Google Desktop Search "= "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-16 29744]
    "PCMService "= "c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
    "Corel Photo Downloader "= "c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2006-08-14 462336]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "RRT-Auto "= "c:\documents and settings\Regis Radio\Desktop\RRT(2)\RRT.exe" [2008-12-15 140288]
    "SigmatelSysTrayApp "= "stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

    c:\documents and settings\Regis Radio\Start Menu\Programs\Startup\
    VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2008-12-01 1746224]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-05-01 24576]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe "=
    "c:\\Program Files\\SpacialAudio\\SAMBC\\SAMBC.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=

    R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe -s []
    R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe -s []
    S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; "c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-01 29744]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2008-12-01 29824]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2008-12-01 41344]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2008-12-01 39936]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2008-12-01 59776]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\fCrrpOHX.dll
    BHO-{C68E9C25-C70B-477C-BD5B-D9380CA09799} - c:\windows\system32\yayvuurp.dll
    BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\rsekd83jde.dll
    HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
    SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\rsekd83jde.dll
    ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\fCrrpOHX.dll
    Notify-NavLogon - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.dell.com
    uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070501
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Regis Radio\Application Data\Mozilla\Firefox\Profiles\stcbyegs.default\
    FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
    FF - prefs.js: browser.startup.homepage - espn.com
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-16 23:11:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(836)
    c:\windows\System32\BCMLogon.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Firebird\Firebird_1_5\bin\fbguard.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Firebird\Firebird_1_5\bin\fbserver.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-16 23:12:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-17 06:12:35

    Pre-Run: 83,101,159,424 bytes free
    Post-Run: 83,095,089,152 bytes free

     


  4. 2008/12/18 - noahdfear
    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\system32\_MsInfo.msi
    C:\MsInfo.msi
    c:\windows\system32\yaywvspp.dll
    c:\windows\system32\hgggDuSL.dll
    c:\windows\system32\bat.dll
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    **NOTE - I recommend you allow the Recovery Console to be downloaded and installed when prompted.
     
