
Need help with Virus..."Cannot execute file....Please run Spyware"


dkamis:
I see there are others that are having issues with spyware and everyone was directed to start a new thread.  I cannot open my Task Manager, and when I open some programs it says it is a virus and cannot continue.  I also have a red X on the bottom right of my screen that keeps prompting me to buy anti-spyware programs.

Any help would be much appreciated...

evilfantasy:
Welcome to CH.

Please post the two logs that these scanners will create.

Try not to restart the computer until one of the tools we use does it for you or tells you to.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
 
There are 4 different versions. If one of them won't run, download and try to run the next one.
 
Vista and Windows 7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.pif
* Rkill.exe

* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* When finished it will create a log. Please post the rkill.log in the next reply.

* If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, try to run the following immediately.

Download and run exeHelper

* Please download exeHelper from Raktor to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up, press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com
* Add the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

dkamis:
Here are the logs.  This did get rid of some of the pop-up windows right away.

Thanks already, but is there anything else?


This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Dan on 02/14/2010 at 17:32:59.


Processes terminated by Rkill or while it was running:


C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Documents and Settings\Dan\Desktop\rkill.exe


Rkill completed on 02/14/2010  at 17:33:01.


exeHelper by Raktor
Build 20091220
Run at 17:34:53 on 02/14/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Deleting file C:\WINDOWS\system32\41.exe
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
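The three "Resetting ..." lines in the exeHelper log above are the heart of the fix for the "Cannot execute file" symptom: the rogue rewrites the registry command that launches every .exe/.com (and sometimes Winlogon's Userinit/Shell values) so that its own binary runs first. The script below is an added example, not code from the thread, exeHelper or Rkill. It parses the text of a `reg export` (.reg) file and compares the relevant values with stock Windows XP defaults, so it runs offline on any platform; on the affected machine you would export `HKCR\.exe`, `HKCR\.com`, `HKCR\exefile`, `HKCR\comfile` and the Winlogon key first and feed the concatenated files to `check_shell_hijacks()`. The sample export and the `rogue.exe` path are constructed for the demo, and the `C:\WINDOWS` prefix in the expected Userinit value assumes the install directory seen in this thread's logs.

```python
"""Compare the registry values that decide how .exe/.com files launch, and what
Winlogon starts, against stock Windows XP defaults.

Added example (not from the thread): input is the text of a .reg export, so
the check runs offline. SAMPLE_REG is constructed; 'rogue.exe' is made up.
"""
import re

# Stock values. A rogue anti-virus rewrites the exefile command so every
# program launch passes through its own binary first ("Cannot execute file").
# Assumption: Windows is installed in C:\WINDOWS, as in the logs above.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\.com": {"@": "comfile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": {"@": '"%1" %*'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
        "Shell": "Explorer.exe",
    },
}

# Constructed sample export: only the exefile command has been hijacked.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\rogue.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Shell"="Explorer.exe"
"""

_KEY = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<val>.*)"\s*$')


def _unescape(s):
    # In .reg string values a backslash quotes the next character (\\ and \").
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: string}} for the REG_SZ values in a .reg export.
    The default value is stored under the name "@"; non-string types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        km = _KEY.match(line)
        if km:
            current = keys.setdefault(km.group(1), {})
            continue
        vm = _VALUE.match(line)
        if vm and current is not None:
            current[vm.group("name") or "@"] = _unescape(vm.group("val"))
    return keys


def check_shell_hijacks(text):
    """List (key, value_name, found, expected) for every value that is missing
    from the export or differs from the stock default (case-insensitive).
    An empty list means none of the checked launch paths is hijacked."""
    found = parse_reg(text)
    findings = []
    for key, values in EXPECTED.items():
        for name, want in values.items():
            got = found.get(key, {}).get(name)
            if got is None or got.lower() != want.lower():
                findings.append((key, name, got, want))
    return findings


if __name__ == "__main__":
    for key, name, got, want in check_shell_hijacks(SAMPLE_REG):
        print(f"{key} [{name}]\n  found:    {got!r}\n  expected: {want!r}")
```

One caveat when you run this on a real machine: HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\Software\Classes overrides HKEY_LOCAL_MACHINE\Software\Classes, so a hijack planted only under the user's hive is invisible if you export the HKLM side alone; export HKCR itself (the merged view) or both hives.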


evilfantasy:

--- Quote from: dkamis on February 14, 2010, 05:36:21 PM ---Thanks already, but is there anything else?

--- End quote ---

Yes. That just got it to where we can do what is needed to actually remove the malware.


If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

dkamis:
My background is back to normal and I'm not getting the error anymore.  What should I do now?

I can't thank you enough.  I spent a good 3 hours trying to troubleshoot this problem.

ComboFix 10-02-12.01 - Dan 02/14/2010  19:17:25.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.2046.1202 [GMT -7:00]
Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}
c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}\chrome.manifest
c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}\chrome\content\_cfg.js
c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}\chrome\content\overlay.xul
c:\documents and settings\Dan\Local Settings\Application Data\{A367E2B0-92DA-41DF-8217-2979DC43F88A}\install.rdf
c:\windows\azepevog.dll
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\41.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\helper32.dll
c:\windows\system32\IS15.exe
c:\windows\system32\kekiyala.dll
c:\windows\system32\libupune.dll
c:\windows\system32\namavahe.dll
c:\windows\system32\remebeyi.dll
c:\windows\system32\smss32.exe
c:\windows\system32\twain_32.dll
c:\windows\system32\vegorohi.dll
c:\windows\system32\warning.html
c:\windows\system32\winlogon32.exe
c:\windows\Sysvxd.exe
c:\windows\Tasks\hgvedarf.job
c:\windows\TEMP\logishrd\LVPrcInj02.dll

.
(((((((((((((((((((((((((   Files Created from 2010-01-15 to 2010-02-15  )))))))))))))))))))))))))))))))
.

2010-02-14 19:59 . 2009-12-02 13:19   15880   ----a-w-   c:\windows\system32\lsdelete.exe
2010-02-14 19:43 . 2010-02-14 19:43   --------   d-----w-   c:\documents and settings\HelpAssistant\UserData
2010-02-14 19:43 . 2010-02-14 19:43   --------   d-----w-   c:\documents and settings\HelpAssistant\PrivacIE
2010-02-14 19:37 . 2010-02-14 23:25   --------   d-----w-   c:\documents and settings\HelpAssistant\IETldCache
2010-02-14 18:36 . 2010-02-14 18:36   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-14 18:35 . 2010-02-14 18:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-14 18:35 . 2010-02-14 18:35   --------   d-----w-   c:\program files\Lavasoft
2010-02-14 17:26 . 2010-02-14 17:26   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-02-13 23:14 . 2010-02-15 01:56   120   ----a-w-   c:\windows\Psazabul.dat
2010-02-13 23:14 . 2010-02-14 17:24   0   ----a-w-   c:\windows\Uxivarowijehulal.bin
2010-02-10 14:00 . 2010-02-10 14:00   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
2010-02-02 08:09 . 2010-02-02 08:09   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-20 01:07 . 2010-01-20 01:07   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\SupportSoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 02:34 . 2008-02-24 01:47   --------   d-----w-   c:\documents and settings\Dan\Application Data\uTorrent
2010-02-15 02:32 . 2008-02-23 22:17   0   ----a-w-   c:\windows\system32\drivers\lvuvc.hs
2010-02-15 02:32 . 2008-10-26 13:12   0   ----a-w-   c:\windows\system32\drivers\logiflt.iad
2010-02-10 13:36 . 2008-02-23 22:09   --------   d-----w-   c:\documents and settings\Dan\Application Data\Skype
2010-02-10 07:07 . 2008-02-23 22:10   --------   d-----w-   c:\documents and settings\Dan\Application Data\skypePM
2010-02-09 02:52 . 2009-11-14 20:56   --------   d-----w-   c:\program files\Microsoft Windows OneCare Live
2010-02-02 08:04 . 2008-02-21 14:05   --------   d-----w-   c:\program files\Google
2010-01-22 10:16 . 2009-01-21 05:08   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-01-14 10:01 . 2008-10-26 20:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-04 05:31 . 2010-01-04 05:31   --------   d-----w-   c:\documents and settings\LocalService\Application Data\DivX
2010-01-03 20:27 . 2010-01-03 20:13   --------   d-----w-   c:\program files\TVersity Codec Pack
2010-01-03 20:27 . 2010-01-03 20:27   --------   d-----w-   c:\program files\ffdshow
2010-01-03 20:13 . 2010-01-03 20:13   --------   d-----w-   c:\program files\TVersity
2010-01-03 20:00 . 2010-01-03 20:00   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\DivX
2009-12-30 22:09 . 2008-02-24 00:55   86512   ----a-w-   c:\documents and settings\Danielle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-30 22:07 . 2008-07-19 16:26   86512   ----a-w-   c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-21 19:14 . 2004-08-10 18:51   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-12-14 19:15 . 2009-12-14 19:15   2146304   ----a-w-   c:\windows\system32\GPhotos.scr
2009-11-21 16:36 . 2004-08-10 18:50   470528   ----a-w-   c:\windows\AppPatch\aclayers.dll
2009-12-30 22:09 . 2009-12-30 22:09   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2009-02-24 19:34 . 2009-02-24 19:34   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
1601-01-01 00:03 . 1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\bejevopu.dll
1601-01-01 00:03 . 1601-01-01 00:03   39424   --sha-w-   c:\windows\system32\dejegima.dll
1601-01-01 00:03 . 1601-01-01 00:03   93696   --sha-w-   c:\windows\system32\dukiteli.dll
1601-01-01 00:03 . 1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\fomuboza.dll
1601-01-01 00:03 . 1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\giremasu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   93184   --sha-w-   c:\windows\system32\hulutozu.dll
1601-01-01 00:03 . 1601-01-01 00:03   39424   --sha-w-   c:\windows\system32\jipiluho.dll
1601-01-01 00:03 . 1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\jobiwaje.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   93696   --sha-w-   c:\windows\system32\kenajibo.dll
1601-01-01 00:03 . 1601-01-01 00:03   39424   --sha-w-   c:\windows\system32\mepepora.dll
1601-01-01 00:03 . 1601-01-01 00:03   39424   --sha-w-   c:\windows\system32\motuzesu.dll
1601-01-01 00:03 . 1601-01-01 00:03   52224   --sha-w-   c:\windows\system32\namogizu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   39424   --sha-w-   c:\windows\system32\ninapega.dll
1601-01-01 00:03 . 1601-01-01 00:03   39424   --sha-w-   c:\windows\system32\nufejoda.dll
1601-01-01 00:03 . 1601-01-01 00:03   39424   --sha-w-   c:\windows\system32\pitajayi.dll
1601-01-01 00:03 . 1601-01-01 00:03   39424   --sha-w-   c:\windows\system32\sudinasu.dll
1601-01-01 00:03 . 1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\tebapema.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   52224   --sha-w-   c:\windows\system32\vogomiyi.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   52224   --sha-w-   c:\windows\system32\wamonewe.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03   93184   --sha-w-   c:\windows\system32\yuvodufu.dll
1601-01-01 00:03 . 1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\zowujeba.dll
1601-01-01 00:03 . 1601-01-01 00:03   93184   --sha-w-   c:\windows\system32\zuhiwuji.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1e9788dd-adaa-4254-afe2-a3285f7ae197}]
1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\fomuboza.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-21 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-04-18 2356088]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-11-29 289584]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-30 30192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-07-09 65240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-2-21 24576]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli mautcfc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\Quickcare\bin\sprtcmd.exe /P QuickCare

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Drag-to-Disc\\DrgToDsc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [7/9/2009 12:15 PM 26104]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/2/2010 1:04 AM 135664]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2008 7:05 AM 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 6:19 AM 1184912]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 13:19]

2010-02-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 08:04]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 08:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080221
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: turbotax.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: {3BF72F68-72D8-461D-A884-329D936C5581} - hxxp://www.totsites.com/admin2/includes/imageuploader5_5_6/ImageUploader5.cab
DPF: {BBF89515-EDB6-4236-8FBB-B6045290076D} - hxxp://www.totsites.com/admin2/includes/imageuploader2/ImageUploader4.cab
FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\htcibwlm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ufck.org/forums/
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\htcibwlm.default\extensions\[email protected]\plugins\npdevalvr.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-smss32.exe - c:\windows\system32\smss32.exe
HKLM-Run-Vmafoyohovojamaz - c:\windows\azepevog.dll
HKLM-Run-pitotuduf - c:\windows\system32\kekiyala.dll
HKLM-Run-sesuhiyupu - namavahe.dll
SharedTaskScheduler-{6bcd5124-841e-4944-b780-726f8df5a22d} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{04911ed9-e11b-4c9f-a6b9-4abf32464b74} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{216493bc-aa17-44ee-aea7-0c08d17f446d} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{a70d5985-a487-4cb3-a3fb-2cb374e259c0} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{979b9cc0-6b2d-4b68-a537-473c449c22c9} - c:\windows\system32\libupune.dll
SharedTaskScheduler-{d11e4d95-f67b-45a6-a43a-27ef75d1fe4c} - c:\windows\system32\kekiyala.dll
SSODL-bibolurej-{6bcd5124-841e-4944-b780-726f8df5a22d} - c:\windows\system32\libupune.dll
SSODL-kiyefefem-{04911ed9-e11b-4c9f-a6b9-4abf32464b74} - c:\windows\system32\libupune.dll
SSODL-yikebosop-{216493bc-aa17-44ee-aea7-0c08d17f446d} - c:\windows\system32\libupune.dll
SSODL-higakekil-{a70d5985-a487-4cb3-a3fb-2cb374e259c0} - c:\windows\system32\libupune.dll
SSODL-rutepivim-{979b9cc0-6b2d-4b68-a537-473c449c22c9} - c:\windows\system32\libupune.dll
SSODL-behehuzef-{d11e4d95-f67b-45a6-a43a-27ef75d1fe4c} - c:\windows\system32\kekiyala.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 19:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x891A28A0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\iaStor -> 0x891a28a0
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Intel(R) 82562V 10/100 Network Connection -> SendCompleteHandler -> 0x88935330
 PacketIndicateHandler -> NDIS.sys @ 0xb9d9bb21
 SendHandler -> NDIS.sys @ 0xb9d7987b
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\mautcfc.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(9940)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\mautcfc.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\TVersity\Media Server\MediaServer.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\logitech\quickcam\lu\lulnchr.exe
c:\program files\logitech\quickcam\lu\LogitechUpdate.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-02-14  19:44:59 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-15 02:44

Pre-Run: 209,102,614,528 bytes free
Post-Run: 211,878,346,752 bytes free

- - End Of File - - 09D9A1ED619EC56725E7AA1332F515FC
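Several things in the ComboFix log above are worth a second look even though the "Other Deletions" section is gone: the numeric-named and system-process-lookalike executables in system32 (`41.exe`, `11478.exe`, `smss32.exe`, `winlogon32.exe`), the eight-letter hidden+system DLLs whose timestamps are 1601-01-01 (FILETIME zero, i.e. stomped), `mautcfc.dll` in the LSA `Notification Packages` list (which is why it shows up loaded inside `lsass.exe` further down; LSA loads those DLLs the same way it loads password filters), `EnableFirewall = 0` plus several high ports opened under the generic name "Services", and the rogue's purchase domains added to IE's Trusted Zone. The script below is an added example, not part of the thread and not a ComboFix feature: a handful of regex checks that pull those indicators out of the log text. It runs here on a trimmed excerpt of the log posted above; the "known good" LSA package list and the port threshold are my assumptions.

```python
"""Triage a ComboFix log for the indicators discussed above.

Added example, not part of the thread: regex checks over the log text.
LOG_EXCERPT is a trimmed copy of lines from the ComboFix log posted above.
"""
import re
from collections import Counter

LOG_EXCERPT = r"""
c:\windows\system32\11478.exe
c:\windows\system32\41.exe
c:\windows\system32\smss32.exe
c:\windows\system32\winlogon32.exe
1601-01-01 00:03 . 1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\bejevopu.dll
1601-01-01 00:03 . 1601-01-01 00:03   53760   --sha-w-   c:\windows\system32\giremasu.dll.tmp
2009-12-21 19:14 . 2004-08-10 18:51   916480   ----a-w-   c:\windows\system32\wininet.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages   REG_MULTI_SZ      scecli mautcfc.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: turbotax.com
Trusted Zone: buy-internetsecurity10.com
- - - - - - - > 'lsass.exe'(800)
c:\windows\mautcfc.dll
"""

# Names impersonating real system processes (smss32.exe next to smss.exe).
LOOKALIKE = re.compile(r"\\(?:smss|winlogon|csrss|svchost|lsass)\d+\.exe$", re.I)
NUMERIC_EXE = re.compile(r"\\system32\\\d+\.exe$", re.I)
# FILETIME zero (1601-01-01) plus system+hidden attributes on an 8-letter dll.
ZERO_TIME_HIDDEN = re.compile(
    r"^1601-01-01 .*--sha-w-\s+(c:\\windows\\system32\\[a-z]{8}\.dll(?:\.tmp)?)$", re.I | re.M)
LSA_PKGS = re.compile(r"^Notification Packages\s+REG_MULTI_SZ\s+(.+)$", re.M)
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$', re.M)
TRUSTED = re.compile(r"^Trusted Zone:\s*(\S+)$", re.M)
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b', re.M)
GENERIC_PORT_NAMES = {"services"}   # assumption: label used by the rogue here
EPHEMERAL_START = 49151              # assumption: flag anything above this


def suspicious_executables(log):
    """Numeric-named or system-process-lookalike .exe paths under system32."""
    return [ln.strip() for ln in log.splitlines()
            if NUMERIC_EXE.search(ln.strip()) or LOOKALIKE.search(ln.strip())]


def zero_timestamp_hidden_dlls(log):
    """Random 8-letter system32 DLLs with zeroed timestamps and +s+h attributes."""
    return ZERO_TIME_HIDDEN.findall(log)


def non_default_lsa_packages(log, known=("scecli",)):
    """LSA Notification Packages beyond the stock list; each is loaded into lsass.exe."""
    m = LSA_PKGS.search(log)
    return [p for p in m.group(1).split() if p.lower() not in known] if m else []


def firewall_findings(log):
    """Disabled firewall and globally open ports with a generic label or a high number."""
    findings = []
    if FIREWALL_OFF.search(log):
        findings.append("Windows Firewall standard profile disabled (EnableFirewall=0)")
    for port, proto, name in OPEN_PORT.findall(log):
        if name.strip().lower() in GENERIC_PORT_NAMES or int(port) > EPHEMERAL_START:
            findings.append(f"open {port}/{proto} labelled {name.strip()!r}")
    return findings


def trusted_zone_domains(log):
    """Domains in IE's Trusted Zone with their occurrence count; review each by hand."""
    return Counter(TRUSTED.findall(log))


def triage(log):
    return {
        "executables": suspicious_executables(log),
        "hidden_dlls": zero_timestamp_hidden_dlls(log),
        "lsa_packages": non_default_lsa_packages(log),
        "firewall": firewall_findings(log),
        "trusted_zones": dict(trusted_zone_domains(log)),
    }


if __name__ == "__main__":
    for section, hits in triage(LOG_EXCERPT).items():
        print(f"{section}: {hits}")
```

Run it against the full log saved as a text file (`triage(open("ComboFix.txt").read())`) and you get the same five lists with everything the excerpt left out, for example the other `Services` ports (3246, 2479) and the rest of the 1601-dated DLLs. The Trusted Zone list is deliberately returned whole rather than filtered: anything the user did not add themselves (here the `buy-internetsecurity10.com` / `is-software-download*.com` family) is the rogue's, and the duplicates show it was written more than once.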
