Topic: Weird virus (Read 6011 times)


    alienwarem7700 (Topic Starter, Rookie)
    Weird virus
    « on: March 22, 2010, 06:30:40 PM »
    I saved a HijackThis file, so I'm going to copy and paste that, but when I boot my computer the bottom taskbar is locked in the hidden position (Windows XP SP3). Also the internet sends me to a Belkin hotel login screen. Finally, besides other problems, I cannot drag and drop or open Malwarebytes. I have KAV 2010 and it cannot find anything.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:59:15 AM, on 3/22/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253326129388
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253326163263
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe

    --
    End of file - 3959 bytes
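Added example, not part of the original post or of HijackThis itself: a small Python triage script that reads log lines in the v2.0.2 format shown above, pulls out the file each entry points at, and separates orphaned entries (the ones HijackThis prints as "(no file)", such as the nameless O2 BHO above) from the executables that actually start automatically. The sample log embedded in it is constructed from a few of the lines in this post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines in the HijackThis v2 format, copied from
# the log above, including the nameless O2 entry whose DLL no longer exists.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
QUOTED_RE = re.compile(r'"([^"]+)"')


@dataclass
class Entry:
    code: str            # section code such as "O2" (BHO) or "O4" (Run key)
    body: str            # text after the "O2 - " prefix
    path: Optional[str]  # on-disk target the entry points at, when one can be extracted


def extract_path(code: str, body: str) -> Optional[str]:
    """Pull the target out of an entry using the per-section layout HijackThis prints."""
    if code in ("O2", "O3", "O9", "O16", "O23"):
        # "BHO: name - {CLSID} - path", "Service: name - company - path": target is last
        return body.rsplit(" - ", 1)[-1].strip()
    if code == "O4":
        # 'HKLM\..\Run: [name] "path" args (User ...)': the quoted token is the executable
        m = QUOTED_RE.search(body)
        if m:
            return m.group(1)
        rest = body.split("]", 1)[1].strip() if "]" in body else body
        return rest.split(" ", 1)[0]
    return None  # R0/R1 URL settings and the like carry no file path


def parse_log(text: str) -> List[Entry]:
    """Turn the log into Entry records, ignoring headers, process lists and blank lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            code, body = m.group("code"), m.group("body")
            entries.append(Entry(code, body, extract_path(code, body)))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose target file is gone; HijackThis prints '(no file)' for them.
    They are leftovers rather than running code, but are the usual clean-up candidates."""
    return [e for e in entries if e.path == "(no file)"]


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def triage(text: str) -> dict:
    """Summary a helper would read first: which sections are present, which entries are
    orphaned, and every executable that starts automatically (Run keys and services)."""
    entries = parse_log(text)
    return {
        "sections": section_counts(entries),
        "orphans": [e.body for e in orphaned_entries(entries)],
        "autostarts": [e.path for e in entries if e.code in ("O4", "O23") and e.path],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The "autostarts" list is the part worth reading against the add/remove programs list: every path in it should belong to something the owner knowingly installed.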

    SuperDave (Malware Removal Specialist, Moderator)
    Re: Weird virus
    « Reply #1 on: March 23, 2010, 08:42:10 AM »
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.
    Save Rkill to your desktop.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.exe
    Rkill.com
    Rkill.scr
    Rkill.pif

    Once you've gotten one of them to run, then try to immediately run the following.

    Now download and run exeHelper.

    Please download exeHelper from Raktor to your desktop.
    • Double-click on exeHelper.com to run the fix. A black window should pop up; press any key to close once the fix is completed. A log file named log.txt will be created in the directory where you ran exeHelper.com. Attach the log.txt file to your next message.

      Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
      ================================

      SUPERAntiSpyware

      If you already have SUPERAntiSpyware be sure to check for updates before scanning!


      Download SuperAntispyware Free Edition (SAS)
      • Double-click the icon on your desktop to run the installer.
      • When asked to Update the program definitions, click Yes.
      • If you encounter any problems while downloading the updates, manually download and unzip them from here.
      • Next click the Preferences button.
      • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts.
      • Click the Scanning Control tab.
      • Under Scanner Options make sure only the following are checked:
        • Close browsers before scanning
        • Scan for tracking cookies
        • Terminate memory threats before quarantining
        Please leave the others unchecked.
      • Click the Close button to leave the control center screen.
      • On the main screen click Scan your computer.
      • On the left check the box for the drive you are scanning.
      • On the right choose Perform Complete Scan.
      • Click Next to start the scan. Please be patient while it scans your computer.
      • After the scan is complete a summary box will appear. Click OK.
      • Make sure everything in the white box has a check next to it, then click Next.
      • It will quarantine what it found and if it asks if you want to reboot, click Yes.

      To retrieve the removal information please do the following:
      • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (preferably Notepad).
      • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
      • Save the log somewhere you can easily find it (normally the desktop).
      • Click close and close again to exit the program.
      • Copy and paste the log in your post.
      ================================
      Malwarebytes' Anti-Malware (MBAM)

      If you already have Malwarebytes be sure to check for updates before scanning!


      Download Malwarebytes Anti-Malware and save it to your desktop. Alternate download link

      •Double-click mbam-setup.exe and follow the prompts to install the program.

      •Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

      If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

      •If an update is found, it will download and install the latest version.
      •Once the program has loaded, select Perform Quick Scan, then click Scan.

      •When the scan is complete, click OK, then Show Results to view the results.

      •Be sure that everything is checked, and click Remove Selected.

      •When completed, a log will open in Notepad. Save it to a convenient location like the Desktop.

      •The log is also automatically saved and can be viewed later by clicking the Logs tab in MBAM.

      Copy and Paste the contents of the report in your reply.

      •Exit MBAM.
      Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


    Windows 8 and Windows 10 dual boot with two SSD's

      alienwarem7700 (Topic Starter, Rookie)
      Re: Weird virus
      « Reply #2 on: March 23, 2010, 01:34:34 PM »
      OK, this is what I got. I couldn't install SAS because the Windows Installer service wasn't started (I can't start this manually, or any service). Also, when I ran Rkill it closed the whole shell, so I had to run taskmgr and then start explorer.exe in order to continue. I will copy and paste the logs (all the files were transferred using a flash drive, considering I can't get online with the other computer).

      Also, I don't know if I had mentioned before that Malwarebytes will not open. Here is the error:
      "Run-time error '372':
      failed to load control 'vbalsGrid' form vbalgrind6.ocx.   Your version of vbalsgrind6.osx may be outdated.  Make sure you are using the latest version of the control that was provided with your application. "

      exeHelper by Raktor
      Build 20091220
      Run at 17:32:46 on 03/23/10
      Now searching...
      Checking for numerical processes...
      Checking for sysguard processes...
      Checking for bad processes...
      Checking for bad files...
      Checking for bad registry entries...
      Resetting filetype association for .exe
      Resetting filetype association for .com
      Resetting userinit and shell values...
      Resetting policies...
      --Finished--


      This log file is located at C:\rkill.log.
      Please post this only if requested to by the person helping you.
      Otherwise you can close this log when you wish.
      Ran as Owner on 03/23/2010 at 17:31:19.


      Processes terminated by Rkill or while it was running:




      Rkill completed on 03/23/2010  at 17:31:25.
       

      I'm stumped.
       
      « Last Edit: March 23, 2010, 01:48:04 PM by alienwarem7700 »
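The exeHelper log above reports resetting the .exe and .com file-type associations, the Winlogon userinit and shell values, and policies. Those are the settings that get changed so that tools like Malwarebytes will not launch: if the exefile "open" command points at some other program, that program runs in place of whatever was double-clicked. Added example, not from this thread or from exeHelper: a Python checker that reads a REGEDIT4-style export (the text format ComboFix also uses for its registry loading points) and compares those settings against the Windows XP defaults. The embedded export is constructed; the tampered exefile command in it points at a hypothetical placeholder path and DisableRegistryTools has been set, everything else is the stock value.

```python
import re
from typing import Dict, List, Tuple, Union

# Constructed sample export in REGEDIT4 format. The exefile command has been
# altered to a hypothetical placeholder path to show what a hijacked
# association looks like, and DisableRegistryTools is set; the rest is default.
SAMPLE_EXPORT = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Documents and Settings\\Owner\\Local Settings\\hypothetical_hijack.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000001
"""

# Clean Windows XP values for the settings exeHelper resets: (key, value name) -> data.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED: Dict[Tuple[str, str], str] = {
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
    (r"HKEY_CLASSES_ROOT\comfile\shell\open\command", "@"): '"%1" %*',
}
# Policies that lock the user out of the tools a clean-up relies on.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LOCKOUT_POLICIES = ("DisableTaskMgr", "DisableRegistryTools")

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def decode_data(data: str) -> Union[str, int]:
    """Decode a REGEDIT4 data field: quoted strings use \\ and \" escapes, dword is hex."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex: and expandable-string values are left undecoded


def parse_regedit4(text: str) -> Dict[str, Dict[str, Union[str, int]]]:
    """Map each key (lower-cased, registry keys are case-insensitive) to its values."""
    reg: Dict[str, Dict[str, Union[str, int]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("key").lower()
            reg.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = "@" if val.group("default") else val.group("name")
            reg[current][name] = decode_data(val.group("data"))
    return reg


def audit(export_text: str) -> List[str]:
    """One finding per setting that is missing, differs from the clean value, or locks tools out."""
    reg = parse_regedit4(export_text)
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = reg.get(key.lower(), {}).get(name)
        if actual is None:
            findings.append(f"missing: {key}\\{name}")
        elif str(actual).lower() != expected.lower():
            findings.append(f"modified: {key}\\{name} = {actual!r} (expected {expected!r})")
    policies = reg.get(POLICY_KEY.lower(), {})
    for pol in LOCKOUT_POLICIES:
        if policies.get(pol) == 1:
            findings.append(f"policy set: {POLICY_KEY}\\{pol} = 1")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

A real export of these keys can be produced with `reg export` or regedit's File > Export and fed to `audit()` unchanged; comparing against known-good values is what tools like exeHelper do before resetting them.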

      SuperDave (Malware Removal Specialist, Moderator)
      Re: Weird virus
      « Reply #3 on: March 23, 2010, 07:16:18 PM »
      Ok. Let's try this.
      Please download ComboFix from BleepingComputer.com

      Alternate link: GeeksToGo.com

      Alternate link: Forospyware.com

      Rename ComboFix.exe to commy.exe before you save it to your Desktop.
      Important: Rename it before you save it to your flash drive.
      • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found here.
      • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
      • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
      • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


      Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      • Click on Yes, to continue scanning for malware.
      • When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

        alienwarem7700 (Topic Starter, Rookie)
        Re: Weird virus
        « Reply #4 on: March 23, 2010, 08:20:35 PM »
        I have run combofx several times. I will get the txt file shortly.

          alienwarem7700 (Topic Starter, Rookie)
          Re: Weird virus
          « Reply #5 on: March 23, 2010, 08:33:37 PM »
          OK, this is the file from the last time I ran it, the quarantined file, and a txt file named add/remove programs.

          What I found that was odd is they were not found under the combofx folder but in a folder c:\qoobox (I did not create this file).


          First is the last time it ran:
          ComboFix 10-03-14.04 - Owner 03/14/2010  22:30:07.1.1 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.958.559 [GMT -4:00]
          Running from: c:\documents and settings\Owner\Desktop\Combofx.exe
           * Created a new restore point
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\docume~1\Owner\LOCALS~1\Temp\install_flash_player.exe
          c:\program files\Cheat Engine\dbk32.sys
          c:\recycler\S-1-5-21-2557824024-1178833378-110756417-500

          .
          (((((((((((((((((((((((((   Files Created from 2010-02-15 to 2010-03-15  )))))))))))))))))))))))))))))))
          .

          2010-03-11 04:20 . 2010-03-11 04:59   --------   d-----w-   c:\documents and settings\Owner\Application Data\Apple Computer
          2010-03-11 04:20 . 2009-05-18 19:17   26600   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
          2010-03-11 04:20 . 2008-04-17 18:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
          2010-03-11 04:19 . 2010-03-11 04:19   --------   d-----w-   c:\program files\iPod
          2010-03-11 04:18 . 2010-03-11 04:20   --------   d-----w-   c:\program files\iTunes
          2010-03-11 04:18 . 2010-03-11 04:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
          2010-03-11 04:18 . 2010-03-11 04:18   --------   d-----w-   c:\program files\Bonjour
          2010-03-11 04:17 . 2010-03-11 04:18   --------   d-----w-   c:\program files\QuickTime
          2010-03-11 04:17 . 2010-03-11 04:18   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
          2010-03-11 04:17 . 2010-03-11 04:17   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Apple
          2010-03-11 04:17 . 2010-03-11 04:17   --------   d-----w-   c:\program files\Apple Software Update
          2010-03-11 04:17 . 2009-08-29 00:42   40448   ----a-w-   c:\windows\system32\drivers\usbaapl.sys
          2010-03-11 04:17 . 2009-08-29 00:42   2065696   ----a-w-   c:\windows\system32\usbaaplrc.dll
          2010-03-11 04:16 . 2010-03-11 04:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
          2010-03-11 04:16 . 2010-03-11 04:19   --------   d-----w-   c:\program files\Common Files\Apple
          2010-03-11 04:01 . 2009-10-23 15:28   3558912   -c----w-   c:\windows\system32\dllcache\moviemk.exe
          2010-03-04 04:29 . 2010-03-11 05:05   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\Apple Computer
          2010-02-18 03:45 . 2010-02-18 03:45   --------   d-----w-   c:\program files\YouTube Downloader
          2010-02-18 03:43 . 2010-02-18 03:43   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\TubeTilla
          2010-02-18 03:10 . 2010-02-18 03:11   --------   d-----w-   c:\documents and settings\Owner\Application Data\ManyCam
          2010-02-18 03:10 . 2010-02-18 03:11   --------   d-----w-   c:\program files\ManyCam 2.4
          2010-02-15 23:41 . 2010-02-15 23:41   72488   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-03-15 02:33 . 2010-02-04 04:16   --------   d-----w-   c:\program files\Cheat Engine
          2010-03-15 02:24 . 2009-12-16 02:52   --------   d-----w-   c:\documents and settings\Owner\Application Data\uTorrent
          2010-03-15 01:05 . 2009-12-17 04:37   --------   d-----w-   c:\program files\PeerGuardian2
          2010-03-13 17:27 . 2009-12-16 02:52   --------   d-----w-   c:\program files\uTorrent
          2010-02-24 14:16 . 2009-10-04 03:55   181632   ------w-   c:\windows\system32\MpSigStub.exe
          2009-12-31 16:50 . 2006-06-17 09:23   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
          2009-12-22 05:21 . 2006-06-17 09:23   667136   ----a-w-   c:\windows\system32\wininet.dll
          2009-12-22 05:20 . 2006-06-17 09:23   81920   ----a-w-   c:\windows\system32\ieencode.dll
          2009-12-17 04:32 . 2009-12-17 04:32   411368   ----a-w-   c:\windows\system32\deploytk.dll
          2009-12-17 04:31 . 2009-12-17 04:31   152576   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
          2009-12-17 04:31 . 2009-12-17 04:31   79488   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
          2009-12-16 18:43 . 2006-06-17 09:35   343040   ----a-w-   c:\windows\system32\mspaint.exe
          2009-12-16 13:35 . 2009-12-16 13:35   128   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
          2009-12-16 05:16 . 2009-09-19 02:14   4844296   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Power2GoExpress"="NA" [X]
          "Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-19 133104]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
          "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-21 61440]
          "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
          "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-17 149280]
          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
          @="Service"

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
          2009-09-01 02:57   169984   ----a-w-   c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
          2009-09-19 02:44   133104   ----atw-   c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
          2010-02-15 23:07   141608   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
          2009-07-26 20:44   3883856   ----a-w-   c:\program files\Windows Live\Messenger\msnmsgr.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
          "PrismXL"=2 (0x2)
          "WMPNetworkSvc"=3 (0x3)
          "WinDefend"=2 (0x2)
          "ose"=3 (0x3)
          "JavaQuickStarterService"=2 (0x2)
          "iPod Service"=3 (0x3)
          "idsvc"=3 (0x3)
          "Bonjour Service"=2 (0x2)
          "ATI Smart"=2 (0x2)
          "Ati HotKey Poller"=2 (0x2)
          "Apple Mobile Device"=2 (0x2)

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\AIM\\aim.exe"=
          "c:\\Program Files\\Messenger\\msmsgs.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
          "c:\\Program Files\\uTorrent\\uTorrent.exe"=
          "c:\\WINDOWS\\system32\\sessmgr.exe"=
          "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
          "c:\\WINDOWS\\system32\\dpvsetup.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=

          R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [9/20/2009 11:20 PM 14976]
          R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/31/2009 10:26 PM 200576]
          R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 AM 21632]
          R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

          --- Other Services/Drivers In Memory ---

          *Deregistered* - pgfilter
          .
          Contents of the 'Scheduled Tasks' folder

          2010-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

          2010-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1861525334-4237561970-3360464881-1006Core.job
          - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-19 02:44]

          2010-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1861525334-4237561970-3360464881-1006UA.job
          - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-19 02:44]

          2009-09-19 c:\windows\Tasks\ISP signup reminder 3.job
          - c:\windows\system32\OOBE\oobebaln.exe [2006-06-17 00:12]

          2010-03-14 c:\windows\Tasks\MP Scheduled Scan.job
          - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
          .
          .
          ------- Supplementary Scan -------
          .
          uInternet Settings,ProxyOverride = *.local
          uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          .

          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-03-14 22:33
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(672)
          c:\windows\system32\Ati2evxx.dll
          .
          Completion time: 2010-03-14  22:35:18
          ComboFix-quarantined-files.txt  2010-03-15 02:35

          Pre-Run: 72,925,417,472 bytes free
          Post-Run: 73,000,374,272 bytes free

          WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

          - - End Of File - - 0C6092FE8EC49C9F9B91E6ECF76B3941



          Next is the add/remove programs file(?):

          µTorrent
          7-Zip 4.65
          Active@ ISO Burner
          Adobe Flash Player 10 ActiveX
          Adobe Flash Player 10 Plugin
          AIM 7
          Apple Application Support
          Apple Mobile Device Support
          Apple Software Update
          ATI - Software Uninstall Utility
          ATI Catalyst Control Center
          ATI Display Driver
          ATITool Overclocking Utility
          Bonjour
          Catalyst Control Center - Branding
          Catalyst Control Center Core Implementation
          Catalyst Control Center Graphics Full Existing
          Catalyst Control Center Graphics Full New
          Catalyst Control Center Graphics Light
          Catalyst Control Center Graphics Previews Common
          Catalyst Control Center HydraVision Full
          Catalyst Control Center Localization All
          ccc-core-preinstall
          ccc-core-static
          ccc-utility
          CCC Help Chinese Standard
          CCC Help Chinese Traditional
          CCC Help Czech
          CCC Help Danish
          CCC Help Dutch
          CCC Help English
          CCC Help Finnish
          CCC Help French
          CCC Help German
          CCC Help Greek
          CCC Help Hungarian
          CCC Help Italian
          CCC Help Japanese
          CCC Help Korean
          CCC Help Norwegian
          CCC Help Polish
          CCC Help Portuguese
          CCC Help Russian
          CCC Help Spanish
          CCC Help Swedish
          CCC Help Thai
          CCC Help Turkish
          Cheat Engine 5.5
          CompuApps SwissKnife V3
          Conexant AC-Link Audio
          DV TS
          DVD Solution
          EVEREST Home Edition v2.20
          Google Chrome
          Google Desktop
          Google Toolbar for Internet Explorer
          HijackThis 2.0.2
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
          Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
          Hotfix for Windows Media Format 11 SDK (KB929399)
          Hotfix for Windows Media Player 10 (KB903157)
          Hotfix for Windows Media Player 11 (KB939683)
          Hotfix for Windows XP (KB932716-v2)
          Hotfix for Windows XP (KB952287)
          Hotfix for Windows XP (KB954550-v5)
          Hotfix for Windows XP (KB961118)
          Hotfix for Windows XP (KB970653-v3)
          Hotfix for Windows XP (KB976098-v2)
          Hotfix for Windows XP (KB979306)
          ImTOO MPEG Encoder Platinum
          iTunes
          Java(TM) 6 Update 17
          Kaspersky Anti-Virus 2010
          Malwarebytes' Anti-Malware
          ManyCam 2.4 (remove only)
          Media Player Codec Pack 3.9.1
          Microsoft .NET Framework 1.0 Hotfix (KB953295)
          Microsoft .NET Framework 1.1
          Microsoft .NET Framework 1.1 Security Update (KB953297)
          Microsoft .NET Framework 2.0 Service Pack 2
          Microsoft .NET Framework 3.0 Service Pack 2
          Microsoft .NET Framework 3.5 SP1
          Microsoft Application Error Reporting
          Microsoft Choice Guard
          Microsoft Compression Client Pack 1.0 for Windows XP
          Microsoft Office Standard Edition 2003
          Microsoft User-Mode Driver Framework Feature Pack 1.0
          Microsoft VC9 runtime libraries
          MSVCRT
          MSXML 6 Service Pack 2 (KB954459)
          PeerGuardian 2.0
          Power2Go 4.0
          PowerDVD
          QuickTime
          Security Update for Step By Step Interactive Training (KB898458)
          Security Update for Windows Media Player (KB911564)
          Security Update for Windows Media Player (KB952069)
          Security Update for Windows Media Player (KB954155)
          Security Update for Windows Media Player (KB968816)
          Security Update for Windows Media Player (KB973540)
          Security Update for Windows Media Player 10 (KB911565)
          Security Update for Windows Media Player 10 (KB917734)
          Security Update for Windows Media Player 11 (KB954154)
          Security Update for Windows Media Player 6.4 (KB925398)
          Security Update for Windows XP (KB923561)
          Security Update for Windows XP (KB923789)
          Security Update for Windows XP (KB938464-v2)
          Security Update for Windows XP (KB941569)
          Security Update for Windows XP (KB946648)
          Security Update for Windows XP (KB950762)
          Security Update for Windows XP (KB950974)
          Security Update for Windows XP (KB951066)
          Security Update for Windows XP (KB951376-v2)
          Security Update for Windows XP (KB951748)
          Security Update for Windows XP (KB952004)
          Security Update for Windows XP (KB952954)
          Security Update for Windows XP (KB954459)
          Security Update for Windows XP (KB954600)
          Security Update for Windows XP (KB955069)
          Security Update for Windows XP (KB956572)
          Security Update for Windows XP (KB956744)
          Security Update for Windows XP (KB956802)
          Security Update for Windows XP (KB956803)
          Security Update for Windows XP (KB956844)
          Security Update for Windows XP (KB957097)
          Security Update for Windows XP (KB958644)
          Security Update for Windows XP (KB958687)
          Security Update for Windows XP (KB958869)
          Security Update for Windows XP (KB959426)
          Security Update for Windows XP (KB960225)
          Security Update for Windows XP (KB960803)
          Security Update for Windows XP (KB960859)
          Security Update for Windows XP (KB961371-v2)
          Security Update for Windows XP (KB961501)
          Security Update for Windows XP (KB968537)
          Security Update for Windows XP (KB969059)
          Security Update for Windows XP (KB969947)
          Security Update for Windows XP (KB970238)
          Security Update for Windows XP (KB970430)
          Security Update for Windows XP (KB971468)
          Security Update for Windows XP (KB971486)
          Security Update for Windows XP (KB971557)
          Security Update for Windows XP (KB971633)
          Security Update for Windows XP (KB971657)
          Security Update for Windows XP (KB971961)
          Security Update for Windows XP (KB972260)
          Security Update for Windows XP (KB972270)
          Security Update for Windows XP (KB973346)
          Security Update for Windows XP (KB973354)
          Security Update for Windows XP (KB973507)
          Security Update for Windows XP (KB973525)
          Security Update for Windows XP (KB973869)
          Security Update for Windows XP (KB973904)
          Security Update for Windows XP (KB974112)
          Security Update for Windows XP (KB974318)
          Security Update for Windows XP (KB974392)
          Security Update for Windows XP (KB974455)
          Security Update for Windows XP (KB974571)
          Security Update for Windows XP (KB975025)
          Security Update for Windows XP (KB975467)
          Security Update for Windows XP (KB975560)
          Security Update for Windows XP (KB975561)
          Security Update for Windows XP (KB975713)
          Security Update for Windows XP (KB976325)
          Security Update for Windows XP (KB977165)
          Security Update for Windows XP (KB977914)
          Security Update for Windows XP (KB978037)
          Security Update for Windows XP (KB978251)
          Security Update for Windows XP (KB978262)
          Security Update for Windows XP (KB978706)
          Segoe UI
          Skins
          Soft Data Fax Modem with SmartCP
          Sonic Encoders
          Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
          Update for Windows Media Player 10 (KB910393)
          Update for Windows Media Player 10 (KB913800)
          Update for Windows Media Player 10 (KB926251)
          Update for Windows XP (KB951978)
          Update for Windows XP (KB953356)
          Update for Windows XP (KB955759)
          Update for Windows XP (KB961503)
          Update for Windows XP (KB967715)
          Update for Windows XP (KB968389)
          Update for Windows XP (KB971737)
          Update for Windows XP (KB973687)
          Update for Windows XP (KB973815)
          Update for Windows XP (KB976749)
          Update for Windows XP (KB978207)
          Update Rollup 2 for Windows XP Media Center Edition 2005
          WebFldrs XP
          Windows 7 USB/DVD Download Tool
          Windows Driver Package - Advanced Micro Devices (AmdK8) Processor  (05/27/2006 1.3.2.0)
          Windows Genuine Advantage Validation Tool (KB892130)
          Windows Imaging Component
          Windows Live Call
          Windows Live Communications Platform
          Windows Live Essentials
          Windows Live Messenger
          Windows Live Sign-in Assistant
          Windows Live Upload Tool
          Windows Media Format 11 runtime
          Windows Media Player 11
          Windows XP Media Center Edition 2005 KB925766
          Windows XP Media Center Edition 2005 KB973768
          Windows XP Service Pack 3
          WinRAR archiver
          YouTube Downloader 2.5.3

          Finally, here is the quarantined file list:

          2010-03-15 02:32:54 . 2010-03-17 06:59:07            6,608 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
          2010-03-15 02:25:31 . 2010-03-17 06:53:58              255 ----a-w-  C:\Qoobox\Quarantine\catchme.log
          2010-02-04 04:33:10 . 2009-01-27 23:43:54           36,096 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\Cheat Engine\dbk32.sys.vir
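          Parsing the quarantine listing above, as an added example that is not code from the thread or from ComboFix: it reads each line, maps the quarantined copy back to where the file originally lived, and picks out the drivers and executables a reviewer would look at first. The column order (creation time, modification time, size, DOS attribute flags, path) and the `.vir` suffix on quarantined copies are assumptions about the format, read off the three lines posted.

```python
import re
from datetime import datetime
# Constructed copy of the three ComboFix quarantine lines posted in the thread.
QUARANTINE_LISTING = r"""
2010-03-15 02:32:54 . 2010-03-17 06:59:07            6,608 ----a-w-  C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-03-15 02:25:31 . 2010-03-17 06:53:58              255 ----a-w-  C:\Qoobox\Quarantine\catchme.log
2010-02-04 04:33:10 . 2009-01-27 23:43:54           36,096 ----a-w-  C:\Qoobox\Quarantine\C\Program Files\Cheat Engine\dbk32.sys.vir
"""
QUARANTINE_ROOT = r"C:\Qoobox\Quarantine"
TIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# Assumed column layout: "<created> . <modified> <size> <attribute flags> <path>".
LINE_RE = re.compile(
    rf"^(?P<created>{TIMESTAMP}) \. (?P<modified>{TIMESTAMP})\s+"
    r"(?P<size>[\d,]+) (?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)
REVIEW_EXTENSIONS = (".sys", ".exe", ".dll")

def parse_listing(text):
    """Return one dict per quarantine line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M:%S"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "archive": "a" in m["attrs"],   # DOS attribute flags, e.g. ----a-w-
            "path": m["path"],
        })
    return entries

def original_path(entry):
    r"""Map a quarantined copy back to where it lived: ...\Quarantine\C\foo.sys.vir -> C:\foo.sys.
    Returns None for ComboFix's own bookkeeping files (logs, registry backups)."""
    path = entry["path"]
    if not path.startswith(QUARANTINE_ROOT + "\\"):
        return None
    drive, sep, rest = path[len(QUARANTINE_ROOT) + 1:].partition("\\")
    if not sep or len(drive) != 1 or not drive.isalpha():
        return None
    if rest.lower().endswith(".vir"):
        rest = rest[:-4]
    return f"{drive}:\\{rest}"

def review_candidates(entries):
    """Original paths of quarantined drivers and executables worth a closer look."""
    return [p for p in map(original_path, entries)
            if p and p.lower().endswith(REVIEW_EXTENSIONS)]
```

Run against the listing, only the quarantined kernel driver is reported; the registry backup and catchme.log are ComboFix's own files and are skipped.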
          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Wierd virus
          « Reply #6 on: March 24, 2010, 12:28:10 PM »
          P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

          Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

          I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
          =============================================

          Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

          Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

          Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

          Exit out of MessengerDisable then delete the two files that were put on the desktop.

          ================================================
          ESET Online Scan

          Scan your computer with the ESET FREE Online Virus Scan

          * Click the ESET Online Scanner button.

          * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
          * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
          * Place a check mark next to YES, I accept the Terms of Use.

          * Click the Start button.
          * Accept any security warnings from your browser.
          * Leave the check mark next to Remove found threats and place a check next to Scan archives.
          * Click the Start button.
          * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
          * When the scan completes, click List of found threats.
          * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
          * Click the Back button then click Finish.

          In your next reply, please include the ESET Online Scan log.
          =====================
          Please let me know how your computer is working now.
          Windows 8 and Windows 10 dual boot with two SSD's

          alienwarem7700

            Topic Starter


            Rookie

            Thanked: 1
            Re: Wierd virus
            « Reply #7 on: March 24, 2010, 12:42:46 PM »
            I'm not sure if you actually read my previous responses and took them into consideration, because I cannot install/remove anything, I can't go online, I can't do practically anything.

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Wierd virus
            « Reply #8 on: March 24, 2010, 04:08:10 PM »
            Ok. Please describe to me what happens when you boot your computer. Are you able to boot in Normal Mode? Do you get to your desktop? Are other programs running correctly?

            KornmonGrim



              Rookie

              Thanked: 5
              Re: Wierd virus
              « Reply #9 on: March 27, 2010, 10:16:20 AM »
              We know that you have some kind of malware or something. I'd say it is malware because of your computer's activity. What you can do is:
              EDITED.
              « Last Edit: March 27, 2010, 11:47:58 AM by SuperDave »
              KornmonGrim helping people with their computer needs for free.