Virus help, comp crashing

OK, I am on my account (I am currently in the process of getting my computer fixed), but I am on another person's computer right now trying to help them remove a virus issue they are having as well.

So please don't merge this with my current thread; it's 2 different computers and issues.

This computer currently does not load Windows unless it's in safe mode. I keep getting the yellow ! mark in the toolbar where the clock is, saying I have a virus, click this, etc. etc., but doing that will completely crash my computer, as I had a personal experience with this myself 2 yrs ago.

How can I fix this? I've run ESET NOD32 and Spy Sweeper but no luck. It just removes spyware, and NOD found 32 issues but didn't fix anything.

Help! BTW, the computer was just built and hasn't been used for more than possibly 8 hours, so I don't know how the hell this occurred.

Comments

  • edited December 2008
    Download and Run ComboFix (by sUBs)
    Please visit this webpage for instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial

    Post the log from ComboFix when you've accomplished that.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper
    Malwarebytes' Anti-Malware

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • edited December 2008
    Malwarebytes' Anti-Malware 1.31
    Database version: 1464
    Windows 5.1.2600 Service Pack 2
    12/5/2008 6:31:16 PM
    mbam-log-2008-12-05 (18-31-16).txt
    Scan type: Full Scan (C:\|E:\|F:\|)
    Objects scanned: 74708
    Time elapsed: 15 minute(s), 2 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 23
    Registry Values Infected: 3
    Registry Data Items Infected: 15
    Folders Infected: 9
    Files Infected: 63
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\WINDOWS\system32\yayawxxw.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\jkkJcAsr.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\xflxnr.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\gtckad.dll (Trojan.Zlob) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2eb03981-0486-4084-9cda-8767d300916f} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{2eb03981-0486-4084-9cda-8767d300916f} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkjcasr (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{61d70260-527c-44e8-bb23-2243e93808d3} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b3d4bf7e-8ac8-480b-a334-d7bba7166433} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IExplorer add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Toolbar (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup (Trojan.Zlob) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{61d70260-527c-44e8-bb23-2243e93808d3} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\quicktime task (Trojan.Zlob) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayawxxw -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\yayawxxw -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: msansspc.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e58fb138-4a08-42b2-8e08-94c3e91e912e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e6e11b40-6d35-4ebe-a33f-c10e80ab4f25}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e6e11b40-6d35-4ebe-a33f-c10e80ab4f25}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e58fb138-4a08-42b2-8e08-94c3e91e912e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e6e11b40-6d35-4ebe-a33f-c10e80ab4f25}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e6e11b40-6d35-4ebe-a33f-c10e80ab4f25}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e58fb138-4a08-42b2-8e08-94c3e91e912e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e6e11b40-6d35-4ebe-a33f-c10e80ab4f25}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e6e11b40-6d35-4ebe-a33f-c10e80ab4f25}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.58;85.255.112.173 -> Quarantined and deleted successfully.
    Folders Infected:
    C:\Program Files\InetGet2 (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Start Menu\Programs\homeview (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    Files Infected:
    C:\WINDOWS\system32\yayawxxw.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\wxxwayay.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wxxwayay.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jkkJcAsr.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\pdrrwiwm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mwiwrrdp.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gtckad.dll (Trojan.Zlob.H) -> Delete on reboot.
    C:\WINDOWS\system32\xflxnr.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Documents and Settings\Red\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Local Settings\Temp\qpgiqmsi1.exe (Zlob.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Local Settings\Temp\qpgiqmsi2.exe (Rootkit.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Local Settings\Temp\tmp2B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Local Settings\Temp\tmp54.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Local Settings\Temp\__51.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\components\srff.dll (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
    C:\Program Files\Webtools\webtools.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{53B117F1-C09B-4452-84E3-9D44743606E3}\RP32\A0017711.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{53B117F1-C09B-4452-84E3-9D44743606E3}\RP34\A0018753.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\abtbvy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\evskttmj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gbxuyofh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mlJBSjgg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\puptkplq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\sphgai.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\browseu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\hpmon.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\hpmun.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\hpmun.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\myc.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\myd.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\mym.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\myp.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\myv.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\ot.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\qttask.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\qttaskm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\qttasku.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\WebMediaViewer\ts.ico (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Program Files\homeview\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Application Data\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Start Menu\Programs\homeview\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\sys_32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\msansspc.dll (Trojan.Agent) -> Delete on reboot.
    C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Application Data\Twain\Twain.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tempo-74F.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tempo-FDD.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\tempo-FF7.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Favorites\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Desktop\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Online Spyware Test.url (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Local Settings\Temp\qpgiqmsi0.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Red\Local Settings\Temp\qpgiqmsi3.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Desktop\Online Spyware Test.url (Rogue.Link) -> Quarantined and deleted successfully.
  • edited December 2008
    ComboFix 08-12-05.02 - Administrator 2008-12-05 18:54:30.1 - NTFSx86 NETWORK
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2829 [GMT -8:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\autorun.inf
    c:\documents and settings\Red\Local Settings\Temporary Internet Files\bestwiner.stt
    c:\documents and settings\Red\Local Settings\Temporary Internet Files\fbk.sts
    c:\windows\system32\upgqqcly.ini
    c:\windows\system32\vvwlcmxy.ini
    c:\windows\wiaserviv.log
    E:\Autorun.inf
    E:\resycled
    e:\resycled\boot.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
    .
    2008-12-05 18:03 . 2008-12-05 18:03 <DIR> d
    c:\program files\Malwarebytes' Anti-Malware
    2008-12-05 18:03 . 2008-12-05 18:03 <DIR> d
    c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-05 18:03 . 2008-12-05 18:03 <DIR> d
    c:\documents and settings\Administrator\Application Data\Malwarebytes
    2008-12-05 18:03 . 2008-12-03 19:52 38,496 --a
    c:\windows\system32\drivers\mbamswissarmy.sys
    2008-12-05 18:03 . 2008-12-03 19:52 15,504 --a
    c:\windows\system32\drivers\mbam.sys
    2008-12-05 00:45 . 2008-12-05 00:45 <DIR> d
    c:\documents and settings\Administrator\Application Data\Talkback
    2008-12-05 00:36 . 2008-12-05 00:36 <DIR> d
    c:\documents and settings\Administrator\Application Data\Webroot
    2008-12-05 00:32 . 2008-12-05 00:32 <DIR> d
    c:\documents and settings\Administrator
    2008-12-04 23:24 . 2008-12-04 23:24 <DIR> d
    c:\program files\ESET
    2008-12-04 23:24 . 2008-12-04 23:24 <DIR> d
    c:\documents and settings\All Users\Application Data\ESET
    2008-12-04 23:10 . 2008-12-05 00:07 27,904 --a
    c:\windows\system32\drivers\Ndisprot.sys
    2008-12-04 23:09 . 2008-12-04 23:09 2,405 --a
    c:\documents and settings\Red\S87ekhV.exe
    2008-12-04 18:16 . 2006-05-04 19:02 380,928 --a
    c:\windows\system32\drivers\rt61.sys
    2008-12-04 18:16 . 2005-12-15 10:38 315,392 --a
    c:\windows\system32\AegisI5.exe
    2008-12-04 18:16 . 2006-05-15 16:25 295,028 --a
    c:\windows\system32\Install6x.dll
    2008-12-04 18:16 . 2008-12-04 18:16 21,275 --a
    c:\windows\system32\drivers\AegisP.sys
    2008-12-04 18:16 . 2006-04-06 13:15 8,192 --a
    c:\windows\system32\drivers\RT2661.bin
    2008-12-04 18:16 . 2006-04-06 13:15 8,192 --a
    c:\windows\system32\drivers\RT2561s.bin
    2008-12-04 18:16 . 2006-04-06 13:15 8,192 --a
    c:\windows\system32\drivers\RT2561.bin
    2008-12-04 18:16 . 2006-03-10 15:33 78 --a
    c:\windows\filespec6x
    2008-12-04 18:15 . 2008-12-04 18:15 <DIR> d
    c:\program files\RALINK
    2008-11-30 14:53 . 2008-11-30 14:53 <DIR> d
    c:\program files\TVAnts
    2008-11-30 06:26 . 2008-11-30 06:28 <DIR> d
    c:\program files\SopCast
    2008-11-30 01:47 . 2008-11-30 01:48 <DIR> d
    c:\program files\Pop up Blocker Pro
    2008-11-29 19:09 . 2008-12-05 18:31 <DIR> d
    c:\documents and settings\Red\Application Data\Twain
    2008-11-27 12:41 . 2008-11-27 12:41 <DIR> d
    c:\program files\Webroot
    2008-11-27 12:41 . 2008-11-27 12:41 <DIR> d
    c:\documents and settings\Red\Application Data\Webroot
    2008-11-27 12:41 . 2008-11-27 12:41 <DIR> d
    c:\documents and settings\LocalService\Application Data\Webroot
    2008-11-27 12:41 . 2008-11-27 12:41 <DIR> d
    c:\documents and settings\All Users\Application Data\Webroot
    2008-11-27 12:41 . 2006-07-07 16:41 117,248 --a
    c:\windows\system32\drivers\ssidrv.sys
    2008-11-27 12:41 . 2006-07-07 16:41 15,360 --a
    c:\windows\system32\drivers\sshrmd.sys
    2008-11-27 12:41 . 2006-07-07 16:41 14,848 --a
    c:\windows\system32\drivers\sskbfd.sys
    2008-11-27 12:41 . 2006-07-07 16:41 13,824 --a
    c:\windows\system32\drivers\SSFS041A.sys
    2008-11-26 13:01 . 2004-08-04 00:56 21,504 --a
    c:\windows\system32\hidserv.dll
    2008-11-26 13:01 . 2004-08-04 00:56 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
    2008-11-26 13:01 . 2001-08-17 13:48 12,160 --a
    c:\windows\system32\drivers\mouhid.sys
    2008-11-26 13:01 . 2001-08-17 13:48 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
    2008-11-26 13:00 . 2001-08-17 14:02 9,600 --a
    c:\windows\system32\drivers\hidusb.sys
    2008-11-26 13:00 . 2001-08-17 14:02 9,600 --a--c--- c:\windows\system32\dllcache\hidusb.sys
    2008-11-26 08:57 . 2008-11-26 08:57 <DIR> d
    c:\windows\nview
    2008-11-26 08:57 . 2008-11-12 13:45 453,152 --a
    c:\windows\system32\NVUNINST.EXE
    2008-11-26 08:57 . 2008-11-12 14:54 453,152 --a
    c:\windows\system32\nvudisp.exe
    2008-11-26 08:57 . 2008-12-05 00:12 203,520 --a
    c:\windows\system32\nvapps.xml
    2008-11-26 08:57 . 2008-11-12 14:54 18,537 --a
    c:\windows\system32\nvdisp.nvu
    2008-11-26 08:30 . 2008-11-26 08:30 <DIR> d
    c:\documents and settings\Red\Application Data\Talkback
    2008-11-26 08:30 . 2008-11-26 08:30 25 --a
    c:\windows\cdplayer.ini
    2008-11-26 08:30 . 2008-11-26 08:30 0 --a
    c:\windows\nsreg.dat
    2008-11-26 08:29 . 2008-11-26 08:29 <DIR> d
    c:\program files\Real
    2008-11-26 08:29 . 2008-11-26 08:29 <DIR> d
    c:\program files\Common Files\xing shared
    2008-11-26 08:29 . 2008-11-26 08:29 <DIR> d
    c:\program files\Common Files\Real
    2008-11-26 08:29 . 2008-11-26 08:29 499,712 --a
    c:\windows\system32\msvcp71.dll
    2008-11-26 08:07 . 2008-11-26 08:07 <DIR> d
    c:\program files\NETGEAR
    2008-11-26 08:07 . 2003-10-16 09:51 335,296 --a
    c:\windows\system32\drivers\wg121nd5.sys
    2008-11-26 08:07 . 2003-07-24 12:10 94,208 --a
    c:\windows\system32\DNIN50.dll
    2008-11-26 08:07 . 2003-09-23 11:37 77,926 --a
    c:\windows\system32\wg121.dll
    2008-11-25 20:00 . 2008-11-25 20:00 <DIR> d
    c:\documents and settings\All Users\Application Data\CyberLink
    2008-11-25 19:59 . 2008-11-25 20:00 <DIR> d
    c:\program files\CyberLink
    2008-11-11 01:43 . 2008-11-11 01:43 <DIR> d
    c:\program files\PC Wizard 2008
    2008-11-11 01:43 . 2007-09-15 16:11 27,136 --a
    c:\windows\system32\PCWizard.cpl
    2008-11-10 23:41 . 2008-11-10 23:44 316,640 --a
    c:\windows\WMSysPr9.prx
    2008-11-10 23:41 . 2004-08-04 00:56 59,392 --a
    c:\windows\system32\logman.exe
    2008-11-10 23:41 . 2004-08-04 00:56 9,216 --a
    c:\windows\system32\proxycfg.exe
    2008-11-10 23:39 . 2004-07-17 11:40 19,528 --a
    c:\windows\002171_.tmp
    2008-11-10 23:38 . 2008-11-10 23:38 <DIR> d
    c:\windows\EHome
    2008-11-09 15:41 . 2004-08-03 23:07 68,224 --a
    c:\windows\system32\drivers\pci.sys
    2008-11-09 15:41 . 2007-07-26 16:15 53,248 -ra
    c:\windows\system32\CSVer.dll
    2008-11-08 14:31 . 2008-11-08 14:31 <DIR> d
    c:\program files\PC Drivers HeadQuarters
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-05 02:15
    d--h--w c:\program files\InstallShield Installation Information
    2008-11-30 15:27 196,608 ----a-w c:\windows\system32\drivers\nStandard.bin
    2008-11-26 16:57
    d
    w c:\program files\Common Files\Wise Installation Wizard
    2008-11-26 16:57
    d
    w c:\program files\AGEIA Technologies
    2008-11-26 16:29 348,160 ----a-w c:\windows\system32\msvcr71.dll
    2008-11-26 03:58
    d
    w c:\program files\Common Files\InstallShield
    2008-11-05 07:48 12,288 ----a-w c:\windows\system32\drivers\EIO64_xp.sys
    2008-11-05 07:48
    d
    w c:\program files\ASUS
    2008-11-05 06:27
    d
    w c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2008-11-02 07:57
    d
    w c:\program files\SystemRequirementsLab
    2008-11-02 07:21
    d
    w c:\program files\GIGABYTE
    2008-11-01 23:02
    d
    w c:\program files\Common Files\Adobe AIR
    2008-11-01 23:01
    d
    w c:\program files\Common Files\Adobe
    2008-11-01 22:59
    d
    w c:\program files\NOS
    2008-11-01 22:59
    d
    w c:\documents and settings\All Users\Application Data\NOS
    2008-10-26 07:15
    d
    w c:\program files\My Company Name
    2008-10-26 07:07
    d
    w c:\program files\Google
    2008-10-25 18:56
    d
    w c:\program files\Realtek
    2008-10-25 18:54
    d
    w c:\program files\Yahoo!
    2008-10-25 18:54
    d
    w c:\program files\Intel
    2008-10-25 18:47
    d
    w c:\program files\microsoft frontpage
    2008-10-13 22:12 30,657 ----a-w c:\program files\nv4_disp.cat
    2008-10-13 17:56 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelTraditionalChinese.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelSwedish.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelSpanish.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelSimplifiedChinese.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelPortugese.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelKorean.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelJapanese.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelGerman.dll
    2008-10-07 17:13 58,648 ----a-w c:\windows\system32\AgCPanelFrench.dll
    2008-10-07 17:13 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
    2008-10-07 17:13 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
    2008-10-07 17:13 23,320 ----a-w c:\windows\system32\PhysXDevice.dll
    2008-09-04 17:26 51,790,104 ----a-r c:\program files\PhysX_8.09.04_SystemSoftware.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GBB36X Configure"="c:\windows\System32\JMRaidTool.exe" [2006-07-12 356352]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "ASUSGamerOSD"="c:\program files\ASUS\GamerOSD\GamerOSD.exe" [2008-05-28 380928]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-26 185872]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
    "SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 3871744]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
    "SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 c:\windows\RTHDCPL.exe]
    "nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Ralink Wireless Utility.lnk - c:\program files\RALINK\Common\RaUI.exe [2008-12-04 614400]
    Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2008-11-26 274432]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=xflxnr.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.asv2"= asusasv2.dll
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\TVAnts\\Tvants.exe"=
    R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;c:\windows\system32\Drivers\SSFS041A.SYS [2008-11-27 13824]
    R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-07-01 34312]
    S0 zqcotch;zqcotch;c:\windows\system32\drivers\ypsxaou.sys []
    S1 EIO_XP;EIO_XP;\??\c:\windows\system32\drivers\EIO_XP.sys [2008-10-25 12288]
    S2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-07-01 468224]
    S3 asusgsb;ASUS Virtual Video Capture Device Driver;c:\windows\system32\drivers\asusgsb.sys [2008-11-04 12416]
    S3 ASUSVRC;ASUSTeK Virtual Capture Device;c:\windows\system32\DRIVERS\AsusVRC.sys [2007-01-29 18432]
    S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-01 33752]
    S3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D32.sys [2008-11-04 10752]
    S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\windows\system32\DRIVERS\wg121nd5.sys [2008-11-26 335296]
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
    \Shell\Open\command - resycled\boot.com c:
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Autorun.exe
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com e:
    \Shell\Open\command - e:\resycled\boot.com e:
    *Newly Created Service* - PROCEXP90
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com
    uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
    IE: {B7834EE7-B223-4FA5-A3BE-3D8137D7EF28} - c:\program files\Pop up Blocker Pro\pdie.exe
    IE: {B7834EE7-B223-4FA5-A3BE-3D8137D7EF28} - c:\program files\Pop up Blocker Pro\pdie.exe -
    c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
    hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    c:\windows\Downloaded Program Files\SysReqLab3.osd
    FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\t4rmstgw.default\
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-05 18:55:30
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files:
    **************************************************************************
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
    "imagepath"="\systemroot\system32\drivers\msqpdxpaxtoeqh.sys"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'winlogon.exe'(628)
    c:\windows\system32\WRLogonNTF.dll
    .
    Completion time: 2008-12-05 18:55:48
    ComboFix-quarantined-files.txt 2008-12-06 02:55:47
    Pre-Run: 239,985,082,368 bytes free
    Post-Run: 240,532,377,600 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
  • edited December 2008
    Step 1

    We Need to Verify your DNS Configuration
    1. Please download DNSCheck and save it to your desktop.
    2. Double click the DNSCheck icon on your desktop.
    3. Follow the on-screen instructions. When done, a log will open, and be saved to the desktop.
    4. Please copy and paste that log in your next reply.


    Step 2


    Flash Disinfector by sUBs
    Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

    • Double-click Flash_Disinfector.exe to run it.
    • Follow any prompts that may appear.
    • Wait until the program has finished scanning, then please exit the program.
      The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.

    Please restart your computer.


    Step 3

    Upload a File

    Please open >> THIS << page.

    Click the Browse button next to File 1
    Copy/paste the following file name into the new window next to File Name:
      File 1
      c:\documents and settings\Red\S87ekhV.exe
      File 2
      c:\windows\system32\drivers\msqpdxpaxtoeqh.sys

    Now click Upload


      Step 4


      Custom CFScript
      • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
        http://icrontic.com/forum/showthread.php?p=657952#post657952
        Comment:: Katana
        Collect::[4]
        c:\documents and settings\Red\S87ekhV.exe
        c:\windows\system32\drivers\msqpdxpaxtoeqh.sys
        Driver::
        zqcotch
        Registry::
        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
        "AppInit_DLLs"=""
        
        [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
        [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
        [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
        [-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
        ADS::
        
      • Save this as CFScript.txt and place it on your desktop.


        [screenshot: CFScript.txt being dragged onto ComboFix.exe]


      • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
      • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
      • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
      • A window will open asking you to ensure you are connected to the internet, this is so a file can be submitted for analysis.
      • Click OK and follow the instructions to submit the file.


      CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
      Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



      Step 5

      Kaspersky Online Scanner .
      Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
      NOTE:- This scan is best done from IE (Internet Explorer)

      NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
      Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

      Read the Requirements and limitations before you click Accept.
      Once the database has downloaded, click My Computer in the left pane
      Now go and put the kettle on!
      When the scan has completed, click Save Report As...
      Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
      Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


      **Note**

      To optimize scanning time and produce a more sensible report for review:
      • Close any open programs.
      • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

      Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


      Step 6

      Logs/Information to Post in Reply
      Please post the following logs/Information in your reply
      • DNS Check Log
      • Combofix Log
      • Kaspersky Log
      • How are things running now?
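The log posted above and the CFScript in Step 4 are two halves of one picture: the MountPoints2 entries point the AutoRun and Open verbs of two volumes at resycled\boot.com through a RunDLL32/ShellExec_RunDLL indirection, and the catchme section reports a hidden service whose ImagePath is a randomly named driver; the script then collects that driver and deletes those keys. As an added example that is not part of this thread, of ComboFix or of the helper's script, the Python below parses a constructed excerpt of the log, flags MountPoints2 entries with three heuristics (RunDLL32 indirection, a payload path with no drive letter, and the same payload basename registered on more than one volume), and emits the matching Collect:: and Registry:: directives in CFScript syntax. The heuristics, the thread URL passed in, and the system root used to expand the \systemroot prefix are assumptions of the example.

```python
"""Triage MountPoints2 and hidden-service entries from a ComboFix log and
emit the matching CFScript directives.

Added example for this thread; not ComboFix code and not the helper's script.
The heuristics, the thread URL and the system root used to expand the
systemroot prefix are assumptions of this example.
"""
import re

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com c:
\Shell\Open\command - resycled\boot.com c:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com e:
\Shell\Open\command - e:\resycled\boot.com e:
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxpaxtoeqh.sys"
"""

MP2_PREFIX = r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2"
MP2_KEY = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\([A-Za-z]))\]$", re.I)
SVC_KEY = re.compile(r"^\[(HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\[^\]]+)\]$", re.I)
VERB_CMD = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
IMAGEPATH = re.compile(r'^"imagepath"="(.+)"$', re.I)
ABS_PATH = re.compile(r"^[a-z]:\\")


def parse_log(text):
    """Return ({drive: {verb: command}}, {service key: imagepath})."""
    mountpoints, services = {}, {}
    drive = service = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MP2_KEY.match(line):
            drive, service = m.group(2).upper(), None
            mountpoints.setdefault(drive, {})
        elif m := SVC_KEY.match(line):
            service, drive = m.group(1), None
        elif (m := VERB_CMD.match(line)) and drive:
            mountpoints[drive][m.group(1)] = m.group(2).strip()
        elif (m := IMAGEPATH.match(line)) and service:
            services[service] = m.group(1)
    return mountpoints, services


def payload_of(cmd):
    """The file a MountPoints2 command ultimately launches, lower-cased.
    A RunDLL32 ... ShellExec_RunDLL <target> line runs <target>, not rundll32."""
    low = cmd.lower()
    m = re.search(r"shellexec_rundll\s+(\S+)", low)
    return m.group(1) if m else low.split()[0]


def suspicious_mountpoints(mountpoints):
    """Map each suspicious drive letter to the list of reasons it was flagged."""
    payloads = {d: {v: payload_of(c) for v, c in verbs.items()} for d, verbs in mountpoints.items()}
    drives_by_basename = {}  # same payload name on several volumes = worm-style spread
    for d, verbs in payloads.items():
        for p in verbs.values():
            drives_by_basename.setdefault(p.rsplit("\\", 1)[-1], set()).add(d)
    findings = {}
    for d, verbs in mountpoints.items():
        reasons = []
        for verb, cmd in verbs.items():
            p = payloads[d][verb]
            name = p.rsplit("\\", 1)[-1]
            if "shellexec_rundll" in cmd.lower():
                reasons.append(f"{verb}: RunDLL32/ShellExec_RunDLL indirection")
            if not ABS_PATH.match(p):
                reasons.append(f"{verb}: payload {p!r} has no drive letter")
            if len(drives_by_basename[name]) > 1:
                reasons.append(f"{verb}: payload {name!r} registered on multiple drives")
        if reasons:
            findings[d] = reasons
    return findings


def build_cfscript(thread_url, mp_findings, services, system_root=r"c:\windows"):
    """Emit Collect:: lines for hidden drivers and Registry:: deletions for the
    flagged MountPoints2 keys and hidden service keys. system_root is assumed."""
    lines = [thread_url, "Collect::"]
    for path in services.values():
        lines.append(re.sub(r"^\\systemroot", lambda _m: system_root, path, flags=re.I))
    lines.append("Registry::")
    for drive in sorted(mp_findings):
        lines.append(f"[-{MP2_PREFIX}\\{drive}]")
    for key in services:
        lines.append(f"[-{key}]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    mp, svc = parse_log(SAMPLE_LOG)
    flagged = suspicious_mountpoints(mp)
    for d, reasons in flagged.items():
        print(f"{d}: " + "; ".join(reasons))
    print(build_cfscript("http://example.invalid/thread", flagged, svc))
```

Run as-is, the example flags C: and E: and leaves D: alone, because D:\Autorun.exe is a single absolute root-level payload. The helper's script deletes the D key too; that is harmless, since MountPoints2 is only Explorer's cache of per-volume settings and is rebuilt the next time the volume is mounted.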
    • edited December 2008
      Whilst we appreciate that you may be busy, it has been 5 days or more since we heard from you. This topic is now closed.

      Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

      If you are not the user who started this thread, you must start your own Thread instead :)