BD Says Clean But Far From It - Please Help!
"If you ever had programs unexpectedly installing on your system, popping up advertisements, saying voice advertisements or playing music, changing (hijacking) your home page (or start page), modifying your search results, displaying search results when you hit a 404 file not found page, dialing out, and so on, your system has probably been compromised by some spyware, adware, trojan, hijacker or dialer."
I ran across that bit of information on a website I found while desperately pursuing an answer to this horrid infection. BD came recommended through (uh oh, "congratulations, you've been selected to receive a Walmart gift card" audio just played), yes, recommended by family, and it has helped them. I was assured BD could help me. Upon downloading, BD did catch and resolve many of my issues, but the bastids must've been hidden in other files or directories. Wherever it is they are hiding, BD can't find it, yet the pop-ups are still coming and the Walmart and Wii people are still talking.
I'm a normal person who uses her computer every day, and I am selfishly looking for the easiest solution to a most irritating and complex problem, as this is what normal people do. I don't have my XP disc, computer registration numbers or anything like that. They have been lost or trashed, so I am unable to locate them. Suggestions requiring those would do me little to no good. I don't know how to find my administrative password either; guess I'm pretty sad, huh? But am I really worthy of this? I think not.
I have run the deep scan, quick scan and full system scan, and nothing more has been caught. I've also tried Norton, Microsoft, McAfee and Spybot (it seems that when I downloaded Spybot and it so-called cleaned, I had more Anti-Virus 2008 pop-ups than in the history of mankind).
I tried doing a Ctrl+Alt+Del to see if any funny business was going on there, but all appeared to be normal; then again, I'm definitely no guru. I can't do a System Restore, as once the malware infected my comp it wouldn't allow me to go back to a date that was far enough. Only to Aug 22, which was the day of infection, and it only posted times that were after the infection. I can't go back to July or June.
If I could identify the source of the problem, I would be more than happy to post it here, but I can't find it with any software, and I'm a little skeptical about the ones that said they did find something when not even BD could find it.
I can try to locate the BD logs, but when I click AntiVirus it expands to tabs saying Shields, Virus Scan, Protection and Quarantine. The green bar at the top says no standing issues. Did I not see something or click something?
Can someone please deliver me from malware ######.
Seeking Deliverance,
Adrianna
Comments
-
I ran my Task Manager and found a few suspicious exe files. I googled them and found crazy results; apparently most said these files were malware and Trojans.
psiservice.exe
mdm.exe
smss.exe
wdfmgr.exe
csrss.exe
wscntfy.exe
ctfmon.exe
-
Hello IceXPinkGirl,
Can you please download ComboFix? You will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post, so that I or someone else can see if there are still some infections.
Kind regards,
Niels
-
ComboFix 08-08-27.01 - Compaq_Owner 2008-08-27 14:58:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.981 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\HECEZ32H\bin.clearspring.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\HECEZ32H\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\HECEZ32H\interclick.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\HECEZ32H\interclick.com\ud.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@~~local~~[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ehg-darksideprod.hitbox[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@insightexpressai[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@interclick[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt
C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@turn[1].txt
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM571d8c56.txt
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\befdiqmh.dll
C:\WINDOWS\system32\ddcYSKbb.dll
C:\WINDOWS\system32\dwwnw64r.exe
C:\WINDOWS\system32\feklafgl.dll
C:\WINDOWS\system32\fwxxenao.ini
C:\WINDOWS\system32\gitaqrnv.exe
C:\WINDOWS\system32\hgGyaBtT.dll
C:\WINDOWS\system32\hokcbt.dll
C:\WINDOWS\system32\jmwnw64r.exe
C:\WINDOWS\system32\kjjobt.dll
C:\WINDOWS\system32\lgfalkef.ini
C:\WINDOWS\system32\mgldvnbh.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\oofztg(2).dll
C:\WINDOWS\system32\oznszm.dll
C:\WINDOWS\system32\qbnupjbr.dll
C:\WINDOWS\system32\qbyoxetc.dll
C:\WINDOWS\system32\rbttpgap.dll
C:\WINDOWS\system32\rqRLbaxX.dll
C:\WINDOWS\system32\TtBayGgh.ini
C:\WINDOWS\system32\TtBayGgh.ini2
C:\WINDOWS\system32\vdhtlfaf.exe
C:\WINDOWS\system32\ylbegcoq.exe
\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.
2008-08-27 14:36 . 2008-08-27 14:41 <DIR> d-------- C:\ComboFix2
2008-08-26 13:50 . 2008-08-26 13:50 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\email-extractor.info
2008-08-26 13:50 . 2004-03-08 17:00 124,688 --a------ C:\WINDOWS\system32\Mswinsck.ocx
2008-08-26 10:00 . 2008-08-26 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-26 09:38 . 2008-08-26 09:38 <DIR> d-------- C:\Program Files\XoftSpySE
2008-08-23 17:24 . 2008-08-23 17:24 0 --a------ C:\WINDOWS\BM571d8c56.xml
2008-08-23 16:32 . 2008-08-23 16:32 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Symantec
2008-08-23 14:09 . 2008-08-23 14:09 850 --a------ C:\WINDOWS\system32\ProductTweaks.xml
2008-08-23 12:55 . 2007-12-10 16:44 929,792 --a------ C:\WINDOWS\system32\GMHTMLEditor.ocx
2008-08-23 12:55 . 2005-08-09 19:41 614,400 --a------ C:\WINDOWS\system32\cmax40.dll
2008-08-23 12:55 . 2002-01-10 13:44 471,040 --a------ C:\WINDOWS\system32\Vsflex7.ocx
2008-08-23 12:55 . 2002-01-10 14:46 425,984 --a------ C:\WINDOWS\system32\Vsflex7L.ocx
2008-08-23 12:55 . 2003-01-15 20:50 349,224 --a------ C:\WINDOWS\system32\IGThreed40.ocx
2008-08-23 12:55 . 2002-03-27 10:46 159,744 --a------ C:\WINDOWS\system32\dwStg.dll
2008-08-23 12:55 . 2005-03-02 07:07 127,488 --a------ C:\WINDOWS\system32\tssTaskPane1a.ocx
2008-08-23 12:55 . 2005-08-30 13:46 61,440 --a------ C:\WINDOWS\system32\ThinkFTPCMSUpload.ocx
2008-08-23 12:55 . 1998-10-13 14:08 53,248 --a------ C:\WINDOWS\system32\TinyDB6.ocx
2008-08-23 12:54 . 2008-08-23 19:55 <DIR> d-------- C:\Program Files\GroupMail 5
2008-08-23 12:54 . 2008-08-23 12:54 683,801 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\unins000.exe
2008-08-23 12:54 . 2008-08-23 12:57 9,243 --a------ C:\Documents and Settings\Compaq_Owner\Application Data\unins000.dat
2008-08-23 10:13 . 2008-08-23 10:13 385 --a------ C:\WINDOWS\system32\user_gensett.xml
2008-08-22 18:31 . 2008-08-22 18:31 <DIR> d-------- C:\WINDOWS\system32\logs
2008-08-22 18:30 . 2008-08-22 18:30 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\BitDefender
2008-08-22 18:30 . 2008-08-22 18:30 <DIR> d-------- C:\Binaries
2008-08-22 18:28 . 2008-08-22 18:29 <DIR> d-------- C:\Program Files\BitDefender
2008-08-22 18:28 . 2008-08-22 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-08-22 18:26 . 2008-08-22 18:29 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-08-22 17:27 . 2008-08-22 17:27 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-08-22 17:23 . 2008-08-22 21:02 <DIR> d-------- C:\WINDOWS\system32\spol
2008-08-22 17:23 . 2008-08-22 17:23 <DIR> d-------- C:\WINDOWS\system32\jr
2008-08-22 17:23 . 2008-08-23 00:45 <DIR> d-------- C:\WINDOWS\system32\eMaxt02
2008-08-22 17:23 . 2008-08-22 17:23 <DIR> d-------- C:\WINDOWS\system32\drive2
2008-08-22 17:23 . 2008-08-22 21:00 <DIR> d-------- C:\WINDOWS\system32\Cusp
2008-08-22 17:23 . 2008-08-23 10:12 <DIR> d-------- C:\WINDOWS\QWxhbiBCZXNz
2008-08-22 17:23 . 2008-08-22 17:23 <DIR> d-------- C:\TEMP\bbc2
2008-08-22 17:23 . 2008-08-22 17:23 64,896 --a------ C:\WINDOWS\system32\veeqvjifdniurwydp.exe
2008-08-22 17:22 . 2008-08-22 18:38 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-14 18:54 . 2008-08-14 18:54 102,208 --a------ C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-08-12 18:40 . 2008-08-12 18:40 228,672 --a------ C:\WINDOWS\system32\drivers\bdfsfltr.sys
2008-08-12 18:40 . 2008-08-12 18:40 108,864 --a------ C:\WINDOWS\system32\drivers\bdfm.sys
2008-08-09 08:54 . 2008-08-09 08:54 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\Netscape
2008-08-06 17:51 . 2008-08-06 17:51 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\GlobalSCAPE
2008-08-06 17:51 . 2008-08-06 17:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2008-08-06 10:06 . 2008-08-06 10:06 160,768 --a------ C:\WINDOWS\system32\ijflkoarvnym.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-26 15:21 2,828 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-08-24 00:56 --------- d-----w C:\Program Files\Google
2008-08-24 00:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-24 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-22 23:43 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\LimeWire
2008-08-22 23:02 --------- d-----w C:\Program Files\LimeWire
2008-08-22 21:48 --------- d-----w C:\Program Files\Web Data Extractor 7.1
2008-07-27 04:14 142 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2008-07-27 04:14 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Template
2008-07-15 21:13 --------- d-----w C:\Program Files\ICQ6
2008-07-15 21:13 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\ICQ
2008-07-15 21:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-10 22:54 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Virtual Mechanics
2008-07-10 22:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virtual Mechanics
2008-07-10 22:24 --------- d-----w C:\Program Files\Virtual Mechanics
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\dllcache\es.dll
2008-07-02 18:07 82,568 ----a-w C:\WINDOWS\system32\drivers\BDVEDISK.sys
2008-07-01 02:50 --------- d-----w C:\Program Files\iTunes
2008-07-01 02:50 --------- d-----w C:\Program Files\iPod
2008-06-30 02:08 --------- d-----w C:\Program Files\QuickTime
2008-06-30 02:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 15:57 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-04-26 23:00 17 ----a-w C:\Program Files\Sims2Pack Clean Installer.ini
2007-08-21 09:25 460,928 ----a-w C:\WINDOWS\inf\WN111\Mrvw245.sys
2007-05-24 19:58 249,856 ----a-w C:\WINDOWS\inf\WN111\InsDrv2k.exe
2006-07-05 16:21 212,992 ----a-w C:\WINDOWS\inf\WN111\CopyWHQLDriver.exe
2005-11-17 20:46 845,736 ----a-w C:\WINDOWS\inf\WN111\DPInst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9249cdb9-b513-d98c-da45-b7e61347d903}]
2008-08-06 10:06 160768 --a------ C:\WINDOWS\system32\ijflkoarvnym.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"{7af92ecd-c46e-c64d-4c4d-760512176977}"="C:\WINDOWS\system32\ijflkoarvnym.dll" [2008-08-06 10:06 160768]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-14 20:14 716800]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe" [2008-08-10 23:53 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless G Desktop Card Client Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless G Desktop Card Client Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless G Desktop Card Client Utility.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WN111 Smart Wizard.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111 Smart Wizard.lnk
backup=C:\WINDOWS\pss\NETGEAR WN111 Smart Wizard.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WPN111 Smart Wizard.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk
backup=C:\WINDOWS\pss\NETGEAR WPN111 Smart Wizard.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Registration Heroes of Might & Magic 5.LNK]
path=C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\Registration Heroes of Might & Magic 5.LNK
backup=C:\WINDOWS\pss\Registration Heroes of Might & Magic 5.LNKStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-ra------ 2006-10-23 07:50 71216 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
--a------ 2007-08-28 12:00 531272 C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2007-12-04 05:57 2494464 C:\Program Files\Electronic Arts\EADM\Core.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2007-10-08 16:50 41824 C:\Program Files\Common Files\AOL\1209799029\ee\aolsoftware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 01:11 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a------ 2006-02-15 17:34 249856 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-06-02 11:13 267048 C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2005-07-22 17:14 237568 C:\WINDOWS\SMINST\Recguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 17:43 4670704 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{7af92ecd-c46e-c64d-4c4d-760512176977}]
--a------ 2008-08-06 10:06 160768 C:\WINDOWS\system32\ijflkoarvnym.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-03-07 23:54 16010240 C:\WINDOWS\RTHDCPL.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\AOL\\1209799029\\ee\\aolsoftware.exe"=
"C:\\Program Files\\Common Files\\AOL\\1209799029\\ee\\AOLDesktop.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\ICQ6\\ICQ.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R2 BDVEDISK;BDVEDISK;C:\Program Files\BitDefender\BitDefender 2009\BDVEDISK.sys [2008-07-02 13:07]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
R3 bdfm;BDFM;C:\WINDOWS\system32\drivers\bdfm.sys [2008-08-12 18:40]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-08-14 18:54]
S1 wanatw44;wanatw44;C:\WINDOWS\system32\drivers\wanatw44.sys []
S3 Arrakis3;BitDefender Arrakis Server;C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2008-07-17 13:06]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys []
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\DNINDIS5.SYS [2003-07-24 12:10]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 09:57]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 16:02]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder
2008-08-27 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-19 17:37]
2008-08-26 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-08-19 17:37]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-BM571d8c56 - C:\WINDOWS\system32\qbnupjbr.dll
HKLM-Run-542ebfca - C:\WINDOWS\system32\feklafgl.dll
MSConfigStartUp-ccApp - c:\Program Files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Host Process - C:\WINDOWS\Fonts\svchost.exe
MSConfigStartUp-IS CfgWiz - c:\Program Files\Norton Internet Security\cfgwiz.exe
MSConfigStartUp-runner1 - C:\WINDOWS\faceback1000106.exe
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
MSConfigStartUp-{EB-BF-F6-65-DW} - c:\windows\system32\jmwnw64r.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\r8nuondo.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 15:26:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe
.
**************************************************************************
.
Completion time: 2008-08-27 15:40:50 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-08-27 20:40:44
Pre-Run: 39,586,033,664 bytes free
Post-Run: 39,721,783,296 bytes free
321 --- E O F --- 2008-08-14 08:03:56
-
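Reading a log like the one above by eye is what the helpers in this thread do; as an added example (Python written for this page, not part of ComboFix, BitDefender or any post here), this script pulls the same security-relevant signals out of the "Reg Loading Points" and "Orphans" lines: Security Center notifications switched off, the Windows Firewall disabled, a GUID-named autorun value, one DLL registered both as a Browser Helper Object and as an autorun, and a trusted system-process name running from the wrong folder (the `C:\WINDOWS\Fonts\svchost.exe` orphan). That last check is also the answer to the Task Manager list earlier in the thread: a name such as smss.exe or csrss.exe proves nothing either way; the folder it runs from does. The sample excerpt is constructed from lines of this log, and the finding codes and regexes are my own.

```python
"""Triage the registry-loading-point section of a ComboFix log (added example)."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "code detail")

# Security Center values that, when set to 1, silence the "no antivirus /
# no firewall" warnings; malware flips them so the user sees no alert.
TAMPER_VALUES = {"antivirusdisablenotify", "firewalldisablenotify",
                 "updatesdisablenotify", "disablemonitoring"}

# Windows XP process names and the only folders they legitimately run from.
# The same name found elsewhere is a file borrowing a trusted name.
SYSTEM_BINARIES = {name: {r"c:\windows\system32"} for name in (
    "svchost.exe", "csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "ctfmon.exe", "wdfmgr.exe")}
SYSTEM_BINARIES["explorer.exe"] = {r"c:\windows"}

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "Name"=data
PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"\[\]\r\n]*?)\\([\w.()-]+\.(?:exe|dll|sys))\b', re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def triage_combofix(log_text):
    """Return a list of Finding(code, detail) for one ComboFix log."""
    findings = []
    bho_dlls, run_paths = set(), set()   # lower-cased full paths
    key = ""                             # registry key the value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1).lower()
            continue
        vm = VALUE_RE.match(line)
        if vm:
            name, data = vm.group(1), vm.group(2)
            if ("security center" in key and name.lower() in TAMPER_VALUES
                    and data.lower().endswith("dword:00000001")):
                findings.append(Finding("SECURITY_CENTER_TAMPERED", f"{name} in [{key}]"))
            if (key.endswith(r"firewallpolicy\standardprofile")
                    and name == "EnableFirewall" and data.startswith("0")):
                findings.append(Finding("FIREWALL_DISABLED", key))
            if key.endswith(r"\run"):
                if GUID_RE.match(name):   # autoruns named by a bare GUID are rare for real software
                    findings.append(Finding("GUID_NAMED_RUN_ENTRY", f"{name} = {data}"))
                pm = PATH_RE.search(data)
                if pm:
                    run_paths.add(pm.group(0).lower())
        elif "browser helper objects" in key:
            pm = PATH_RE.search(line)     # "date time size attrs path" line under a BHO key
            if pm and pm.group(2).lower().endswith(".dll"):
                bho_dlls.add(pm.group(0).lower())
        # Name-versus-location check runs on every line that carries a path.
        for pm in PATH_RE.finditer(line):
            directory, filename = pm.group(1).lower(), pm.group(2).lower()
            allowed = SYSTEM_BINARIES.get(filename)
            if allowed and directory not in allowed:
                findings.append(Finding("MASQUERADING_SYSTEM_NAME", pm.group(0)))
    for dll in sorted(bho_dlls & run_paths):
        findings.append(Finding("BHO_DLL_ALSO_AUTORUN", dll))
    return findings


def count_findings(log_text):
    """Finding code -> number of occurrences."""
    return dict(Counter(f.code for f in triage_combofix(log_text)))


# Constructed excerpt: lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9249cdb9-b513-d98c-da45-b7e61347d903}]
2008-08-06 10:06 160768 --a------ C:\WINDOWS\system32\ijflkoarvnym.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{7af92ecd-c46e-c64d-4c4d-760512176977}"="C:\WINDOWS\system32\ijflkoarvnym.dll" [2008-08-06 10:06 160768]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe" [2008-08-14 20:14 716800]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
MSConfigStartUp-Host Process - C:\WINDOWS\Fonts\svchost.exe
"""

if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f"{f.code:26} {f.detail}")
```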
Okay, I uploaded the log file in case y'all didn't see the post..
log.txt (attachment)
-
Indeed it looks like your computer has a lot of malware (or at least suspicious looking files). Please gather as many files from the following list as possible and place them in a password protected archive (preferably with the password "infected" - without the quotes) and attach it to a reply on this thread:
C:\WINDOWS\system32\befdiqmh.dll
C:\WINDOWS\system32\ddcYSKbb.dll
C:\WINDOWS\system32\dwwnw64r.exe
C:\WINDOWS\system32\feklafgl.dll
C:\WINDOWS\system32\fwxxenao.ini
C:\WINDOWS\system32\gitaqrnv.exe
C:\WINDOWS\system32\hgGyaBtT.dll
C:\WINDOWS\system32\hokcbt.dll
C:\WINDOWS\system32\jmwnw64r.exe
C:\WINDOWS\system32\kjjobt.dll
C:\WINDOWS\system32\lgfalkef.ini
C:\WINDOWS\system32\mgldvnbh.dll
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\oofztg(2).dll
C:\WINDOWS\system32\oznszm.dll
C:\WINDOWS\system32\qbnupjbr.dll
C:\WINDOWS\system32\qbyoxetc.dll
C:\WINDOWS\system32\rbttpgap.dll
C:\WINDOWS\system32\rqRLbaxX.dll
C:\WINDOWS\system32\TtBayGgh.ini
C:\WINDOWS\system32\TtBayGgh.ini2
C:\WINDOWS\system32\vdhtlfaf.exe
C:\WINDOWS\system32\ylbegcoq.exe
C:\WINDOWS\system32\ijflkoarvnym.dll
C:\WINDOWS\system32\veeqvjifdniurwydp.exe
C:\WINDOWS\system32\KGyGaAvL.sys
C:\WINDOWS\system32\es.dll
C:\WINDOWS\system32\dllcache\es.dll
Best regards.
-
I'm sincerely not trying to be funny or silly. I'm totally new to all of this, so please forgive me. But can you be a little bit more specific? Gather as many files from the following list as possible? Gather them from where? You mean cut and paste this list you typed? Cut and paste it to what, and put it where? Is there a way to cut and paste it into a location in BD? Or do you mean somewhere else?? OK, and how do I create a password-protected archive?
For someone with virus knowledge or a little more comp savvy the generic task will work, but can I have the "For Dummies" version? May I trouble you for steps or instructions so I can do what you ask of me?
-
Or do you mean do a search for them on my comp, right-click on the file and get BD to... quarantine it or whatever? LOL, I'm trying! I'm sorry!
-
If you happen to find the above-mentioned files in CD-Man's post, please copy them to a specific location (say a newly-created folder on your desktop). After you have copied all of them to the new folder, use an archiving program such as WinZip or WinRar to create an archive (the archiver will create a single file with either a .zip or .rar extension). After the archiving is completed, please attach it to this thread. Should you need further directions, please don't hesitate to ask here.
-
Hello IceXPinkGirl,
Please do this: click on Start, then My Computer, and double-click on the icon of your hard disk, which should be C:. You will find a folder called QooBox; open it and open the following subfolders: Quarantine, C, WINDOWS, system32. There you will find most of the files that Cd-MaN asked for. You need to rename them: ComboFix renames the infected files to this: dwwnw64r.exe.vir. Right-click on it and choose Rename, remove the .vir in the name and confirm the Windows message. One piece of advice: do not double-click on it after you rename them, and add them now to an archive. For the other files that Cd-MaN requested you need to open the Windows folder and the corresponding subfolder. To give an example:
C:\WINDOWS\Fonts\a.zip means that you need to open the Fonts subfolder of the Windows folder.
Kind regards,
Niels
-
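Niels' QooBox directions, scripted as an added example (Python written for this page, not part of ComboFix, BitDefender or WinZip): the `QooBox\Quarantine\C\WINDOWS\system32` layout and the `.vir` suffix are as described in the post; the flattened staging names, the manifest format and the constructed sample bytes are my own. It looks for each requested path in the quarantine mirror first and at its original location second, keeps the `.vir` suffix on the staged copies rather than renaming them so nothing can be run by accident, and records size and SHA-256 so the helper can confirm what was received; zipping the staging folder with the password is still done in the archiver.

```python
r"""Stage the files an analyst asks for after a ComboFix run (added example).

ComboFix moves what it removed to C:\QooBox\Quarantine, mirroring the original
path and appending ".vir": C:\WINDOWS\system32\dwwnw64r.exe becomes
C:\QooBox\Quarantine\C\WINDOWS\system32\dwwnw64r.exe.vir.  Files the log only
reported are still where they were.  On the real machine call
collect_samples(REQUESTED, r"C:\QooBox", "C:\\", staging_folder).
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Paths from the list requested in this thread, plus one absent from the demo tree.
REQUESTED = [
    r"C:\WINDOWS\system32\dwwnw64r.exe",
    r"C:\WINDOWS\system32\ijflkoarvnym.dll",
    r"C:\WINDOWS\system32\es.dll",
    r"C:\WINDOWS\system32\dllcache\es.dll",
    r"C:\WINDOWS\Fonts\a.zip",
]


def _split(original):
    """("C", ("WINDOWS", "system32", "x.exe")) for an absolute Windows path."""
    p = PureWindowsPath(original)
    if not p.drive or len(p.parts) < 2:
        raise ValueError(f"need an absolute path with a drive letter: {original!r}")
    return p.drive.rstrip(":"), p.parts[1:]


def quarantine_path(original, qoobox_root):
    """Where ComboFix would have moved original: QooBox/Quarantine/<drive>/<path>.vir"""
    drive, parts = _split(original)
    return Path(qoobox_root, "Quarantine", drive, *parts[:-1], parts[-1] + ".vir")


def live_path(original, drive_root):
    """original re-rooted on drive_root (Path("C:\\") on the real box, a temp dir here)."""
    _, parts = _split(original)
    return Path(drive_root, *parts)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_samples(requested, qoobox_root, drive_root, staging):
    """Copy each requested file from quarantine or its live location into staging."""
    staging = Path(staging)
    staging.mkdir(parents=True, exist_ok=True)
    manifest = {"found": [], "missing": []}
    for original in requested:
        _, parts = _split(original)
        candidates = [("quarantine", quarantine_path(original, qoobox_root), ".vir"),
                      ("live", live_path(original, drive_root), "")]
        for where, src, suffix in candidates:
            if not src.is_file():
                continue
            # Flat name built from the full path, so the two es.dll copies cannot collide.
            dst = staging / ("_".join(parts) + suffix)
            shutil.copy2(src, dst)
            manifest["found"].append({"original": original, "where": where, "staged": dst.name,
                                      "size": dst.stat().st_size, "sha256": sha256_of(dst)})
            break
        else:
            manifest["missing"].append(original)
    return manifest


def run_demo():
    """Build a constructed QooBox/drive tree in a temp dir and collect from it."""
    root = Path(tempfile.mkdtemp(prefix="qoobox_demo_"))
    qoobox, drive, staging = root / "QooBox", root / "drive_c", root / "samples"
    fixtures = {  # constructed stand-ins, not real files from the infected machine
        quarantine_path(REQUESTED[0], qoobox): b"MZ constructed sample 1",
        quarantine_path(REQUESTED[1], qoobox): b"MZ constructed sample 2",
        live_path(REQUESTED[2], drive): b"MZ constructed es.dll",
        live_path(REQUESTED[3], drive): b"MZ constructed es.dll",
    }
    for path, data in fixtures.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return collect_samples(REQUESTED, qoobox, drive, staging)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```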
I was unable to locate any of those files.
-
I'll try this now..
-
Thanks Niels! I was able to get most of those on the list. Some weren't there. I put the ones I could find in a zip, and I also made a list in Notepad, which I will include here also. I'm trying to upload the WinZip of the files, but it keeps saying "You did not select a file to upload"?
-
The file is too large...
-
Hello IceXPinkGirl,
That is because there is a 2 MB file upload limit for attachments. Did you already try to change the compression grade in WinZip? That can also reduce the file size of your archive. What you can do is upload it to an online file host and just add the download link in a text file. Take a look at this topic, more specifically the latest post.
Kind regards,
Niels