Buy Malwarebytes antimalware
Google
The Spykiller
  Home Help Search Calendar Login Register   *
Board Language: Deutsch English
Advertise on this site

Welcome to The Spykiller

You only need to register to  get help with malware cleaning on your computer or take part in the general discussion forums You DO NOT need to register to upload suspicious files for examination or download any of the tools or use any other part of this site.
It takes a very long time and a lot of hard work on our part to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare so a large part of our time is spent helping you

 INSTRUCTIONS - Read This Before Posting For Malware Removal Help
Digg This!
The Spykiller  > Spyware & Malware removal and General computer help > Malware removal and help > Topic: Trojan Gord
Pages: [1] 2   Go Down
« previous next »
  Print  
Author Topic: Trojan Gord  (Read 999 times)
0 Members and 1 Guest are viewing this topic.
m3kgt97
*
Offline Offline

Posts: 7
« on: March 02, 2010, 03:24:02 »
hey guys, i've had this stupid trojan.gord for a week or so now. Tried everything, MBAM, deleting registry keys, removing firefox, etc.  But i still get a virus notice everytime i start the computer.  Any help would be great. 

Here's my HJT log:
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
C:\Program Files\NavNT\rtvscan.exe
C:\windows\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\windows\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\windows\system32\MsgSys.EXE
C:\windows\Explorer.EXE
C:\WINDOWS\SM1BG.EXE
C:\windows\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\windows\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NavNT\vptray.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\GoZone\GoZone_iSync.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Dean\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dean\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dean\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dean\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dean\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dean\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Dean\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\windows\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Gyoxeluwenuqave] rundll32.exe "C:\windows\uqawunozabulamuf.dll",Startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Dean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: GoZone iSync.lnk = C:\Program Files\GoZone\GoZone_iSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155749743656
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version7/dlhelper.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_229/webolr/OCX/FlashAX.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Report to moderator   Logged
Derek
Administrator
*****
Offline Offline

Posts: 11284
« Reply #1 on: March 02, 2010, 19:34:12 »
Delete any existing version of ComboFix you have sitting on your desktop
Please read and follow all these instructions very carefully

Download ComboFix from Here to your Desktop.

**Note:  It is important that it is saved directly to your desktop  and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Very Important! Temporarily disable your anti-virus and  anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this
When finished, it will produce a report for you. 
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. 
Report to moderator   Logged
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.
m3kgt97
*
Offline Offline

Posts: 7
« Reply #2 on: March 03, 2010, 00:35:07 »
ComboFix 10-03-02.02 - Dean 03/02/2010  19:19:56.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.693 [GMT -5:00]
Running from: c:\documents and settings\Dean\My Documents\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dean\Local Settings\Temporary Internet Files\ikejaner.vbs
c:\documents and settings\Dean\Local Settings\Temporary Internet Files\kawoq.scr
c:\documents and settings\Dean\Local Settings\Temporary Internet Files\ycuqemavob.lib
c:\program files\Windows Media Player\pidgen.dll
c:\windows\Downloaded Program Files\dlhelper.dll
c:\windows\exufe.bat
c:\windows\patch.exe
c:\windows\system32\Data
c:\windows\system32\ixytapys.reg
c:\windows\system32\yzow.bat
c:\windows\uqawunozabulamuf.dll

.
original MBR restored successfully !
.
(((((((((((((((((((((((((   Files Created from 2010-02-03 to 2010-03-03  )))))))))))))))))))))))))))))))
.

2010-03-02 21:59 . 2010-03-02 21:59   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-02 21:44 . 2010-03-02 21:44   --------   d-----w-   c:\documents and settings\Dean\Local Settings\Application Data\{B0A546A5-0546-4519-BB20-5798965A2F91}
2010-02-28 17:31 . 2010-02-28 17:31   --------   d-----w-   c:\documents and settings\HelpAssistant\WINDOWS
2010-02-28 16:53 . 2010-02-28 17:31   --------   d-----w-   c:\documents and settings\HelpAssistant
2010-02-27 18:45 . 2010-02-27 18:44   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-27 18:44 . 2010-02-27 18:44   152576   ----a-w-   c:\documents and settings\Dean\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-27 18:43 . 2010-02-27 18:43   79488   ----a-w-   c:\documents and settings\Dean\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-25 23:26 . 2010-02-25 23:26   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Shaders
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Resource
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Mods
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Miles
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\PublicMaps
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Assets
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\documents and settings\Dean\Application Data\InstallShield Installation Information
2010-02-05 15:39 . 2010-02-05 15:39   251376   ----a-w-   c:\documents and settings\Dean\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-03 01:40 . 2010-02-03 01:40   --------   d-----w-   c:\program files\iPod
2010-02-03 01:40 . 2010-02-03 01:41   --------   d-----w-   c:\program files\iTunes
2010-02-03 01:31 . 2010-02-03 01:31   72488   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 00:14 . 2008-03-10 22:13   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 22:01 . 2004-07-22 20:27   --------   d-----w-   c:\program files\SpywareBlaster
2010-03-02 21:59 . 2009-01-29 00:41   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-03-02 03:47 . 2005-12-01 00:01   96384   ----a-w-   c:\windows\system32\drivers\sptd2573.sys
2010-03-02 03:06 . 2009-10-24 07:16   120   ----a-w-   c:\windows\Mhimamisabamomi.dat
2010-03-01 21:50 . 2009-10-24 07:16   0   ----a-w-   c:\windows\Kjelejowe.bin
2010-02-28 23:59 . 2009-08-20 01:54   --------   d-----w-   c:\program files\AIM Toolbar
2010-02-27 18:44 . 2005-09-11 21:42   --------   d-----w-   c:\program files\Java
2010-02-27 00:40 . 2009-05-04 23:23   --------   d-----w-   c:\program files\uTorrent
2010-02-26 01:15 . 2009-05-04 23:23   --------   d-----w-   c:\documents and settings\Dean\Application Data\uTorrent
2010-02-25 23:25 . 2006-01-09 23:03   --------   d-----w-   c:\documents and settings\Dean\Application Data\My Games
2010-02-25 03:20 . 2006-09-15 16:32   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-02-19 23:37 . 2006-01-12 22:45   658   -c--a-w-   c:\program files\ThemeParseLog.txt
2010-02-15 00:45 . 2004-07-22 19:35   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-02-11 04:04 . 2008-02-03 14:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-03 01:40 . 2007-08-19 18:54   --------   d-----w-   c:\program files\Common Files\Apple
2010-02-03 01:36 . 2005-09-14 13:27   --------   d-----w-   c:\program files\QuickTime
2010-01-17 21:07 . 2010-01-17 21:07   --------   d-----w-   c:\program files\GoZone
2010-01-07 21:07 . 2009-01-29 00:41   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-01-29 00:41   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2004-10-06 22:02   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 15:33   916480   ----a-w-   c:\windows\system32\wininet.dll
2009-12-18 01:45 . 2009-12-18 01:45   57664   ---ha-w-   c:\windows\system32\mlfcache.dat
2009-12-16 18:43 . 2004-10-06 22:12   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-10-06 22:12   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-10 01:33 . 2004-10-07 00:04   70960   ----a-w-   c:\documents and settings\Dean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 19:27 . 2004-10-06 22:02   2189184   ----a-w-   c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-10-06 22:02   2066048   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-10-06 22:02   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2009-10-24 07:14 . 2009-10-24 07:14   17444   ----a-w-   c:\program files\Common Files\bydanu.dl
2009-10-23 22:54 . 2009-10-24 07:13   167936   ----a-w-   c:\program files\_scui.vir
2007-08-25 15:14 . 2006-01-12 22:44   808   ----a-w-   c:\program files\_Civ4Config.lnk
2007-08-25 15:14 . 2006-01-12 22:44   793   ----a-w-   c:\program files\_Civ4TransferredMaps.lnk
2007-08-25 15:14 . 2006-01-12 22:44   772   ----a-w-   c:\program files\_Civ4CustomAssets.lnk
2007-08-25 15:14 . 2006-01-12 22:44   765   ----a-w-   c:\program files\_Civ4ScreenShots.lnk
2007-08-25 15:14 . 2006-01-12 22:44   758   ----a-w-   c:\program files\_Civ4CustomMaps.lnk
2007-08-25 15:14 . 2006-01-12 22:44   735   ----a-w-   c:\program files\_Civ4Replays.lnk
2007-08-25 15:14 . 2006-01-12 22:44   724   ----a-w-   c:\program files\_Civ4CustomMods.lnk
2007-08-25 15:14 . 2006-01-12 22:44   719   ----a-w-   c:\program files\_Civ4Patch.lnk
2007-08-25 15:14 . 2006-01-12 22:44   709   ----a-w-   c:\program files\_Civ4Saves.lnk
2007-08-25 15:14 . 2006-01-12 22:44   702   ----a-w-   c:\program files\_Civ4Logs.lnk
2006-01-01 22:26 . 2006-01-12 22:29   10326032   ----a-w-   c:\program files\Civilization4.exe
2005-11-17 01:49 . 2006-01-12 22:29   59904   ----a-w-   c:\program files\zlib1.dll
2005-11-16 01:59 . 2006-01-12 22:29   193024   ----a-w-   c:\program files\binkw32.dll
2005-10-15 07:08 . 2006-01-12 22:04   1867776   ----a-w-   c:\program files\python24.dll
2005-10-15 07:08 . 2006-01-12 22:04   387072   ----a-w-   c:\program files\Mss32.dll
2005-10-15 06:32 . 2006-01-12 22:29   640000   ----a-w-   c:\program files\dbghelp.dll
2005-09-26 04:30 . 2005-09-26 04:30   480   -c--a-w-   c:\program files\SolidWorksswxJRNL.BAK
2004-08-03 04:43 . 2004-08-03 04:43   10135688   -c--a-w-   c:\program files\MPSetupXP.exe
2004-07-29 20:13 . 2004-07-29 20:13   6465104   -c--a-w-   c:\program files\LiveDrvPack_Patch.exe
2004-07-22 20:47 . 2004-07-22 20:47   8586133   -c--a-w-   c:\program files\Cole2k.Media.-.Codec.Pack.V5.48.Advanced.zip
2003-12-02 05:03 . 2004-07-22 20:39   156828   -c----w-   c:\program files\hijackthis.zip
2003-08-27 18:19 . 2004-09-10 19:00   36963   ----a-r-   c:\program files\Common Files\SM1updtr.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ESPN BottomLine"="c:\program files\ESPN\BottomLine\bline.exe" [2002-05-22 155759]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"Google Update"="c:\documents and settings\Dean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 86102]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-27 149280]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-11-11 7311360]
"nwiz"="nwiz.exe" [2005-11-11 1519616]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-11-11 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-26 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Dean\Start Menu\Programs\Startup\
GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2010-1-17 425984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Wireless-B PCI Adapter Utility.lnk - c:\program files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [2004-7-22 4634624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Dean\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Dean\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [7/22/2004 3:36 PM 5248]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 5:36 PM 30152]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 5:36 PM 30152]
R3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/22/2004 2:58 PM 95232]
S0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [7/22/2004 3:36 PM 160640]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/30/2005 7:01 PM 664064]
S3 oflpydin;oflpydin;\??\c:\docume~1\Dean\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\Dean\LOCALS~1\Temp\oflpydin.sys [?]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [11/4/2006 8:10 PM 3968]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-515967899-725345543-1004Core.job
- c:\documents and settings\Dean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 03:26]

2010-03-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-515967899-725345543-1004UA.job
- c:\documents and settings\Dean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 03:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mWindow Title = Windows Internet Explorer provided by Comcast
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://www.google.com/
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKLM-Run-Gyoxeluwenuqave - c:\windows\uqawunozabulamuf.dll
AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe
AddRemove-Webshots Desktop - c:\progra~1\Webshots\UNWISE.EXE
AddRemove-XviD - c:\program files\XviD\UninstXviD.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-02 19:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x871C1C48]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77e5f28
\Driver\ACPI -> ACPI.sys @ 0xf7758cb8
\Driver\atapi -> 0x871c1c48
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Instant Wireless-B PCI Adapter -> SendCompleteHandler -> 0x8653d330
 PacketIndicateHandler -> NDIS.sys @ 0xf7611a21
 SendHandler -> NDIS.sys @ 0xf75ef87b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF7FDFC
malicious code @ sector 0x0DF7FDFF !
PE file found in sector at 0x0DF7FE15 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
c:\windows\System32\NavLogon.dll
.
Completion time: 2010-03-02  19:30:24
ComboFix-quarantined-files.txt  2010-03-03 00:30
ComboFix2.txt  2009-01-29 01:34

Pre-Run: 30,668,607,488 bytes free
Post-Run: 30,670,045,184 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - FD0D32EBE716106CD43B81BD32AC03D0
Report to moderator   Logged
Derek
Administrator
*****
Offline Offline

Posts: 11284
« Reply #3 on: March 03, 2010, 18:53:55 »
now please inmstall recovery console as shown here so we can fix things if need be

Combofix has skipped some fixes because RC wasn't installed

Report to moderator   Logged
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.
m3kgt97
*
Offline Offline

Posts: 7
« Reply #4 on: March 03, 2010, 23:11:56 »
i'm pretty sure i installed it both times.  but here it is again. thanks for your help

ComboFix 10-03-03.03 - Dean 03/03/2010  17:03:18.3.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.623 [GMT -5:00]
Running from: c:\documents and settings\Dean\My Documents\Downloads\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dmGRax2.dll

.
original MBR restored successfully !
.
(((((((((((((((((((((((((   Files Created from 2010-02-03 to 2010-03-03  )))))))))))))))))))))))))))))))
.

2010-03-02 21:59 . 2010-03-02 21:59   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-02 21:44 . 2010-03-02 21:44   --------   d-----w-   c:\documents and settings\Dean\Local Settings\Application Data\{B0A546A5-0546-4519-BB20-5798965A2F91}
2010-02-28 17:31 . 2010-02-28 17:31   --------   d-----w-   c:\documents and settings\HelpAssistant\WINDOWS
2010-02-28 16:53 . 2010-02-28 17:31   --------   d-----w-   c:\documents and settings\HelpAssistant
2010-02-27 18:45 . 2010-02-27 18:44   411368   ----a-w-   c:\windows\system32\deploytk.dll
2010-02-27 18:44 . 2010-02-27 18:44   152576   ----a-w-   c:\documents and settings\Dean\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-02-27 18:43 . 2010-02-27 18:43   79488   ----a-w-   c:\documents and settings\Dean\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-02-25 23:26 . 2010-02-25 23:26   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Shaders
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Resource
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Mods
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Miles
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\PublicMaps
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\program files\Assets
2010-02-25 23:25 . 2010-02-25 23:25   --------   d-----w-   c:\documents and settings\Dean\Application Data\InstallShield Installation Information
2010-02-05 15:39 . 2010-02-05 15:39   251376   ----a-w-   c:\documents and settings\Dean\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-02-03 01:40 . 2010-02-03 01:40   --------   d-----w-   c:\program files\iPod
2010-02-03 01:40 . 2010-02-03 01:41   --------   d-----w-   c:\program files\iTunes
2010-02-03 01:31 . 2010-02-03 01:31   72488   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-03 21:57 . 2008-03-10 22:13   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
2010-03-02 22:01 . 2004-07-22 20:27   --------   d-----w-   c:\program files\SpywareBlaster
2010-03-02 21:59 . 2009-01-29 00:41   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-03-02 03:47 . 2005-12-01 00:01   96384   ----a-w-   c:\windows\system32\drivers\sptd2573.sys
2010-03-02 03:06 . 2009-10-24 07:16   120   ----a-w-   c:\windows\Mhimamisabamomi.dat
2010-03-01 21:50 . 2009-10-24 07:16   0   ----a-w-   c:\windows\Kjelejowe.bin
2010-02-28 23:59 . 2009-08-20 01:54   --------   d-----w-   c:\program files\AIM Toolbar
2010-02-27 18:44 . 2005-09-11 21:42   --------   d-----w-   c:\program files\Java
2010-02-27 00:40 . 2009-05-04 23:23   --------   d-----w-   c:\program files\uTorrent
2010-02-26 01:15 . 2009-05-04 23:23   --------   d-----w-   c:\documents and settings\Dean\Application Data\uTorrent
2010-02-25 23:25 . 2006-01-09 23:03   --------   d-----w-   c:\documents and settings\Dean\Application Data\My Games
2010-02-25 03:20 . 2006-09-15 16:32   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-02-19 23:37 . 2006-01-12 22:45   658   -c--a-w-   c:\program files\ThemeParseLog.txt
2010-02-15 00:45 . 2004-07-22 19:35   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-02-11 04:04 . 2008-02-03 14:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-03 01:40 . 2007-08-19 18:54   --------   d-----w-   c:\program files\Common Files\Apple
2010-02-03 01:36 . 2005-09-14 13:27   --------   d-----w-   c:\program files\QuickTime
2010-01-17 21:07 . 2010-01-17 21:07   --------   d-----w-   c:\program files\GoZone
2010-01-07 21:07 . 2009-01-29 00:41   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-01-29 00:41   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2004-10-06 22:02   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2006-06-23 15:33   916480   ------w-   c:\windows\system32\wininet.dll
2009-12-18 01:45 . 2009-12-18 01:45   57664   ---ha-w-   c:\windows\system32\mlfcache.dat
2009-12-16 18:43 . 2004-10-06 22:12   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-10-06 22:12   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-10 01:33 . 2004-10-07 00:04   70960   ----a-w-   c:\documents and settings\Dean\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 19:27 . 2004-10-06 22:02   2189184   ------w-   c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-10-06 22:02   2066048   ------w-   c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2004-10-06 22:02   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2009-10-24 07:14 . 2009-10-24 07:14   17444   ----a-w-   c:\program files\Common Files\bydanu.dl
2009-10-23 22:54 . 2009-10-24 07:13   167936   ----a-w-   c:\program files\_scui.vir
2007-08-25 15:14 . 2006-01-12 22:44   808   ----a-w-   c:\program files\_Civ4Config.lnk
2007-08-25 15:14 . 2006-01-12 22:44   793   ----a-w-   c:\program files\_Civ4TransferredMaps.lnk
2007-08-25 15:14 . 2006-01-12 22:44   772   ----a-w-   c:\program files\_Civ4CustomAssets.lnk
2007-08-25 15:14 . 2006-01-12 22:44   765   ----a-w-   c:\program files\_Civ4ScreenShots.lnk
2007-08-25 15:14 . 2006-01-12 22:44   758   ----a-w-   c:\program files\_Civ4CustomMaps.lnk
2007-08-25 15:14 . 2006-01-12 22:44   735   ----a-w-   c:\program files\_Civ4Replays.lnk
2007-08-25 15:14 . 2006-01-12 22:44   724   ----a-w-   c:\program files\_Civ4CustomMods.lnk
2007-08-25 15:14 . 2006-01-12 22:44   719   ----a-w-   c:\program files\_Civ4Patch.lnk
2007-08-25 15:14 . 2006-01-12 22:44   709   ----a-w-   c:\program files\_Civ4Saves.lnk
2007-08-25 15:14 . 2006-01-12 22:44   702   ----a-w-   c:\program files\_Civ4Logs.lnk
2006-01-01 22:26 . 2006-01-12 22:29   10326032   ----a-w-   c:\program files\Civilization4.exe
2005-11-17 01:49 . 2006-01-12 22:29   59904   ----a-w-   c:\program files\zlib1.dll
2005-11-16 01:59 . 2006-01-12 22:29   193024   ----a-w-   c:\program files\binkw32.dll
2005-10-15 07:08 . 2006-01-12 22:04   1867776   ----a-w-   c:\program files\python24.dll
2005-10-15 07:08 . 2006-01-12 22:04   387072   ----a-w-   c:\program files\Mss32.dll
2005-10-15 06:32 . 2006-01-12 22:29   640000   ----a-w-   c:\program files\dbghelp.dll
2005-09-26 04:30 . 2005-09-26 04:30   480   -c--a-w-   c:\program files\SolidWorksswxJRNL.BAK
2004-08-03 04:43 . 2004-08-03 04:43   10135688   -c--a-w-   c:\program files\MPSetupXP.exe
2004-07-29 20:13 . 2004-07-29 20:13   6465104   -c--a-w-   c:\program files\LiveDrvPack_Patch.exe
2004-07-22 20:47 . 2004-07-22 20:47   8586133   -c--a-w-   c:\program files\Cole2k.Media.-.Codec.Pack.V5.48.Advanced.zip
2003-12-02 05:03 . 2004-07-22 20:39   156828   -c----w-   c:\program files\hijackthis.zip
2003-08-27 18:19 . 2004-09-10 19:00   36963   ----a-r-   c:\program files\Common Files\SM1updtr.dll
.

(((((((((((((((((((((((((((((   SnapShot@2010-03-03_00.28.14   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-03 21:59 . 2010-03-03 21:59   16384              c:\windows\temp\Perflib_Perfdata_26c.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ESPN BottomLine"="c:\program files\ESPN\BottomLine\bline.exe" [2002-05-22 155759]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"Google Update"="c:\documents and settings\Dean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-13 133104]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-08 86102]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-27 149280]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-11-11 7311360]
"nwiz"="nwiz.exe" [2005-11-11 1519616]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-11-11 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-26 185896]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Dean\Start Menu\Programs\Startup\
GoZone iSync.lnk - c:\program files\GoZone\GoZone_iSync.exe [2010-1-17 425984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Wireless-B PCI Adapter Utility.lnk - c:\program files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [2004-7-22 4634624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Dean\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Dean\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer Generals Zero Hour\\patchget.dat"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7521:TCP"= 7521:TCP:Services

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [7/22/2004 3:36 PM 5248]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 5:36 PM 30152]
R2 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/11/2009 5:36 PM 30152]
R3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\drivers\LSIPNDS.sys [7/22/2004 2:58 PM 95232]
S0 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [7/22/2004 3:36 PM 160640]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/30/2005 7:01 PM 664064]
S3 oflpydin;oflpydin;\??\c:\docume~1\Dean\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\Dean\LOCALS~1\Temp\oflpydin.sys [?]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [11/4/2006 8:10 PM 3968]
S4 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-515967899-725345543-1004Core.job
- c:\documents and settings\Dean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 03:26]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-515967899-725345543-1004UA.job
- c:\documents and settings\Dean\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-13 03:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/
mWindow Title = Windows Internet Explorer provided by Comcast
mSearch Bar = hxxp://www.google.com/
mSearchMigratedDefaultURL = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchURL = hxxp://www.google.com/
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 17:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x871DD0A8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf77e5f28
\Driver\ACPI -> ACPI.sys @ 0xf7758cb8
\Driver\atapi -> 0x871dd0a8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Instant Wireless-B PCI Adapter -> SendCompleteHandler -> 0x86545330
 PacketIndicateHandler -> NDIS.sys @ 0xf7623a21
 SendHandler -> NDIS.sys @ 0xf760187b
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF7FDFC
malicious code @ sector 0x0DF7FDFF !
PE file found in sector at 0x0DF7FE15 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\System32\NavLogon.dll
.
Completion time: 2010-03-03  17:13:51
ComboFix-quarantined-files.txt  2010-03-03 22:13
ComboFix2.txt  2010-03-03 00:30
ComboFix3.txt  2009-01-29 01:34

Pre-Run: 30,722,756,608 bytes free
Post-Run: 30,682,775,552 bytes free

Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - AD7277DC2590700C8636959F42142DA2
Report to moderator   Logged
m3kgt97
*
Offline Offline

Posts: 7
« Reply #5 on: March 03, 2010, 23:29:56 »
well i realized it didnt install again, so i manually tried to install from the link that you posted.  an error came up "Boot partition cannot be enumerated correctly." i have no idea what that means but i'm guessing it has something to do with the recovery console?

Again, thanks for your help. 
Report to moderator   Logged
Derek
Administrator
*****
Offline Offline

Posts: 11284
« Reply #6 on: March 04, 2010, 07:40:08 »
do you have yoir install cd

first though
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

then
download gmer rootkit detector from http://gmer.net

unzip it & double click the gmer.exe file

It will do a quick scan automatically, when that finishes if it says "rootkit activity detected" then Stop there &  press copy & post back the log it makes.
Do NOT allow it to perform a full scan at this time

If there is No warning of rootkit activity then select the rootkit tab & press scan. When it finishes press copy & post back the log it makes
Report to moderator   Logged
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.
Derek
Administrator
*****
Offline Offline

Posts: 11284
« Reply #7 on: March 04, 2010, 07:47:19 »
We need to check your Boot.INI File

Download BootCheck.exe to your desktop.
Double click BootCheck.exe to run it.
Allow it to run when you get the security Warning
When complete, a Notepad window will open with the information I need.
Save the Notepad file to your desktop as BootCheck.txt
Copy and Paste the contents of BootCheck.txt in your next reply please.
Report to moderator   Logged
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.
m3kgt97
*
Offline Offline

Posts: 7
« Reply #8 on: March 05, 2010, 18:29:12 »
the window for bootcheck displayed "cannot find file specified" and this is the only thing that came up when i ran bootcheck:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !

Contents of boot.ini:
Report to moderator   Logged
Derek
Administrator
*****
Offline Offline

Posts: 11284
« Reply #9 on: March 05, 2010, 21:04:16 »
I am not sure this is fixable

do you have your install CD
Report to moderator   Logged
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.
Pages: [1] 2   Go Up
  Print  
The Spykiller  > Spyware & Malware removal and General computer help > Malware removal and help > Topic: Trojan Gord
 « previous next »
 
Jump to:  

Donations

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running

To donate via paypal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's paypal log in page and chose send money and use help@thehedgehog.co.uk as recipient email address and select other service as the option. then follow prompts


.

Useful Advice and Programs
  
  Information
   Security & Protection Blog
   Prevention
   Using Autoruns
     System Restore
  Rss feeds
     Microsoft at Home
     MSRC
     Malware blog
Kaspersky online scanner
Take the Kaspersky Challenge: See what your current antivirus is missing. Our free online virus scanner is a great way to find out if you have any viruses or spyware on your machine without having to uninstall your current antivirus software or install a new one.

Most importantly, you can see what viruses your current antivirus software let slip through! Now works with ANY Java enabled browser
Stop killing hedgehogs with strimmers
User
Welcome, Guest. Please login or register.
Did you miss your activation email?
August 01, 2010, 03:34:30

Login with username, password and session length
secunia Software inspector

Google ads
RoboForm: Learn more...

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you.
In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

I run this site to help raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the PayPal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running
Powered by MySQL Powered by PHP Powered by SMF 1.1.11 | SMF © 2006-2009, Simple Machines LLC
TinyPortal v0.9.8 © Bloc 		Valid XHTML 1.0! Valid CSS!
Page created in 0.196 seconds with 32 queries.

Google visited last this page July 07, 2010, 21:27:00