  1. #1


    Join Date : Mar 2009
    Posts : 3

    It all started when I made a scan with "Malwarebytes" and I deleted the files that were infected with a Trojan. Afterwards I lost my access or function to my Local Disk, System Restore (restore points), and for some time I lost audio plus anything that had to do with the internet (but got them back :3). But I don't know how to get the function of my Local Disk and System Restore back. So my question is how do I get those back? If anyone can help I would greatly appreciate the help.

    Here's the log Malwarebytes did after the files were deleted; I hope it helps:

    Malwarebytes' Anti-Malware 1.31
    Database version: 1483
    Windows 5.1.2600 Service Pack 2

    3/1/2009 5:13:24 PM
    mbam-log-2009-03-01 (17-13-24).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 167273
    Time elapsed: 2 hour(s), 9 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3ab8ab33-9605-489c-9b20-10806d057441}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3ab8ab33-9605-489c-9b20-10806d057441}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3ab8ab33-9605-489c-9b20-10806d057441}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{6746008A-8B9A-4710-A3DF-8D61CAF8B975}\RP169\A0038733.exe (Trojan.Agent) -> Quarantined and deleted successfully.

  2. #2


    Join Date : Sep 2008
    Posts : 2,891

    Re: PC isn't working like it should (Malwareby

    Welcome BrutalWaffle!

    I'm sorry - what do you mean by you lost "function to your local disk"?

    I see DNSChanger in your Malwarebytes log. We need to ensure that is gone as well as scan for other issues.

    Please go to a DOS prompt - Start -> Run -> cmd {enter}. At the resulting prompt please type

    ipconfig /flushdns {enter}

    Exit DOS and reboot please.

    Please download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please download from one of these webpages:
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://www.forospyware.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
    Double-click on ComboFix.exe & follow the prompts.
    If it will not run rename Combofix to xxx.exe and run that.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Recovery Console can be installed from your disc if you have Vista if you wish.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes to continue scanning for malware.
    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
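Reply #2 wants confirmation that the DNSChanger entries are really gone, and the Malwarebytes log above shows why that takes more than one look: the same two resolver addresses were written into ControlSet001, ControlSet003 and the CurrentControlSet link, per-machine and per-interface. The script below is an added example, not code from this thread or from Malwarebytes. It parses the "Registry Data Items Infected" section of a Malwarebytes log (the sample is constructed in the log's layout from three of the six lines above), reports which control sets carried a rewritten NameServer value, and lists every resolver address that is not on an allowlist you supply. The 192.168.1.1 allowlist entry is a constructed placeholder for the router address the machine should actually be using. Checking the numbered control sets and not only CurrentControlSet matters because a Last Known Good boot selects one of the numbered sets.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the layout of the Malwarebytes log posted above: three of
# the six NameServer hits, plus a following section that the parser must ignore.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3ab8ab33-9605-489c-9b20-10806d057441}\NameServer (Trojan.DNSChanger) -> Data: 85.255.116.130,85.255.112.191 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# "<registry path> (<detection name>)" is the part before " -> Data: "
HEAD_RE = re.compile(r"^(?P<key>\S+) \((?P<threat>[^)]+)\)$")
CONTROL_SET_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\")
INTERFACE_RE = re.compile(r"\\Interfaces\\(\{[^}]+\})\\")

Record = Dict[str, Optional[str]]


def parse_registry_data_items(log_text: str) -> List[Record]:
    """One record per line of the 'Registry Data Items Infected' section."""
    items: List[Record] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):      # any section header switches context
            in_section = line == "Registry Data Items Infected:"
            continue
        if not in_section or not line or line.startswith("("):
            continue
        head, sep, rest = line.partition(" -> Data: ")
        match = HEAD_RE.match(head)
        if not sep or not match:
            continue                        # not in the expected layout; skip it
        data, _, action = rest.partition(" -> ")
        key = match.group("key")
        control_set = CONTROL_SET_RE.search(key)
        interface = INTERFACE_RE.search(key)
        items.append({
            "key": key,
            "value": key.rsplit("\\", 1)[-1],   # registry value name, e.g. NameServer
            "threat": match.group("threat"),
            "data": data.strip(),
            "action": action.strip().rstrip("."),
            "control_set": control_set.group(1) if control_set else None,
            "interface": interface.group(1) if interface else None,
        })
    return items


def affected_control_sets(items: List[Record]) -> Set[str]:
    """Every control set in which a NameServer value had been rewritten."""
    return {item["control_set"] for item in items
            if item["value"] == "NameServer" and item["control_set"]}


def rogue_resolvers(items: List[Record], expected: Set[str]) -> Set[str]:
    """Resolver addresses written into NameServer that are not on your allowlist."""
    found: Set[str] = set()
    for item in items:
        if item["value"] != "NameServer" or not item["data"]:
            continue
        for address in item["data"].split(","):
            address = address.strip()
            if address and address not in expected:
                found.add(address)
    return found


if __name__ == "__main__":
    parsed = parse_registry_data_items(SAMPLE_LOG)
    # 192.168.1.1 is a constructed stand-in for the resolver the machine should use
    print("control sets touched:", sorted(affected_control_sets(parsed)))
    print("unexpected resolvers:", sorted(rogue_resolvers(parsed, {"192.168.1.1"})))
```

Run it against a saved mbam-log file by reading the file into `parse_registry_data_items`; an empty set from `rogue_resolvers` on a fresh post-cleanup scan, together with `ipconfig /flushdns` to drop cached answers from the old resolvers, is the evidence reply #2 is asking for.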

  3. #3


    Join Date : Mar 2009
    Posts : 3

    Re: PC isn't working like it should (Malwareby

    During the scan it said to write this down:
    C:\WINDOWS\system32\drivers\gaopdxduwyrjoo.sys
    C:\WINDOWS\system32\drivers\gaopdxdulktkeg.dll

    And this is the txt:

    C:\Combofix.txt

    ComboFix 09-03-02.01 - willy guerra 2009-03-02 16:19:17.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.275 [GMT -5:00]
    Running from: c:\documents and settings\willy guerra\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Autorun.inf
    c:\documents and settings\willy guerra\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
    c:\recycler\S-2-3-98-100014573-100012714-100030910-5118.com
    c:\windows\system32\dgjlm.ini
    c:\windows\system32\dgjlm.ini2
    c:\windows\system32\drivers\gaopdxmnmmnrhe.sys
    c:\windows\system32\drivers\gaopdxusdmtbbp.sys
    c:\windows\system32\drivers\gaopdxxuwyrjoo.sys
    c:\windows\system32\drivers\gaopdxydxuhamx.sys
    c:\windows\system32\gaopdxcounter
    c:\windows\system32\gaopdxdulktkeg.dll
    c:\windows\system32\jjjlm.ini
    c:\windows\system32\jjjlm.ini2
    c:\windows\system32\jwgurwhn.ini
    c:\windows\system32\ldjoywos.ini
    c:\windows\system32\nogayeda.dll
    c:\windows\system32\npdbollo.ini
    c:\windows\system32\rybouram.ini
    c:\windows\system32\teqyqdpr.ini
    c:\windows\system32\wiwejive.dll
    c:\windows\system32\xmoidhhq.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gaopdxserv.sys


    ((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
    .

    2009-03-01 19:18 . 2009-03-01 23:42 <DIR> d-------- c:\windows\system32\NtmsData
    2009-02-28 13:27 . 2009-02-28 13:27 <DIR> d-------- c:\program files\iTunes
    2009-02-28 13:27 . 2009-02-28 13:27 <DIR> d-------- c:\program files\iPod
    2009-02-28 13:27 . 2009-02-28 13:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-02-28 13:26 . 2009-02-28 13:26 <DIR> d-------- c:\program files\Bonjour
    2009-02-27 16:58 . 2009-02-27 16:58 <DIR> d-------- c:\program files\LiveUpdate
    2009-02-27 16:57 . 2004-08-03 23:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys
    2009-02-27 16:57 . 2004-08-03 23:08 25,600 --a--c--- c:\windows\system32\dllcache\usbser.sys
    2009-02-27 16:56 . 2009-02-27 16:57 <DIR> d-------- c:\program files\mobile PhoneTools
    2009-02-27 16:56 . 2009-02-27 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
    2009-02-27 16:55 . 2009-02-27 16:55 <DIR> d-------- c:\program files\Motorola
    2009-02-25 17:06 . 2009-02-25 22:26 <DIR> d-------- C:\EasyVideoConvert
    2009-02-25 17:04 . 2009-02-25 22:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-02-25 17:04 . 1999-09-10 12:06 45,056 --a------ c:\windows\system32\WNASPI32.DLL
    2009-02-25 17:04 . 1999-09-10 12:06 25,244 --a------ c:\windows\system32\drivers\ASPI32.SYS
    2009-02-25 17:04 . 1999-09-10 12:06 5,600 --a------ c:\windows\system\WINASPI.DLL
    2009-02-25 17:04 . 1999-09-10 12:06 4,672 --a------ c:\windows\system\WOWPOST.EXE
    2009-02-22 23:49 . 2009-03-01 18:40 <DIR> d-------- c:\program files\Perfect World Entertainment
    2009-02-22 23:46 . 2005-05-10 18:54 258,352 --a------ c:\windows\system32\unicows.dll
    2009-02-22 22:02 . 2009-02-22 23:28 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\GetRightToGo
    2009-02-21 19:34 . 2009-02-21 19:50 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\IMVUClient
    2009-02-21 19:34 . 2009-02-28 16:43 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\IMVU
    2009-02-21 18:27 . 2009-02-21 18:28 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\SecondLife
    2009-02-19 21:10 . 2009-02-19 21:10 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\Yahoo!
    2009-02-19 21:10 . 2009-02-19 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-02-19 21:08 . 2009-02-19 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-02-16 19:21 . 2009-02-16 19:21 <DIR> d-------- c:\program files\DownloadToolz
    2009-02-11 01:00 . 2009-02-11 01:00 <DIR> d-------- C:\1a392c5d785ec320221663
    2009-02-10 21:24 . 2009-01-07 08:47 5,699,584 --a------ c:\windows\system32\SET163.tmp
    2009-02-10 19:13 . 2009-02-10 19:13 42,320 --a------ c:\windows\system32\xfcodec.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-02 21:01 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-28 18:27 --------- d-----w c:\program files\Common Files\Apple
    2009-02-28 18:25 --------- d-----w c:\program files\QuickTime
    2009-02-27 21:58 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-27 04:15 --------- d-----w c:\program files\AIMTunes
    2009-02-22 17:00 --------- d-----w c:\program files\Xfire
    2009-02-21 23:08 --------- d-----w c:\documents and settings\willy guerra\Application Data\Xfire
    2009-02-20 02:10 --------- d-----w c:\program files\Yahoo!
    2009-02-12 05:00 --------- d-----w c:\documents and settings\willy guerra\Application Data\MegauploadToolbar
    2009-02-11 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-08 20:31 --------- d-----w c:\documents and settings\willy guerra\Application Data\McAfee
    2009-01-18 21:35 --------- d-----w c:\program files\Windows Live
    2009-01-18 21:34 --------- d-----w c:\program files\Windows Live Toolbar
    2009-01-18 07:45 --------- d-----w c:\program files\Java
    2009-01-18 07:35 --------- d-----w c:\program files\Guild Wars
    2009-01-11 03:17 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
    2009-01-11 03:16 --------- d-----w c:\program files\Messenger Plus! Live
    2009-01-09 04:03 --------- d-----w c:\program files\Common Files\Adobe
    2008-03-27 03:38 22,328 ------w c:\documents and settings\willy guerra\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-02-19 418632]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-31 185896]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

    c:\documents and settings\willy guerra\Start Menu\Programs\Startup\
    Alienware News Feed.lnk - c:\program files\Stardock\DesktopGadgets\Alienware News Feed\Alienware News Feed.exe [2008-05-18 523952]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\windows\system32\logonui.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
    "c:\\Program Files\\Xfire\\xfire.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo Server\\haloded.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\ijji\\ENGLISH\\u_gunz.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
    "c:\\Program Files\\iPod\\bin\\iPodService.exe"=
    "c:\\WINDOWS\\system32\\dumprep.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\VMLaunch\BuddyVM.sys [2004-10-05 15872]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-03-07 24652]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{E967A704-1E1A-4A75-B6CD-78237E5734DC} - c:\windows\system32\mljgd.dll
    BHO-{F598474E-0CF0-4520-BA43-ED847C0CBC96} - c:\windows\system32\mljjj.dll
    HKCU-Run-Aim6 - (no file)


    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\willy guerra\Start Menu\Programs\IMVU\Run IMVU.lnk
    FF - ProfilePath - c:\documents and settings\willy guerra\Application Data\Mozilla\Firefox\Profiles\wuw9jb3w.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.deviantart.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-02 16:26:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-789336058-299502267-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(572)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-02 16:31:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-02 21:30:22

    Pre-Run: 46,796,251,136 bytes free
    Post-Run: 46,992,056,320 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    220 --- E O F --- 2009-02-25 05:29:18

  4. #4


    Join Date : Sep 2008
    Posts : 2,891

    Re: PC isn't working like it should (Malwareby

    Brutal,

    Are you familiar with BlizzardDownloader? I'm trying to determine if that is legit or not...

    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
    It's IMPORTANT to carry out the instructions in the sequence listed below.
    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    Open *notepad* and copy/paste the text in the quotebox below into it:

    File::

    C:\WINDOWS\system32\drivers\gaopdxdulktkeg.dll
    c:\windows\system32\SET163.tmp

    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt
    Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

    *Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

    When that is complete, please run https://www.grc.com/x/ne.dll?bh0bkyd2. I'll take resulting logs when you have them. Thanks!
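Reply #4 pulls the two Blizzard Downloader exceptions out of the ComboFix log in reply #3 and asks the user to confirm they are expected, which is the right question to ask of every firewall and Security Center line ComboFix prints under "Reg Loading Points". The script below is an added example, not code from the thread or from ComboFix. It parses the REGEDIT4-style section (the sample is a constructed excerpt in the same layout as the log above) and returns the settings a reviewer should confirm are intentional: the standard-profile firewall being off, suppressed Security Center update notifications, and each globally open port together with the label attached to it, so that an unfamiliar label stands out the way "Blizzard Downloader" did here.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the ComboFix "Reg Loading Points" section above.
SAMPLE_SECTION = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')


def parse_reg_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key] header (lower-cased) to its "name"=data lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key").lower()
            sections.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            sections[current][value_match.group("name")] = value_match.group("data").strip()
    return sections


def review_findings(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """(setting, why it needs confirming) for the firewall and Security Center entries."""
    findings: List[Tuple[str, str]] = []
    for key, values in sections.items():
        if key.endswith("security center") and values.get("UpdatesDisableNotify") == "dword:00000001":
            findings.append(("UpdatesDisableNotify", "Security Center update notifications are suppressed"))
        if key.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append(("EnableFirewall", "Windows Firewall is off for the standard profile"))
        if key.endswith("globallyopenports\\list"):
            # data looks like "3724:TCP:Blizzard Downloader"; pad so a short entry still unpacks
            for data in values.values():
                port, proto, label = (data.split(":", 2) + ["", ""])[:3]
                findings.append((f"open port {port}/{proto}", f"exception labelled '{label}'"))
    return findings


if __name__ == "__main__":
    for setting, detail in review_findings(parse_reg_sections(SAMPLE_SECTION)):
        print(f"{setting}: {detail}")
```

Feed it the whole ComboFix.txt; lines outside the bracketed sections are ignored, and the Run/Startup entries are kept in the returned mapping so they can be reviewed the same way once you decide what belongs on the machine.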

  5. #5


    Join Date : Mar 2009
    Posts : 3

    Re: PC isn't working like it should (Malwareby

    I've heard about BlizzardDownloader, but never used it and I don't know much about it.

    Combofix

    ComboFix 09-03-02.01 - willy guerra 2009-03-02 17:23:02.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.221 [GMT -5:00]
    Running from: c:\documents and settings\willy guerra\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\willy guerra\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    c:\windows\system32\drivers\gaopdxdulktkeg.dll
    c:\windows\system32\SET163.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\SET163.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 )))))))))))))))))))))))))))))))
    .

    2009-03-01 19:18 . 2009-03-01 23:42 <DIR> d-------- c:\windows\system32\NtmsData
    2009-02-28 13:27 . 2009-02-28 13:27 <DIR> d-------- c:\program files\iTunes
    2009-02-28 13:27 . 2009-02-28 13:27 <DIR> d-------- c:\program files\iPod
    2009-02-28 13:27 . 2009-02-28 13:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-02-28 13:26 . 2009-02-28 13:26 <DIR> d-------- c:\program files\Bonjour
    2009-02-27 16:58 . 2009-02-27 16:58 <DIR> d-------- c:\program files\LiveUpdate
    2009-02-27 16:57 . 2004-08-03 23:08 25,600 --a------ c:\windows\system32\drivers\usbser.sys
    2009-02-27 16:57 . 2004-08-03 23:08 25,600 --a--c--- c:\windows\system32\dllcache\usbser.sys
    2009-02-27 16:56 . 2009-02-27 16:57 <DIR> d-------- c:\program files\mobile PhoneTools
    2009-02-27 16:56 . 2009-02-27 17:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
    2009-02-27 16:55 . 2009-02-27 16:55 <DIR> d-------- c:\program files\Motorola
    2009-02-25 17:06 . 2009-02-25 22:26 <DIR> d-------- C:\EasyVideoConvert
    2009-02-25 17:04 . 2009-02-25 22:13 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-02-25 17:04 . 1999-09-10 12:06 45,056 --a------ c:\windows\system32\WNASPI32.DLL
    2009-02-25 17:04 . 1999-09-10 12:06 25,244 --a------ c:\windows\system32\drivers\ASPI32.SYS
    2009-02-25 17:04 . 1999-09-10 12:06 5,600 --a------ c:\windows\system\WINASPI.DLL
    2009-02-25 17:04 . 1999-09-10 12:06 4,672 --a------ c:\windows\system\WOWPOST.EXE
    2009-02-22 23:49 . 2009-03-01 18:40 <DIR> d-------- c:\program files\Perfect World Entertainment
    2009-02-22 23:46 . 2005-05-10 18:54 258,352 --a------ c:\windows\system32\unicows.dll
    2009-02-22 22:02 . 2009-02-22 23:28 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\GetRightToGo
    2009-02-21 19:34 . 2009-02-21 19:50 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\IMVUClient
    2009-02-21 19:34 . 2009-02-28 16:43 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\IMVU
    2009-02-21 18:27 . 2009-02-21 18:28 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\SecondLife
    2009-02-19 21:10 . 2009-02-19 21:10 <DIR> d-------- c:\documents and settings\willy guerra\Application Data\Yahoo!
    2009-02-19 21:10 . 2009-02-19 21:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2009-02-19 21:08 . 2009-02-19 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo!
    2009-02-16 19:21 . 2009-02-16 19:21 <DIR> d-------- c:\program files\DownloadToolz
    2009-02-11 01:00 . 2009-02-11 01:00 <DIR> d-------- C:\1a392c5d785ec320221663
    2009-02-10 19:13 . 2009-02-10 19:13 42,320 --a------ c:\windows\system32\xfcodec.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-02 21:01 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-28 18:27 --------- d-----w c:\program files\Common Files\Apple
    2009-02-28 18:25 --------- d-----w c:\program files\QuickTime
    2009-02-27 21:58 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-27 04:15 --------- d-----w c:\program files\AIMTunes
    2009-02-22 17:00 --------- d-----w c:\program files\Xfire
    2009-02-21 23:08 --------- d-----w c:\documents and settings\willy guerra\Application Data\Xfire
    2009-02-20 02:10 --------- d-----w c:\program files\Yahoo!
    2009-02-12 05:00 --------- d-----w c:\documents and settings\willy guerra\Application Data\MegauploadToolbar
    2009-02-11 20:05 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-08 20:31 --------- d-----w c:\documents and settings\willy guerra\Application Data\McAfee
    2009-01-18 21:35 --------- d-----w c:\program files\Windows Live
    2009-01-18 21:34 --------- d-----w c:\program files\Windows Live Toolbar
    2009-01-18 07:46 410,984 ----a-w c:\windows\system32\deploytk.dll
    2009-01-18 07:45 --------- d-----w c:\program files\Java
    2009-01-18 07:35 --------- d-----w c:\program files\Guild Wars
    2009-01-11 03:17 --------- d-----w c:\documents and settings\All Users\Application Data\Messenger Plus!
    2009-01-11 03:16 --------- d-----w c:\program files\Messenger Plus! Live
    2009-01-09 04:03 --------- d-----w c:\program files\Common Files\Adobe
    2009-01-02 21:40 265,488 ----a-w c:\windows\system32\rn.tmp
    2008-03-27 03:38 22,328 ------w c:\documents and settings\willy guerra\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-02-19 418632]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4363504]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-31 185896]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]

    c:\documents and settings\willy guerra\Start Menu\Programs\Startup\
    Alienware News Feed.lnk - c:\program files\Stardock\DesktopGadgets\Alienware News Feed\Alienware News Feed.exe [2008-05-18 523952]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\windows\system32\logonui.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
    "c:\\Program Files\\Xfire\\xfire.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
    "c:\\Program Files\\Microsoft Games\\Halo Server\\haloded.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "c:\\ijji\\ENGLISH\\u_gunz.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
    "c:\\Program Files\\iPod\\bin\\iPodService.exe"=
    "c:\\WINDOWS\\system32\\dumprep.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    R2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;c:\program files\VMLaunch\BuddyVM.sys [2004-10-05 15872]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-03-07 24652]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-24 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\willy guerra\Start Menu\Programs\IMVU\Run IMVU.lnk
    FF - ProfilePath - c:\documents and settings\willy guerra\Application Data\Mozilla\Firefox\Profiles\wuw9jb3w.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.deviantart.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
    FF - prefs.js: network.proxy.type - 4
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-02 17:25:34
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-789336058-299502267-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(572)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-03-02 17:29:35
    ComboFix-quarantined-files.txt 2009-03-02 22:28:18
    ComboFix2.txt 2009-03-02 21:31:42

    Pre-Run: 47,002,898,432 bytes free
    Post-Run: 46,999,855,104 bytes free

    178 --- E O F --- 2009-02-25 05:29:18

    Hijack Log



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:56:00 PM, on 3/2/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18241)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Stardock\CursorFX\CursorFX.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: Alienware News Feed.lnk = C:\Program Files\Stardock\DesktopGadgets\Alienware News Feed\Alienware News Feed.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\willy guerra\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7070 bytes

  6. #6


    Join Date : Sep 2008
    Posts : 2,891

    Re: PC isnt working like it should (Malwareby

    Brutal,

    Because of the below entries showing Blizzard Downloader on your system, I want to make sure that you run the ShieldsUp tool from the below link. That will ensure that the appropriate ports are closed on your system.

    Quote Originally Posted by DCiAdmin, post: 349077

    Are you familiar with BlizzardDownloader? I'm trying to determine if that is legit or not...

    "3724:TCP"= 3724:TCP:Blizzard Downloader
    "6112:TCP"= 6112:TCP:Blizzard Downloader

    When that is complete, please run https://www.grc.com/x/ne.dll?bh0bkyd2. I'll take resulting logs when you have them. Thanks!
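The firewall-policy entries DCiAdmin is asking about come straight out of the ComboFix log (the `GloballyOpenPorts` and `AuthorizedApplications` lists under the `sharedaccess` key). ShieldsUp checks the result from the outside; the following is an added helper-side example, not code from the forum or from ComboFix, that pulls the same facts out of the log text so a helper can see which ports are opened globally and which authorised programs live outside the usual install roots. The `AuthorizedApplications` header is assumed (it sits above the excerpt quoted in the thread); the entries are copied from the log, and the "unusual location" check is a heuristic of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the AuthorizedApplications header is assumed (it is
# above the part of the ComboFix log quoted in the thread); the entries
# under both headers are copied from the log in the thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\ijji\\ENGLISH\\u_gunz.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\~\...\List]
ENTRY_RE = re.compile(r'^"(.+?)"=\s*(.*)$')      # "key"= value


@dataclass
class OpenPort:
    port: int
    protocol: str
    name: str


@dataclass
class FirewallPolicy:
    authorized_apps: List[str] = field(default_factory=list)
    open_ports: List[OpenPort] = field(default_factory=list)


def parse_firewall_policy(text: str) -> FirewallPolicy:
    """Collect the XP firewall exceptions printed in a ComboFix log."""
    policy = FirewallPolicy()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        entry = ENTRY_RE.match(line)
        if not entry or "firewallpolicy" not in section:
            continue
        key, value = entry.group(1), entry.group(2)
        if section.endswith("authorizedapplications\\list"):
            # ComboFix prints the path registry-export style, with doubled backslashes.
            policy.authorized_apps.append(key.replace("\\\\", "\\"))
        elif section.endswith("globallyopenports\\list"):
            # Value format is port:protocol:display name.
            port, proto, name = value.split(":", 2)
            policy.open_ports.append(OpenPort(int(port), proto.upper(), name))
    return policy


# Heuristic (this example's assumption): programs installed under these roots
# are the common case; anything elsewhere deserves a second look, because a
# firewall exception outlives the program that created it.
TRUSTED_PREFIXES: Tuple[str, ...] = ("c:\\program files\\", "c:\\windows\\")


def unusual_app_locations(apps: List[str],
                          trusted_prefixes: Tuple[str, ...] = TRUSTED_PREFIXES) -> List[str]:
    """Authorised applications that do not live under a trusted install root."""
    return [a for a in apps if not a.lower().startswith(trusted_prefixes)]


def report(policy: FirewallPolicy) -> List[str]:
    """Human-readable triage lines for a helper to paste into a reply."""
    lines = [f"Globally open ports: {len(policy.open_ports)}"]
    lines += [f"  {p.port}/{p.protocol}  ({p.name})" for p in policy.open_ports]
    odd = unusual_app_locations(policy.authorized_apps)
    lines.append(f"Authorised apps outside the usual install roots: {len(odd)}")
    lines += [f"  {a}" for a in odd]
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_firewall_policy(SAMPLE_LOG))))
```

Both Blizzard ports come back as globally open TCP ports, and the two game launchers under `c:\ijji` and `All Users\Application Data` are the ones the location heuristic flags; whether they are legitimate is still the user's call, which is exactly the question DCiAdmin asks above.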

  7. #7

    Re: PC isnt working like it should (Malwareby

    Hello,

    I'm just following up. Do you still require assistance in removing your malware? Or can we put this one to bed?

    If you are still in need of assistance please follow the procedure located at the top of the forum.

    Regards,
    Crush
    PCHF Security Team Leader

  8. #8

    Re: PC isnt working like it should (Malwareby

    Hello,

    This thread has been moved into the Unfinished HJT forum due to inactivity. Please follow the procedure at the top of the forum if you still require assistance.

    Regards,
    Crush
    PCHF Security Team Leader