September 17th, 2009, 08:13 AM
asee
New Member
Join Date: Sep 2009
O/S: Windows Vista
Posts: 1
PC has W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm virus - need help removing

Hello to all,

For the past few days my computer has been bogged down with slow load times on everything from operations to Internet browsing - including random pop-ups from IE7 when I solely use Firefox 3.5.3.

As of two days ago, I got a pop-up that said:

Remove the W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm virus from your computer

This problem was caused by W32/Gaobot.worm.gen.u - Win32/RBot.3eu!Worm, a known computer virus.
While I have tried to run my anti-virus software, it's seemingly not working. I cannot get Trend Micro PC-cillin Internet Security to quit, which means I cannot uninstall it either, despite several attempts (it just says 'Loading...').

I use MS Vista and I also keep getting the error message that the b.exe has stopped working.

I have hopped around forums looking for guidance, but haven't found a helpful string yet and I was hoping someone could help me identify how to fix this issue. The only action I've taken was to uninstall Viewpoint Media Player from my programs, as I saw that recommended a few times in other forum threads.

If possible, please help.
September 17th, 2009, 10:07 AM
touch
Malware Removal Team
Join Date: Jan 2007
O/S: Windows XP Pro
Posts: 3,595
Hello asee and welcome to CTH

We need to get a comprehensive report of what is present in your system.

Please download DDS: Here
to your Desktop and double-click on DDS.scr to run it.
If your security software includes script blocking features, please disable these before you run this utility.
There are details for disabling many programmes Here

When the scan has finished, two logs will open.
Copy and paste both reports in this topic.

The logs will be reasonably large so you may have to divide them into sections and make several posts to post them.

Before you provide them, we ask that you remove any P2P/file sharing programs if you have any, and this includes Torrent software, before we clean your computer.
October 29th, 2009, 11:59 AM
dominate20
New Member
Join Date: Oct 2009
Posts: 2
DDS (Ver_09-10-26.01) - NTFSX64
Run by nate at 6:45:33.95 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4057.2407 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_cce24a4c\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe
C:\Program Files (x86)\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Windows Live\Toolbar\wltuser.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\nate\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMCH0U2M\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php
uDefault_Page_URL = hxxp://www.msn.com
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~2\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files (x86)\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files (x86)\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files (x86)\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files (x86)\windows live\toolbar\wltcore.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files (x86)\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Desktop Software] "c:\program files (x86)\common files\supportsoft\bin\bcont.exe" /ini "c:\program files (x86)\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden
uRun: [TomTomHOME.exe] "c:\program files (x86)\tomtom home 2\TomTomHOMERunner.exe"
uRun: [RegistryMechanic] c:\program files (x86)\registry mechanic\RMTray.exe /S
uRun: [PopRock] c:\users\nate\appdata\local\temp\b.exe
uRun: [WMPNSCFG] c:\program files (x86)\windows media player\WMPNSCFG.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] "c:\program files (x86)\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Dell Webcam Central] "c:\program files (x86)\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files (x86)\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\program files (x86)\cozi express\CoziProtocolHandler.dll
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~2\mcafee\msk\MSKAPB~1.DLL
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO-X64: scriptproxy - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [Apoint] c:\program files\delltpad\Apoint.exe
mRun-x64: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe
mRun-x64: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun-x64: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun-x64: [Persistence] c:\windows\system32\igfxpers.exe
mRun-x64: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun-x64: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
mRun-x64: [IAAnotif] "c:\program files (x86)\intel\intel matrix storage manager\iaanotif.exe"

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2009-3-7 53488]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt64.inf_cce24a4c\AESTSr64.exe [2009-3-7 88576]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-24 155648]
R2 SeaPort;SeaPort;c:\program files (x86)\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx64coinst,serviceStartProc --> RUNDLL32.EXE ykx64coinst,serviceStartProc [?]
R3 NETw4v64;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw4v64.sys [2007-9-26 3196416]
R3 OA009Ufd;Creative Camera OA009 Upper Filter Driver;c:\windows\system32\drivers\OA009Ufd.sys [2009-3-6 159840]
R3 OA009Vid;Creative Camera OA009 Function Driver;c:\windows\system32\drivers\OA009Vid.sys [2009-3-19 311296]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk60x64.sys [2009-3-7 392192]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-5-3 93184]
S3 NETw3v64;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw3v64.sys [2008-1-20 3154432]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 Ph3xIB64;Philips 713x Inbox PCI TV Card;c:\windows\system32\drivers\Ph3xIB64.sys [2007-4-3 1418112]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2009-10-21 03:04:59 2621440 ----a-w- c:\windows\system32\wucltux.dll
2009-10-21 03:04:17 98816 ----a-w- c:\windows\system32\wudriver.dll
2009-10-21 03:04:17 87552 ----a-w- c:\windows\syswow64\wudriver.dll
2009-10-21 03:04:16 575704 ----a-w- c:\windows\syswow64\wuapi.dll
2009-10-21 03:04:16 35552 ----a-w- c:\windows\syswow64\wups.dll
2009-10-21 03:03:36 36864 ----a-w- c:\windows\system32\wuapp.exe
2009-10-21 03:03:36 33792 ----a-w- c:\windows\syswow64\wuapp.exe
2009-10-21 03:03:36 185416 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-21 03:03:36 171608 ----a-w- c:\windows\syswow64\wuwebv.dll
2009-10-21 01:24:06 0 d-----w- c:\programdata\Roxio
2009-10-19 16:43:32 418 ----a-w- c:\users\nate\Documents - Shortcut.lnk
2009-10-16 21:40:52 4682824 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 21:32:42 818688 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-16 21:32:42 604672 ----a-w- c:\windows\syswow64\WMSPDMOD.DLL
2009-10-16 05:30:00 268800 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-16 05:29:59 213504 ----a-w- c:\windows\syswow64\msv1_0.dll
2009-10-16 05:29:54 174592 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 05:29:51 82944 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 05:29:50 61440 ----a-w- c:\windows\syswow64\msasn1.dll
2009-10-07 06:50:32 0 d---a-w- c:\programdata\TEMP
2009-10-07 06:50:29 506368 ----a-w- c:\windows\syswow64\msxml.dll
2009-10-07 06:50:28 24576 ----a-w- c:\windows\syswow64\STKIT432.DLL
2009-10-07 06:50:28 1081616 ----a-w- c:\windows\syswow64\MSCOMCTL.OCX
2009-10-06 23:51:45 0 d-----w- c:\users\nate\appdata\roaming\Malwarebytes
2009-10-06 23:51:37 22104 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-06 23:51:37 0 d-----w- c:\programdata\Malwarebytes
2009-10-06 22:19:21 65536 --sha-w- c:\users\nate\ntuser.dat{26d929e6-b2bb-11de-b2f8-0023ae21a93a}.TM.blf
2009-10-06 22:19:21 524288 --sha-w- c:\users\nate\ntuser.dat{26d929e6-b2bb-11de-b2f8-0023ae21a93a}.TMContainer00000000000000000002.regtrans-ms
2009-10-06 22:19:21 524288 --sha-w- c:\users\nate\ntuser.dat{26d929e6-b2bb-11de-b2f8-0023ae21a93a}.TMContainer00000000000000000001.regtrans-ms
2009-10-06 10:34:27 0 d-sh--w- C:\found.000
2009-10-05 23:38:18 411368 ----a-w- c:\windows\syswow64\deploytk.dll
2009-10-05 23:38:17 149280 ----a-w- c:\windows\syswow64\javaws.exe
2009-10-05 23:38:17 145184 ----a-w- c:\windows\syswow64\javaw.exe
2009-10-05 23:38:17 145184 ----a-w- c:\windows\syswow64\java.exe
2009-10-05 22:48:59 0 d-----w- c:\users\nate\appdata\roaming\McAfee
2009-10-05 21:29:04 238960 ------w- c:\windows\system32\MpSigStub.exe
2009-10-05 21:22:17 0 d-----w- c:\windows\system32\EventProviders
2009-10-04 04:14:16 65536 --sha-w- c:\users\nate\ntuser.dat{61d5fca2-b099-11de-88f6-0023ae21a93a}.TM.blf
2009-10-04 04:14:16 524288 --sha-w- c:\users\nate\ntuser.dat{61d5fca2-b099-11de-88f6-0023ae21a93a}.TMContainer00000000000000000002.regtrans-ms
2009-10-04 04:14:16 524288 --sha-w- c:\users\nate\ntuser.dat{61d5fca2-b099-11de-88f6-0023ae21a93a}.TMContainer00000000000000000001.regtrans-ms
2009-10-04 03:49:04 0 d-----w- c:\programdata\Xerox
2009-10-04 03:37:23 0 d-----w- c:\users\nate\appdata\roaming\Reallusion
2009-10-04 03:36:26 0 d-----w- c:\programdata\Creative

==================== Find3M ====================

2009-10-20 21:05:52 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-20 21:05:52 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-10-20 21:05:50 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-05 23:05:56 80 ----a-w- c:\users\nate\appdata\roaming\wklnhst.dat
2009-09-16 14:22:40 49480 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22:40 308296 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22:40 102472 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:15:38 40904 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-08-31 14:03:21 375808 ----a-w- c:\windows\system32\psisdecd.dll
2009-08-31 14:03:20 558592 ----a-w- c:\windows\system32\EncDec.dll
2009-08-31 13:55:09 293376 ----a-w- c:\windows\syswow64\psisdecd.dll
2009-08-31 13:55:05 428544 ----a-w- c:\windows\syswow64\EncDec.dll
2009-08-28 12:51:05 32256 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 12:39:07 28672 ----a-w- c:\windows\syswow64\Apphlpdm.dll
2009-08-28 10:39:32 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-28 10:15:30 4240384 ----a-w- c:\windows\syswow64\GameUXLegacyGDFs.dll
2009-08-27 05:52:18 1147904 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:47:24 132096 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:47:23 77312 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\syswow64\wininet.dll
2009-08-27 05:22:15 1208832 ----a-w- c:\windows\syswow64\urlmon.dll
2009-08-27 05:20:52 206848 ----a-w- c:\windows\syswow64\occache.dll
2009-08-27 05:18:40 5940224 ----a-w- c:\windows\syswow64\mshtml.dll
2009-08-27 05:18:37 594432 ----a-w- c:\windows\syswow64\msfeeds.dll
2009-08-27 05:18:37 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2009-08-27 05:18:00 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2009-08-27 05:17:43 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2009-08-27 05:17:43 164352 ----a-w- c:\windows\syswow64\ieui.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2009-08-27 05:17:42 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2009-08-27 05:17:42 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2009-08-27 05:17:41 11069440 ----a-w- c:\windows\syswow64\ieframe.dll
2009-08-27 05:17:35 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-08-27 04:10:33 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 03:42:29 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2009-08-27 03:42:23 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2009-08-27 03:41:45 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2009-08-14 17:29:27 141312 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 17:29:26 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 16:29:41 17920 ----a-w- c:\windows\syswow64\netevent.dll
2009-08-14 16:29:41 104960 ----a-w- c:\windows\syswow64\netiohlp.dll
2009-08-14 15:13:04 10752 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 15:13:02 21504 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 15:13:01 12800 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 15:12:59 32256 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 15:12:59 23040 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 15:12:58 10240 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 15:12:57 11264 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:16:55 9728 ----a-w- c:\windows\syswow64\TCPSVCS.EXE
2009-08-14 14:16:55 17920 ----a-w- c:\windows\syswow64\ROUTE.EXE
2009-08-14 14:16:52 11264 ----a-w- c:\windows\syswow64\MRINFO.EXE
2009-08-14 14:16:51 27136 ----a-w- c:\windows\syswow64\NETSTAT.EXE
2009-08-14 14:16:50 19968 ----a-w- c:\windows\syswow64\ARP.EXE
2009-08-14 14:16:49 8704 ----a-w- c:\windows\syswow64\HOSTNAME.EXE
2009-08-14 14:16:49 10240 ----a-w- c:\windows\syswow64\finger.exe
2009-03-07 16:40:13 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-03-07 15:17:16 76 --sh--r- c:\windows\CT4CET.bin
2009-03-07 16:00:49 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 6:47:09.27 ===============
October 29th, 2009, 12:00 PM
dominate20
New Member
Join Date: Oct 2009
Posts: 2

DDS (Ver_09-10-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 3/7/2009 3:50:32 AM
System Uptime: 10/29/2009 6:25:12 AM (0 hours ago)

Motherboard: Dell Inc. | | 0G848F
Processor: Intel(R) Pentium(R) Dual CPU T3400 @ 2.16GHz | Microprocessor | 1000/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 283 GiB total, 212.531 GiB free.
E: is FIXED (NTFS) - 15 GiB total, 5.648 GiB free.
F: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}
Description: ADS Instant HDTV PCI
Device ID: ROOT\MEDIA\0000
Manufacturer: ADS Technologies
Name: ADS Instant HDTV PCI
PNP Device ID: ROOT\MEDIA\0000
Service: Ph3xIB64

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Intel(R) PRO/Wireless 3945ABG Network Connection
Device ID: ROOT\NET\0000
Manufacturer: Intel Corporation
Name: Intel(R) PRO/Wireless 3945ABG Network Connection
PNP Device ID: ROOT\NET\0000
Service: NETw4v64

==== System Restore Points ===================

==== Installed Programs ======================

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11.5
Advanced Audio FX Engine
Apple Software Update
Choice Guard
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Dell Getting Started Guide
Dell Video Chat (remove only)
Dell Webcam Central
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java(TM) 6 Update 15
Java(TM) 6 Update 7
Junk Mail filter update
LimeWire 5.1.2
Live! Cam Avatar Creator
McAfee SecurityCenter
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Works
MSN Toolbar
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
WildTangent Games
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer

==== End Of File ===========================
October 29th, 2009, 02:27 PM
touch
Malware Removal Team
Join Date: Jan 2007
O/S: Windows XP Pro
Posts: 3,595
Download The Avenger by Swandog46 from: here
Unzip/extract it to a folder on your desktop.
Double click on avenger.exe to run The Avenger.
Click OK.
Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
Copy all of the text in the below codebox to the clipboard by highlighting it and then pressing Ctrl+C.

Files to delete:
c:\users\nate\appdata\local\temp\b.exe

In the Avenger window, click the Paste Script from Clipboard button.
Click the Execute button.
You will be asked Are you sure you want to execute the current script?.
Click Yes.
You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
Click Yes.
Your PC will now be rebooted.
This log file will be located at C:\avenger.txt

Update Malwarebytes, run a complete scan and have it fix what it finds.

Please post that log along with C:\avenger.txt
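The Avenger script above targets the one autorun that the DDS Pseudo HJT Report shows running from the user's temp folder (uRun: [PopRock] c:\users\nate\appdata\local\temp\b.exe). As an added example that is not part of this thread, of DDS or of The Avenger, the script below applies that same triage to DDS report lines: it flags Run entries whose program lives in a temp folder and BHO/toolbar entries left as "No File". The heuristics, the function names and the excerpted sample are assumptions made for illustration.

```python
"""Triage helper for a DDS 'Pseudo HJT Report' (added example, not DDS's own code).

Encodes two checks a malware-removal helper applies by eye: a Run entry whose program
lives in a temp folder (rare for legitimate startup software; the PopRock/b.exe line in
this thread), and a BHO/toolbar entry reported as "No File" (an orphan left after a
removal). The heuristics are assumptions for illustration, not rules taken from DDS."""
import re
from typing import List, NamedTuple

# Excerpt constructed from the DDS log posted in the thread.
SAMPLE_REPORT = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [RegistryMechanic] c:\program files (x86)\registry mechanic\RMTray.exe /S
uRun: [PopRock] c:\users\nate\appdata\local\temp\b.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\java\jre6\bin\jusched.exe"
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [Apoint] c:\program files\delltpad\Apoint.exe
"""

class Finding(NamedTuple):
    severity: str  # "high" or "low"
    key: str       # DDS line prefix: uRun, mRun, mRun-x64, BHO, TB, ...
    name: str      # autorun value name, or the BHO/TB display name / CLSID
    path: str      # program path as written in the report ("" for orphans)
    reason: str

# uRun/mRun lines: "<key>: [<value name>] <command line>"
RUN_LINE = re.compile(r"^(?P<key>[um]Run(?:-x64)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)
# Leading program path, quoted or not, spaces allowed; it ends at the first executable
# extension followed by whitespace or end of line, so arguments such as "/S" are dropped.
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|com|bat|cmd|pif|vbs|js))"?(?:\s|$)', re.I)
# BHO/TB lines whose file is gone: "<key>: <name or CLSID> - No File"
ORPHAN_LINE = re.compile(r"^(?P<key>BHO|TB|BHO-X64|TB-X64): (?P<name>.+?) - No File$", re.I)

# Folders where legitimate startup programs very rarely live (compared lower-cased).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\programdata\\temp\\", "%temp%\\")

def extract_exe_path(cmd: str) -> str:
    """Return the program path of a Run command line, without quotes or arguments."""
    m = EXE_PATH.match(cmd.strip())
    return m.group("path") if m else cmd.strip()

def is_temp_location(path: str) -> bool:
    """True if the path points into one of the temp folders listed in TEMP_MARKERS."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)

def triage(report: str) -> List[Finding]:
    """Scan DDS report text and return the entries that merit a closer look, in report order."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        run = RUN_LINE.match(line)
        if run:
            path = extract_exe_path(run.group("cmd"))
            if is_temp_location(path):
                findings.append(Finding("high", run.group("key"), run.group("name"), path,
                                        "startup entry runs a program from a temp folder"))
            continue
        orphan = ORPHAN_LINE.match(line)
        if orphan:
            findings.append(Finding("low", orphan.group("key"), orphan.group("name"), "",
                                    "browser extension is registered but its file is missing"))
    return findings
```

Running `triage(SAMPLE_REPORT)` on the excerpt yields the two orphaned CLSID entries as low findings and the PopRock entry as the single high finding; the legitimate Program Files entries produce nothing.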
