Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Infector. EL


  • This topic is locked This topic is locked
13 replies to this topic

#1 Mike.H

Mike.H

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 14 June 2009 - 01:08 PM

HI,

I am having trouble with a virus I have picked up, this is not allowing AVG to remove it and it interupting my browser. Every time I open my browser AVG pops up telling me it has detected a threat, and i remove it to the Virus Vault, but alas it stays here! I have tried a system restore but it failed. This is a tricky one, I hope we can sort it. I was away for a week and it would appear that some downloading has been going on, but I have cleaned this up. Any help in removing this would be appreciated. Here is the DDS log.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Admin at 19:00:59.72 on 14/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1079 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\TOPI.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Admin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mURLSearchHooks: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
BHO: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\trdcre~1.lnk - c:\program files\toshiba\trdcreminder\TRDCReminder.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\netbat~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\runase~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\safemo~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: NameServer = 85.255.112.23,85.255.112.126
TCP: {5623E399-D976-4EEF-8BDF-0EF85146AA85} = 85.255.112.23,85.255.112.126
TCP: {9A9B7AD5-BCDD-4816-A062-29629679A0C8} = 85.255.112.23,85.255.112.126
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\y0kkgwk3.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-27 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-27 108552]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-5-4 20352]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-27 298776]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-8-27 210216]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-5-5 809296]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-27 24652]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-26 7168]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-5-4 937984]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2008-12-29 101504]

=============== Created Last 30 ================

2009-06-12 19:47 <DIR> --d----- c:\programdata\acccore
2009-06-12 19:47 <DIR> --d----- c:\progra~2\acccore
2009-06-12 19:45 <DIR> --d----- c:\program files\AIM6
2009-06-01 18:07 <DIR> --d----- c:\program files\Astonsoft
2009-05-29 12:14 <DIR> --d----- c:\program files\Vstplugins
2009-05-23 19:35 <DIR> --d----- c:\program files\CamStudio
2009-05-23 19:35 695,578 a------- c:\windows\system32\unins000.exe
2009-05-23 19:35 65,536 a------- c:\windows\system32\camcodec.dll
2009-05-23 19:35 1,643 a------- c:\windows\system32\unins000.dat
2009-05-23 19:35 1,078 a------- c:\windows\system32\camcodec.ico
2009-05-21 15:56 <DIR> --d----- c:\program files\Unlocker

==================== Find3M ====================

2009-05-02 09:53 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 09:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 09:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 17:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 17:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 14:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 13:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 13:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 12:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-08 09:32 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-03-17 04:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-17 04:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-17 04:38 24,064 a------- c:\windows\system32\amxread.dll
2009-01-21 12:25 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-21 12:25 51,200 a------- c:\windows\inf\infpub.dat
2009-01-21 12:25 86,016 a------- c:\windows\inf\infstor.dat
2008-06-12 20:06 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-04 19:41 56 a---h--- c:\programdata\ezsidmv.dat
2008-05-04 19:41 56 a---h--- c:\progra~2\ezsidmv.dat
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-25 10:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-25 10:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-25 10:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 19:02:23.02 ===============



Thank you very much, please get back to me because this is not my laptop, it's my brothers...He won't be happy to say the least, haha!Attached File  Attach.txt   3.92KB   9 downloads

Edited by Mike.H, 14 June 2009 - 01:11 PM.


BC AdBot (Login to Remove)

 


#2 Mike.H

Mike.H
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 17 June 2009 - 01:02 PM

Bump as it has been 72 hours now, thanks :thumbup2:

#3 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:28 AM

Posted 22 June 2009 - 05:12 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#4 Mike.H

Mike.H
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 22 June 2009 - 06:16 AM

Thanks for the reply. I am still having the problem described in the OP, here is the latest info from DDS.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Admin at 12:07:34.57 on 22/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1130 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Harvy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mURLSearchHooks: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
BHO: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\trdcre~1.lnk - c:\program files\toshiba\trdcreminder\TRDCReminder.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\netbat~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\runase~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\safemo~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: NameServer = 85.255.112.23,85.255.112.126
TCP: {5623E399-D976-4EEF-8BDF-0EF85146AA85} = 85.255.112.23,85.255.112.126
TCP: {9A9B7AD5-BCDD-4816-A062-29629679A0C8} = 85.255.112.23,85.255.112.126
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\y0kkgwk3.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-14 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-27 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-27 108552]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-5-4 20352]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-27 298776]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-8-27 210216]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-5-5 809296]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-27 24652]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-26 7168]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-5-4 937984]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2008-12-29 101504]

=============== Created Last 30 ================

2009-06-14 19:16 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-14 19:15 <DIR> --d----- c:\program files\Panda Security
2009-06-12 19:47 <DIR> --d----- c:\programdata\acccore
2009-06-12 19:47 <DIR> --d----- c:\progra~2\acccore
2009-06-12 19:45 <DIR> --d----- c:\program files\AIM6
2009-06-01 18:07 <DIR> --d----- c:\program files\Astonsoft
2009-05-29 12:14 <DIR> --d----- c:\program files\Vstplugins
2009-05-23 19:35 <DIR> --d----- c:\program files\CamStudio
2009-05-23 19:35 695,578 a------- c:\windows\system32\unins000.exe
2009-05-23 19:35 65,536 a------- c:\windows\system32\camcodec.dll
2009-05-23 19:35 1,643 a------- c:\windows\system32\unins000.dat
2009-05-23 19:35 1,078 a------- c:\windows\system32\camcodec.ico

==================== Find3M ====================

2009-05-02 09:53 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 09:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 09:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 17:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 17:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 14:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 13:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 13:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 12:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-08 09:32 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-21 12:25 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-21 12:25 51,200 a------- c:\windows\inf\infpub.dat
2009-01-21 12:25 86,016 a------- c:\windows\inf\infstor.dat
2008-06-12 20:06 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-04 19:41 56 a---h--- c:\programdata\ezsidmv.dat
2008-05-04 19:41 56 a---h--- c:\progra~2\ezsidmv.dat
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-25 10:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-25 10:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-25 10:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 12:08:57.41 ===============

Attached Files



#5 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:28 AM

Posted 22 June 2009 - 10:37 AM

Hello my name is Sempai and welcome to Bleeping Computer.

*We apologize for the delay. Forum have been busy.
*I want you to understand that I'm still in training. I will be working with my Coach so there's a possibility to have some delay between post.
*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.
*You must reply within 5 days otherwise this topic will be closed.

Your log will be analyzed and I will instruct you what to do next as soon as possible.


Dex :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#6 Mike.H

Mike.H
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 23 June 2009 - 10:41 AM

Thank you very much for the reply Sempai. I will not make any changes or run any tools at all.

Edited by Mike.H, 23 June 2009 - 10:41 AM.


#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:28 AM

Posted 24 June 2009 - 07:19 AM

Hello Mike.H,

Sorry for the delay.

1. Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.

alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.



2. Please create another DDS log for my analysis after the MBAM scan.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Please post the MBAM and the new DDS log on your next reply.


Dex :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 Mike.H

Mike.H
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 24 June 2009 - 11:29 AM

I have installed MBAM but it doesn't let me launch it, even in safe mode. :thumbup2:

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:28 AM

Posted 25 June 2009 - 06:22 AM

Hello Mike,

1. Let's try to rename MBAM and do a scan.

Go to C:>Program Files>Malwarebytes' Anti-Malware>mbam.exe and rename mbam.exe to find.exe

  • Launch Malwarebytes' Anti-Malware by double clicking find.exe or the shortcut of mbam on your desktop.
  • Update Malwarebytes' Anti-Malware
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.


2. Please create another DDS log for my analysis after the MBAM scan.

  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE


With Regards,
Dex :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#10 Mike.H

Mike.H
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 26 June 2009 - 08:22 AM

Thanks for the reply. I got MBAM to run and updated it manually, and it detected viruses and removed them but I am still being told by AVG that I am infected by trojan.infector.el. here is the MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2283
Windows 6.0.6001 Service Pack 1

26/06/2009 14:04:24
mbam-log-2009-06-26 (14-04-24).txt

Scan type: Quick Scan
Objects scanned: 79553
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5623e399-d976-4eef-8bdf-0ef85146aa85}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9a9b7ad5-bcdd-4816-a062-29629679a0c8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5623e399-d976-4eef-8bdf-0ef85146aa85}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9a9b7ad5-bcdd-4816-a062-29629679a0c8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{5623e399-d976-4eef-8bdf-0ef85146aa85}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{9a9b7ad5-bcdd-4816-a062-29629679a0c8}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.23,85.255.112.126 -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Delete on reboot.

DDS log


DDS (Ver_09-05-14.01) - NTFSx86
Run by Admin at 14:17:35.25 on 26/06/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1166 [GMT 1:00]

SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
c:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\AIM6\aim6.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Harvy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mURLSearchHooks: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
BHO: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: thechatterbox.cc Toolbar: {00b8e20c-5c71-4c2f-85a5-6ad541500df0} - c:\program files\thechatterbox.cc\tbthec.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [Toshiba Registration] c:\program files\toshiba\registration\ToshibaRegistration.exe
mRun: [jswtrayutil] "c:\program files\jumpstart\jswtrayutil.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\trdcre~1.lnk - c:\program files\toshiba\trdcreminder\TRDCReminder.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\netbat~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\runase~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
StartupFolder: c:\users\admin\appdata\roaming\micros~1\windows\startm~1\programs\startup\pokemo~1\safemo~1.lnk - c:\program files\netbattle supremacy\PokeBattle.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
TCP: NameServer = 85.255.112.23,85.255.112.126
TCP: {5623E399-D976-4EEF-8BDF-0EF85146AA85} = 85.255.112.23,85.255.112.126
TCP: {9A9B7AD5-BCDD-4816-A062-29629679A0C8} = 85.255.112.23,85.255.112.126
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admin\appdata\roaming\mozilla\firefox\profiles\y0kkgwk3.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-6-14 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-27 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-27 108552]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2008-5-4 20352]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-27 298776]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2007-12-25 40960]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-8-27 210216]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-5-5 809296]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-2-27 24652]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-2-26 7168]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe [2008-5-4 937984]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\system32\drivers\hmvmdm.sys [2008-12-29 101504]

=============== Created Last 30 ================

2009-06-24 17:16 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 17:16 <DIR> --d----- c:\programdata\Malwarebytes
2009-06-24 17:16 <DIR> --d----- c:\progra~2\Malwarebytes
2009-06-24 17:16 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-24 17:16 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 19:16 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-06-14 19:15 <DIR> --d----- c:\program files\Panda Security
2009-06-12 19:47 <DIR> --d----- c:\programdata\acccore
2009-06-12 19:47 <DIR> --d----- c:\progra~2\acccore
2009-06-12 19:45 <DIR> --d----- c:\program files\AIM6
2009-06-01 18:07 <DIR> --d----- c:\program files\Astonsoft
2009-05-29 12:14 <DIR> --d----- c:\program files\Vstplugins

==================== Find3M ====================

2009-05-23 19:40 1,643 a------- c:\windows\system32\unins000.dat
2009-05-23 19:40 695,578 a------- c:\windows\system32\unins000.exe
2009-05-02 09:53 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 09:53 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 09:53 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 17:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 17:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 14:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 13:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 13:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 12:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-08 09:32 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-21 12:25 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-21 12:25 51,200 a------- c:\windows\inf\infpub.dat
2009-01-21 12:25 86,016 a------- c:\windows\inf\infstor.dat
2008-06-12 20:06 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-04 19:41 56 a---h--- c:\programdata\ezsidmv.dat
2008-05-04 19:41 56 a---h--- c:\progra~2\ezsidmv.dat
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-10-25 10:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-10-25 10:03 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-10-25 10:03 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 14:18:52.56 ===============

Attached Files



#11 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:28 AM

Posted 27 June 2009 - 08:25 AM

Hello Mike,

Sorry for the delay, I can see you have Viewpoint Media Player installed.

1. Viewpoint Media Player is a web browser plug-in that enables users to view 3D content and other media.

It is bundled with AOL, AIM, versions of Netscape, certain Adobe products and sometimes not mentioned in the license agreement. Viewpoint is also bundled with Adobe Atmosphere and hardware manufacturers pre-install some of these applications.

Viewpoint Manager is used by various products of Viewpoint Corporation and is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager will access the internet and check for updates periodically. If it detects an update, it will automatically download and install the change. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting "Disable auto-updating for the Viewpoint Manager" -- the player will no longer attempt to check for updates. Although, Viewpoint is not technically malware it is considered to be foistware since it is often installed without a user's knowledge or approval.

If you want to remove it, please follow the following steps:

Go to Start > Run and copy/paste or type: taskmgr

  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab".
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder


2. We need to download and run ComboFix (by sUBs)

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

  • Temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**:

*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.


Warning!

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper, *** If your are not the topic starter DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


With regards,
Dex :thumbup2:

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#12 Mike.H

Mike.H
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:07:28 PM

Posted 27 June 2009 - 02:15 PM

Hi Dex, thanks a lot for the support. I chose not to remove that software, but I ran combofix. It would not allow me to open it at first, so I renamed it to fix.exe and it ran. The first time it came up with a message saying rootkit activity detected and rebooted, then said failed? Then I re-ran it but with my internet connection disabled and it ran succesfully and removed all the infections, what a great bit of kit, here is the log:

ComboFix 09-06-26.02 - Harvy 27/06/2009 19:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.993 [GMT 1:00]
Running from: c:\users\Harvy\Desktop\fix.exe
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\MSIVXcqputlvpoxyxuxpnvurlqfcspmlofoww.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXqfnhmykqhvxslpccbyqvseivxnbrboqx.dll
c:\windows\system32\MSIVXyfibbfumobsbmndlcltltviosstxirft.dll
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-05-27 to 2009-06-27 )))))))))))))))))))))))))))))))
.

2009-06-26 12:53 . 2009-06-26 12:53 -------- d-----w- c:\users\Harvy\AppData\Roaming\Malwarebytes
2009-06-24 16:16 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-24 16:16 . 2009-06-24 16:16 -------- d-----w- c:\programdata\Malwarebytes
2009-06-24 16:16 . 2009-06-26 12:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-24 16:16 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-14 18:16 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-06-14 18:15 . 2009-06-14 18:15 -------- d-----w- c:\program files\Panda Security
2009-06-14 17:49 . 2009-06-14 17:49 -------- d-----w- c:\users\Admin\AppData\Local\Mozilla
2009-06-12 20:19 . 2009-06-12 20:19 -------- d-----w- c:\users\Harvy\AppData\Roaming\acccore
2009-06-12 20:19 . 2009-06-12 20:19 -------- d-----w- c:\users\Harvy\AppData\Local\AOL OCP
2009-06-12 18:47 . 2009-06-12 18:47 -------- d-----w- c:\programdata\acccore
2009-06-12 18:45 . 2009-06-12 18:48 -------- d-----w- c:\program files\AIM6
2009-06-01 17:20 . 2009-06-01 17:20 -------- d-----w- c:\users\Harvy\AppData\Roaming\DeepBurner
2009-06-01 17:07 . 2009-06-01 17:07 -------- d-----w- c:\program files\Astonsoft
2009-05-29 11:14 . 2009-05-29 11:14 -------- d-----w- c:\program files\Vstplugins

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-27 18:52 . 2009-03-27 14:03 -------- d-----w- c:\programdata\avg8
2009-06-13 18:35 . 2008-12-29 14:43 -------- d-----w- c:\program files\Vodafone PC Assistant
2009-06-12 18:47 . 2009-02-27 17:06 -------- d-----w- c:\programdata\Viewpoint
2009-06-12 18:46 . 2009-02-27 17:06 -------- d-----w- c:\program files\Common Files\AOL
2009-06-12 17:13 . 2008-12-19 15:53 -------- d-----w- c:\users\Harvy\AppData\Roaming\Sony
2009-05-30 12:25 . 2008-05-04 18:39 -------- d-----w- c:\users\Harvy\AppData\Roaming\Skype
2009-05-30 10:22 . 2008-05-04 18:41 -------- d-----w- c:\users\Harvy\AppData\Roaming\skypePM
2009-05-29 11:13 . 2009-02-17 09:43 -------- d-----w- c:\programdata\Sony
2009-05-28 13:48 . 2008-12-19 15:49 -------- d-----w- c:\program files\Sony
2009-05-26 19:41 . 2008-12-21 14:28 -------- d-----w- c:\program files\Sony Setup
2009-05-23 18:40 . 2009-05-23 18:35 1643 ----a-w- c:\windows\system32\unins000.dat
2009-05-23 18:40 . 2009-05-23 18:35 695578 ----a-w- c:\windows\system32\unins000.exe
2009-05-23 18:35 . 2009-05-23 18:35 -------- d-----w- c:\program files\CamStudio
2009-05-21 15:34 . 2009-04-12 13:56 -------- d-----w- c:\program files\ffdshow
2009-05-21 15:32 . 2009-02-17 13:04 -------- d-----w- c:\program files\Crossfire Server
2009-05-21 14:56 . 2009-05-21 14:56 -------- d-----w- c:\program files\Unlocker
2009-05-21 10:33 . 2009-04-12 11:07 -------- d-----w- c:\program files\Total Video Converter
2009-05-02 08:53 . 2009-03-27 14:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-02 08:53 . 2009-03-27 14:03 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 08:53 . 2009-03-27 14:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-02 08:53 . 2009-03-27 14:03 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-24 16:05 . 2009-06-10 13:21 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-10 13:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-10 13:21 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-10 13:21 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-10 13:21 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-10 13:21 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-04-13 21:17 . 2009-04-13 21:17 0 ----a-w- c:\users\Admin\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-04-12 13:52 . 2008-05-04 12:52 114792 ----a-w- c:\users\Harvy\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-12 11:41 . 2009-01-24 10:08 114792 ----a-w- c:\users\Admin\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-08 08:32 . 2009-04-08 08:32 1060864 ----a-w- c:\windows\system32\MFC71.dll
2008-12-28 15:37 . 2008-05-04 13:34 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-28 15:37 . 2008-05-04 13:34 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-28 15:37 . 2008-05-04 13:34 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-28 15:37 . 2008-05-04 13:34 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-28 15:37 . 2008-05-04 13:34 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00b8e20c-5c71-4c2f-85a5-6ad541500df0}]
2008-11-23 23:03 1784856 ----a-w- c:\program files\thechatterbox.cc\tbthec.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-05 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-05 129560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
"topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-10-25 413696]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2007-10-31 54608]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-01-25 509816]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-29 4911104]
"NDSTray.exe"="NDSTray.exe" [BU]

c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2007-7-27 389120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1201809077-2759245389-1958983571-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B2783B11-E952-4E32-9AFC-EDAAFD28E570}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{A1B9B542-AC95-4438-9EDE-DBA737FB274D}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{E17CC7CB-FEBC-4CA4-9174-C8C77454F8B6}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{C5298F61-5C15-40A0-B9D1-08D20B2DE84D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{D7471CD4-EA3B-4F7C-8368-2C2696279594}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{AD11D1EC-0914-452C-AC88-221B6E8B5688}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{BA0591F9-C8F8-45E5-A687-4042E5ABC315}"= UDP:86:BroadCam Web Server
"TCP Query User{F067CDC5-7724-46FC-BAEE-CA2C14D6EA39}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{0C76E998-D659-442A-A38C-FB17083758FC}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{D220A8A5-36AD-450A-85C6-B4CE0063F0AA}c:\\users\\harvy\\desktop\\sppscript4\\mirc.exe"= UDP:c:\users\harvy\desktop\sppscript4\mirc.exe:mirc.exe
"UDP Query User{BB1C1716-DF07-467D-AFD3-C8B111AFEECD}c:\\users\\harvy\\desktop\\sppscript4\\mirc.exe"= TCP:c:\users\harvy\desktop\sppscript4\mirc.exe:mirc.exe
"TCP Query User{39FA38F0-429F-41AC-8668-94DCF13BA756}c:\\halo ce portable edition by am3n\\app\\haloceded.exe"= UDP:c:\halo ce portable edition by am3n\app\haloceded.exe:Halo
"UDP Query User{2E8A719C-EB6A-4A6B-997D-BB9032F0E6C2}c:\\halo ce portable edition by am3n\\app\\haloceded.exe"= TCP:c:\halo ce portable edition by am3n\app\haloceded.exe:Halo
"TCP Query User{46F1A0DD-84E9-4ED3-AC34-53C449AEB993}c:\\program files\\crossfire server\\crossfire32.exe"= UDP:c:\program files\crossfire server\crossfire32.exe:Crossfire server for Windows.
"UDP Query User{ED4C0C55-5450-4F4D-B334-8393FED8C8A6}c:\\program files\\crossfire server\\crossfire32.exe"= TCP:c:\program files\crossfire server\crossfire32.exe:Crossfire server for Windows.
"{DB4DBEA5-527F-4CBE-947C-ABD5590E2F20}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{81341370-E34D-4329-9D84-789FDF2CDFF4}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A66DFD84-EC2F-4570-9273-E155145DBFF6}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{10FC9B15-8840-4664-899A-0B21CB109DFC}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{930A8967-FCF7-4CD4-B165-32B9FD699E62}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{6837392F-3A22-4869-926E-390E8C0F0961}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{DF8A2B96-5828-4192-A4B7-050D9C64A9A7}"= UDP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"{004D6928-0BF1-4222-892B-B527F3E7ADCA}"= TCP:c:\program files\FrostWire\FrostWire.exe:FrostWire
"TCP Query User{FE643F6F-7FBA-4315-8AC8-8F1AD3D28F4F}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{C6519D2B-F03B-484F-9872-941B1AC89E42}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"{636CE830-3605-408B-AEAD-61C6D1F07629}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{A74D9DA1-9970-4A49-9AE1-74E4C966A9A5}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{AF0D52D5-2F53-45C7-B843-B959ED388914}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{C0B23833-A2EE-4D2F-AA71-B26BBCADF2E5}"= TCP:c:\program files\AIM6\aim6.exe:AIM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [14/06/2009 19:16 28544]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [27/03/2009 15:03 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [27/03/2009 15:03 108552]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\System32\drivers\jswpslwf.sys [04/05/2008 13:51 20352]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/03/2009 15:03 298776]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [25/12/2007 14:07 40960]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [27/08/2008 16:27 210216]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [05/05/2008 13:31 809296]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [03/12/2007 17:03 126976]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [27/02/2009 18:06 24652]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [26/02/2008 12:06 7168]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [04/05/2008 13:51 937984]
S3 MobileAdapter;Huawei Mobile Adapter USB Modem and USB Serial;c:\windows\System32\drivers\hmvmdm.sys [29/12/2008 15:45 101504]
.
Contents of the 'Scheduled Tasks' folder

2009-06-27 c:\windows\Tasks\User_Feed_Synchronization-{D113F444-675E-4871-9060-A2D25DEEC672}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-jswtrayutil - c:\program files\Jumpstart\jswtrayutil.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\users\Harvy\AppData\Roaming\Mozilla\Firefox\Profiles\ilofnds0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 20:03
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3256)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
c:\windows\System32\rundll32.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\program files\TOSHIBA\ConfigFree\CFSwMgr.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-06-27 20:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-27 19:07

Pre-Run: 25,748,189,184 bytes free
Post-Run: 25,640,042,496 bytes free

255 --- E O F --- 2009-06-14 12:47

How does it look? I am running smoothly now just to let you know. Thanks very much for all your time, I've learned a lot and you're certainly a giver - expect a donation to bleepingcomputer soon as I'm nipping off on holiday very shortly but will show some love for you what you great people do when I get back. Cheers!

#13 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:07:28 AM

Posted 28 June 2009 - 10:11 AM

Hi Mike,

Nice to know that your PC is running well, but there are still few more steps that needs to be done. :thumbup2:

1.Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case LimeWire and BitTorrent).

These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


2. Enter your control panel and double click on Network Connections.

Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.


3. We need to execute a ComboFix script.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

File::
c:\windows\system32\unins000.dat
c:\windows\system32\unins000.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1201809077-2759245389-1958983571-1000]
"EnableNotificationsRef"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


4. Please do an online scan with

Kaspersky WebScanner
Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


With regards,
Dex :)

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#14 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:28 PM

Posted 03 July 2009 - 10:22 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users