Possible Malware Infection *Pictures Inside*

#1 shigeru


Posted 16 July 2009 - 03:19 AM

A friend dropped off his PC at my house today, telling me that he thinks it's contracted some malware/adware/spyware, as it began to behave strangely soon after he mistakenly clicked on a possibly malicious ad.

Long story short (as his descriptions were vague and I was not able to recreate what he experienced with the laptop):

This is what I know so far:

At one point he had accidentally installed the rogue anti-spyware program called MalwareRemoverBot. I know this because I found the .exe installer for the software on his desktop. I did not find the program under "Add/Remove Programs", but I deleted the exe installer.

The laptop has been infected to where regedit was disabled, and user rights and privileges seem to have been lowered, ESPECIALLY when attempting to run HijackThis or Spybot Search and Destroy. As shown here:
Posted Image

The laptop definitely has some startup objects that are malicious, though the user rights have also been lowered to where I cannot edit and remove those startup objects via MSCONFIG.

The laptop seems to have more than one infection, as when I ran AVG Free 8.5 (after quickly installing it and running it) it showed me the following results:
Posted Image

Here is a screenshot of the results from his preinstalled antivirus suite (McAfee):
Posted Image

This final screenshot I recently took from the Quarantine screen of "Malwarebytes Anti-Malware" after running a full, thorough scan:
Posted Image
As you can see, that screenshot is a prime example of the sheer amount of infections this laptop was carrying. I hope that it helps in determining a course of action to completely clean the rest that may be remaining in this machine.

A picture says a thousand words; I presume those are more helpful than me trying to type out what infections are specifically on this machine.

Now, as for the DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Wendy at 3:32:59.00 on Thu 07/16/2009
Internet Explorer: 7.0.5730.11

============== Running Processes ===============

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Page =
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [reader_s] c:\documents and settings\wendy\reader_s.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [2Wire Wireless Manager] "c:\program files\2wire wireless manager\2Wire.exe" -a
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [Windows System Recover!] c:\windows\temp\debug.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-07-16 01:03 32,768 a------- C:\dbckb.exe
2009-07-16 01:03 15,000 a------- c:\windows\system32\ghaf8jkdfd.dll
2009-07-15 23:30 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-15 23:27 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-15 23:27 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-15 23:26 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-15 23:26 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-15 23:26 <DIR> --d----- c:\program files\AVG
2009-07-15 23:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-15 23:19 <DIR> --d----- c:\program files\Trend Micro
2009-07-15 23:12 <DIR> --d----- c:\program files\CCleaner
2009-07-15 20:31 <DIR> --d----- c:\windows\pss
2009-07-15 20:24 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-07-15 20:24 14,592 a------- c:\windows\system32\dllcache\kbdhid.sys
2009-07-14 18:31 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-14 18:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-14 12:59 207,403 a------- C:\errigh.exe
2009-07-14 12:58 2 a------- c:\windows\0535251103110107106.loi
2009-06-21 05:50 <DIR> --d----- c:\program files\iPod
2009-06-21 05:50 <DIR> --d----- c:\program files\iTunes
2009-06-21 05:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-21 05:46 <DIR> --d----- c:\program files\Bonjour
2009-06-21 05:40 2,060,288 a------- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-07-14 08:20 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-07-14 08:20 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 21:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 21:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 21:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 21:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 21:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 21:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 21:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 21:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 21:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 02:05 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 02:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-27 00:45 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-24 22:27 636,088 -------- c:\windows\system32\dllcache\iexplore.exe
2009-04-24 22:26 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 05:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2008-04-21 14:54 5,873 a------- c:\program files\install.log
2006-07-23 14:12 50,912 a------- c:\program files\MC

============= FINISH: 3:33:33.01 ===============

Please help me, a moderately computer-savvy individual, to clear up this friend's machine from any remaining infections that are hindering performance, privacy and accessibility.

Thank you for reading, I await your reply.

If you request any more information or for me to run any more programs and provide logs to help aid in this process, PLEASE DO SO. I am glad to oblige, just as I appreciate the free help I am receiving here from you individuals. :thumbup2:

Edited by shigeru, 16 July 2009 - 03:31 AM.
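The DDS log above already carries the indicators a helper would look at first: autostart entries that run from a user profile or a temp directory (reader_s.exe, debug.exe), registry policies that lock the user out of their own tools (DisableRegistryTools, NoFolderOptions), and freshly created executables in the drive root (dbckb.exe, errigh.exe). The following Python 3.8+ script is an added example, not code from this thread or from the DDS tool, that parses those three kinds of lines and reports such findings. The sample input is copied from the posted log and trimmed; the list of suspicious locations and lockdown policy names is a heuristic of my own, not something DDS defines.

```python
"""Triage the autostart, policy and 'Created Last 30' lines of a DDS log.

Added example: the heuristics below (suspicious locations, lockdown policies)
are the author's own and are deliberately conservative; they flag entries for
a human to review, they do not decide that a file is malicious.
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the DDS log posted in this thread, trimmed.
SAMPLE_LOG = r"""
uRun: [reader_s] c:\documents and settings\wendy\reader_s.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [Windows System Recover!] c:\windows\temp\debug.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
2009-07-16 01:03 32,768 a------- C:\dbckb.exe
2009-07-15 23:27 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-14 12:59 207,403 a------- C:\errigh.exe
"""

# u/m/d prefix = user / machine / default-profile hive, as DDS prints it.
RUN_RE = re.compile(r"^([umd])Run: \[(.*?)\] (.*)$")
POLICY_RE = re.compile(r"^([umd])Policies-(\w+): (\w+) = (\d+)")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(.*\.(?:exe|dll|sys|scr))$", re.I)
# First executable in a Run value, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|bat|cmd|com|pif))"?(?:\s|$)', re.I)

# Policies that lock the user out of their own troubleshooting tools (heuristic list).
LOCKDOWN_POLICIES = {"DisableRegistryTools", "DisableTaskMgr",
                     "NoFolderOptions", "DisableCMD", "NoRun"}

# Locations a legitimate autostart rarely uses, each with the reason reported.
SUSPICIOUS_LOCATIONS = [
    (re.compile(r"^[a-z]:\\[^\\]+$", re.I), "executable in drive root"),
    (re.compile(r"\\(temp|tmp)\\", re.I), "executable in a temp directory"),
    (re.compile(r"\\(documents and settings|users)\\[^\\]+\\[^\\]+$", re.I),
     "executable directly in a user profile"),
]


@dataclass
class Finding:
    kind: str      # "autostart", "policy" or "created"
    name: str
    path: str
    reason: str


def classify_path(path):
    """Return the reason a path looks suspicious, or None if it looks ordinary."""
    for pattern, reason in SUSPICIOUS_LOCATIONS:
        if pattern.search(path):
            return reason
    return None


def triage_dds(text):
    """Walk a DDS log and collect findings worth a human's attention."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            _scope, name, value = m.groups()
            exe = EXE_RE.match(value)
            path = exe.group(1) if exe else value
            if reason := classify_path(path):
                findings.append(Finding("autostart", name, path, reason))
        elif m := POLICY_RE.match(line):
            _scope, hive, policy, value = m.groups()
            if policy in LOCKDOWN_POLICIES and value != "0":
                findings.append(Finding("policy", policy, f"{hive} = {value}",
                                        "lockdown policy set"))
        elif m := CREATED_RE.match(line):
            path = m.group(1)
            if reason := classify_path(path):
                findings.append(Finding("created", path.rsplit("\\", 1)[-1], path, reason))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.path} ({f.reason})")
```

Run against the sample it reports the two autostart entries, the two lockdown policies and the two drive-root executables, and stays quiet about ctfmon.exe, the AVG tray and the Messenger entry. Note that a policy finding explains the symptom described in the post (regedit disabled, folder options hidden) rather than naming the infection; removing the policy value without removing what set it just gets it re-applied.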

#2 sempai



Posted 26 July 2009 - 09:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE


Posted 31 July 2009 - 07:40 PM

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please send me a Private message to reopen this topic within the next 5 days. Beyond that point, please start a new topic.

Orange Blossom

