
Zlob DNSchanger infection


13 replies to this topic

#1 macpinky


Posted 11 December 2008 - 01:59 PM

I have managed to get my machine infected with this malware. I've tried a number of removal programs. They all say they have removed it, but it is always there when I try to use Google through IE or Mozilla Firefox. I get redirected when I try to use Google, via a website called copy-book.com. I use Kaspersky Anti-Virus - at the moment I can't do a scan (as the system crashes) & I can't update the anti-virus database.
I've looked into what this trojan is & I understand why it's happened, but I am unable to remove it myself.
I would greatly appreciate any help that someone can give to remove this thing from my computer.

Logfile of random's system information tool 1.04 (written by random/random)
Run by sj and kev at 2008-12-11 18:43:15
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 179 GB (77%) free of 231 GB
Total RAM: 1022 MB (25% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:43:40, on 11/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
D:\itunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\spybot\Spybot - Search & Destroy\TeaTimer.exe
D:\camera\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\sj and kev\Desktop\RSIT.exe
D:\malware remover\sj and kev.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [UpdateP2GShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe "C:\Program Files\CyberLink\Power2Go" update "SOFTWARE\CyberLink\Power2Go\5.0"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NapsterShell] D:\napster\napster.exe /systray
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [tgbhna] "c:\users\sj and kev\appdata\local\tgbhna.exe" tgbhna
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\spybot\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Exif Launcher S.lnk = D:\camera\QuickDCF2.exe
O4 - Global Startup: ExifLauncher2.lnk = D:\camera\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\spybot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\spybot\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905}: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905}: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115;85.255.112.70
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6936 bytes

======Scheduled tasks folder======

C:\Windows\tasks\User_Feed_Synchronization-{4835776B-68C6-444B-9642-00CF948654AE}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\spybot\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2008-11-28 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-11-28 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-04-10 4431872]
"UpdateP2GShortCut"=C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [2007-07-26 202024]
"AVP"=C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe [2007-06-26 218376]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]
"NapsterShell"=D:\napster\napster.exe /systray []
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-22 116040]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]
"iTunesHelper"=D:\itunes\iTunesHelper.exe [2008-07-30 289064]
"Skytel"=C:\Windows\Skytel.exe [2007-04-04 1822720]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-09-12 86016]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-09-12 8497696]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-09-12 81920]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-10-11 185872]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-11-28 136600]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15 39792]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-01-19 1233920]
"tgbhna"=c:\users\sj and kev\appdata\local\tgbhna.exe tgbhna []
"SpybotSD TeaTimer"=D:\spybot\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Exif Launcher S.lnk - D:\camera\QuickDCF2.exe
ExifLauncher2.lnk - D:\camera\QuickDCF2.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
C:\Windows\system32\klogon.dll [2007-06-26 206088]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=157

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2008-12-11 18:43:15 ----D---- C:\rsit
2008-12-10 20:11:37 ----D---- C:\ProgramData\Spybot - Search & Destroy
2008-12-10 18:45:15 ----D---- C:\ProgramData\Lavasoft
2008-12-05 23:28:57 ----A---- C:\Windows\ntbtlog.txt
2008-12-05 22:46:27 ----D---- C:\Users\sj and kev\AppData\Roaming\Malwarebytes
2008-12-05 22:46:14 ----D---- C:\ProgramData\Malwarebytes
2008-12-05 20:31:03 ----D---- C:\Program Files\VistaCodecPack
2008-12-05 20:25:43 ----D---- C:\ProgramData\VistaCodecs
2008-12-02 06:07:38 ----A---- C:\Windows\system32\xvidvfw.dll
2008-12-02 06:06:30 ----A---- C:\Windows\system32\xvidcore.dll
2008-11-30 21:58:26 ----D---- C:\Program Files\Adobe
2008-11-28 18:19:51 ----A---- C:\Windows\system32\PhotoMetadataHandler.dll
2008-11-28 18:19:50 ----A---- C:\Windows\system32\WindowsCodecsExt.dll
2008-11-28 18:19:50 ----A---- C:\Windows\system32\WindowsCodecs.dll
2008-11-28 18:19:48 ----A---- C:\Windows\system32\msxml3.dll
2008-11-28 18:19:44 ----A---- C:\Windows\system32\PortableDeviceApi.dll
2008-11-28 18:19:42 ----A---- C:\Windows\system32\connect.dll
2008-11-28 18:18:42 ----A---- C:\Windows\system32\msxml6.dll
2008-11-28 18:06:17 ----A---- C:\Windows\system32\javaws.exe
2008-11-28 18:06:17 ----A---- C:\Windows\system32\javaw.exe
2008-11-28 18:06:17 ----A---- C:\Windows\system32\java.exe
2008-11-28 18:06:17 ----A---- C:\Windows\system32\deploytk.dll
2008-11-24 15:32:44 ----A---- C:\Windows\system32\ff_vfw.dll
2008-11-22 21:38:38 ----D---- C:\ProgramData\HP Product Assistant
2008-11-18 16:50:14 ----A---- C:\Windows\GSPCD2033.ini
2008-11-14 16:22:51 ----D---- C:\ProgramData\Drumsite
2008-11-14 13:53:40 ----A---- C:\Windows\system32\wups2.dll
2008-11-14 13:53:40 ----A---- C:\Windows\system32\wucltux.dll
2008-11-14 13:53:40 ----A---- C:\Windows\system32\wuaueng.dll
2008-11-14 13:53:40 ----A---- C:\Windows\system32\wuauclt.exe
2008-11-14 13:53:06 ----A---- C:\Windows\system32\wups.dll
2008-11-14 13:53:06 ----A---- C:\Windows\system32\wudriver.dll
2008-11-14 13:53:06 ----A---- C:\Windows\system32\wuapi.dll
2008-11-14 13:52:53 ----A---- C:\Windows\system32\wuwebv.dll
2008-11-14 13:52:53 ----A---- C:\Windows\system32\wuapp.exe

======List of files/folders modified in the last 1 months======

2008-12-11 18:43:27 ----D---- C:\Windows\Prefetch
2008-12-11 18:43:18 ----D---- C:\Windows\Temp
2008-12-11 18:16:20 ----D---- C:\ProgramData\Kaspersky Lab
2008-12-11 16:50:46 ----D---- C:\Windows\Minidump
2008-12-11 16:50:36 ----D---- C:\Windows
2008-12-10 20:11:37 ----HD---- C:\ProgramData
2008-12-10 18:47:17 ----SHD---- C:\Windows\Installer
2008-12-10 18:47:17 ----HD---- C:\Config.Msi
2008-12-10 18:45:16 ----D---- C:\Windows\system32\drivers
2008-12-10 18:45:16 ----D---- C:\Windows\System32
2008-12-10 18:44:57 ----SHD---- C:\System Volume Information
2008-12-10 18:43:15 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-12-09 16:27:52 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-12-09 16:27:51 ----D---- C:\Windows\inf
2008-12-06 15:11:38 ----D---- C:\Windows\system32\catroot2
2008-12-05 22:58:51 ----RD---- C:\Program Files
2008-12-05 21:50:08 ----D---- C:\Users\sj and kev\AppData\Roaming\uTorrent
2008-12-05 20:28:42 ----A---- C:\Windows\system32\regsvr32.exe.log
2008-12-03 19:54:07 ----D---- C:\Windows\winsxs
2008-12-03 19:53:58 ----D---- C:\Program Files\Common Files\microsoft shared
2008-11-30 21:58:36 ----D---- C:\Program Files\Common Files\Adobe
2008-11-30 21:58:34 ----D---- C:\ProgramData\Adobe
2008-11-29 21:22:16 ----D---- C:\ProgramData\DVD Shrink
2008-11-28 18:29:05 ----D---- C:\Windows\system32\catroot
2008-11-28 18:14:42 ----D---- C:\Program Files\Common Files
2008-11-28 18:09:49 ----D---- C:\Program Files\Java
2008-11-27 21:14:10 ----D---- C:\Users\sj and kev\AppData\Roaming\CyberLink
2008-11-18 16:49:10 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-14 21:21:01 ----D---- C:\Program Files\Mozilla Firefox
2008-11-14 14:42:05 ----D---- C:\Windows\rescache
2008-11-14 14:16:17 ----D---- C:\Windows\system32\en-US

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 kl1;kl1; C:\Windows\system32\DRIVERS\kl1.sys [2008-05-28 112144]
R1 KLIF;KLIF; C:\Windows\system32\DRIVERS\klif.sys [2008-02-16 127768]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter; C:\Windows\system32\DRIVERS\klim6.sys [2007-04-04 20760]
R2 irda;IrDA Protocol; C:\Windows\system32\DRIVERS\irda.sys [2008-01-19 95744]
R3 GEARAspiWDM;GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-04-10 1764960]
R3 irsir;Microsoft Serial Infrared Driver; C:\Windows\system32\DRIVERS\irsir.sys [2008-01-19 20992]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-09-12 7623968]
R3 RTL8023xp;Realtek 10/100 NIC Family NDIS x86 Driver; C:\Windows\system32\DRIVERS\Rtnicxp.sys [2008-07-22 51200]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S1 ASPI32;ASPI32; C:\Windows\system32\drivers\ASPI32.sys []
S1 Ndisprot.sys;Ndisprot.sys; C:\Windows\system32\drivers\Ndisprot.sys [2008-12-05 29184]
S3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2006-11-02 983552]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2006-11-02 14208]
S3 Dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
S3 dot4usb;MS Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-19 1380864]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2006-11-02 1781760]
S3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2006-11-02 44544]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-07-22 32000]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; D:\adaware\aawservice.exe [2008-09-10 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
R2 AVP;Kaspersky Anti-Virus 7.0; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe [2007-06-26 218376]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 Irmon;@%SystemRoot%\System32\irmon.dll,-2000; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

-----------------EOF-----------------



info.txt logfile of random's system information tool 1.04 2008-12-11 18:43:47

======Uninstall list======

-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
Apple Mobile Device Support-->MsiExec.exe /I{49C88E44-1B38-4FC6-824E-2BDA3063B0E3}
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DFX 8 for Windows Media Player-->MsiExec.exe /I{AD8D7882-5BC4-43A5-B54C-E96A4995EAD9}
DFX for Windows Media Player-->D:\dfx\uninstall_WMP.exe
DivxToDVD 0.5.2-->"D:\divxtodvd\DivxToDVD\unins000.exe"
DVD Decrypter (Remove Only)-->"D:\dvd decrypter\uninstall.exe"
DVD Shrink 3.2-->"D:\dvd shrink\DVD Shrink\unins000.exe"
Exterminate It!-->D:\exterminate\Exterminate It!\ExterminateIt_Uninst.exe
Favorit-->c:\users\sj and kev\appdata\local\tgbhna.bat
FinePix Studio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3B3AB03-8ABC-46CF-8CA9-DB5581E1F368}\Setup.exe" -l0x9
FinePixViewer Resource-->C:\Program Files\InstallShield Installation Information\{B44529FF-501E-47CD-A06D-223C161BE058}\setup.exe -runfromtemp -l0x0009 -removeonly
FinePixViewer Ver.5.3-->C:\Program Files\InstallShield Installation Information\{24ED4D80-8294-11D5-96CD-0040266301AD}\Setup.exe -runfromtemp -l0x0009 -removeonly
FreeRIP v3.081-->"D:\freerip\FreeRIP3\unins000.exe"
FUJIFILM FinePixViewer S Ver.2.1-->C:\Program Files\InstallShield Installation Information\{88B32652-CAE0-4909-A463-5840D2689D93}\setup.exe -runfromtemp -l0x0009 -removeonly
Guitar Pro 5.2-->"D:\guitar pro\Guitar Pro 5\unins000.exe"
HijackThis 2.0.2-->"D:\malware remover\HijackThis.exe" /uninstall
HP Customer Participation Program 8.0-->C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet All-In-One Software 8.0-->C:\Program Files\HP\Digital Imaging\{24557DC0-0839-496f-82F9-C4EB72EFE4FA}\setup\hpzscr01.exe -datfile hposcr12.dat
HP Imaging Device Functions 8.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential-->MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Product Assistant-->MsiExec.exe /I{36FDBE6E-6684-462B-AE98-9A39A1B200CC}
HP Solution Center 8.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
Immortal Cities-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{E05B1C38-AE31-4146-8D47-E5E71BEB8D9E} /l1033
iTunes-->MsiExec.exe /I{3DE0053C-FD9A-483E-B7C9-B06E4392206E}
Java™ 6 Update 10-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
Kaspersky Anti-Virus 7.0-->MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0-->MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Magic ISO Maker v5.4 (build 0239)-->D:\PROGRA~1\MagicISO\UNWISE.EXE D:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"D:\malware remover\Malwarebytes' Anti-Malware\unins000.exe"
McDonald's Fairies-->C:\Program Files\McDonaldsFairies\uninstall.exe
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Mozilla Firefox (3.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
Peppa Pig - Puddles Of Fun-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5AC35FBC-6E16-46DB-BD56-B4D988D8BC44}\setup.exe" -l0x9 -removeonly
Peppa Pig-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A21BB2C2-B505-44B5-80D4-70233203FB6C}\setup.exe" -l0x9 -removeonly
Power Tab Editor 1.7-->MsiExec.exe /I{6B3CA80E-6AC0-4725-BABF-9B0FEF880CB3}
Power2Go 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Shop for HP Supplies-->C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
Sothink Movie DVD Maker-->"D:\dvd maker\Sothink Movie DVD Maker\unins000.exe"
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy-->"D:\spybot\Spybot - Search & Destroy\unins000.exe"
SubMagic V0.70-->"D:\vob sub\SubMagic\unins000.exe"
Texas Hold'em 3D XP Championship-->"C:\Program Files\Selectsoft\Texas Hold'em 3D XP Championship\uninstall.exe"
Vista Codec Package-->MsiExec.exe /I{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}
VobSub v2.23 (Remove Only)-->"C:\Program Files\Gabest\VobSub\uninstall.exe"
WinAVI Video Converter-->"D:\WINAVI\WinAVI Video Converter\unins000.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WMPTagSupportExtender-->MsiExec.exe /I{7AEBFFF0-15A1-48A9-88F3-06604486C7C9}

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: Kaspersky Anti-Virus (outdated)
AS: Windows Defender
AS: Kaspersky Anti-Virus

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------
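The O17 NameServer lines and the tgbhna Run entry in the log above are what a helper looks for in a DNSChanger case. As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that parses those two line types, flags resolvers outside an assumed LAN allowlist and flags Run entries whose executable lives in a user's AppData; the sample lines are copied from the log above, and the allowlist networks are an assumption you would replace with the resolvers you actually expect.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

It pulls two things a helper checks in a DNSChanger case:
  * O17 lines - the NameServer values written into the TCP/IP registry keys;
  * O4 lines  - Run-key entries whose executable lives in a user's AppData/Temp.
Anything reported here is "review this", not proof of infection on its own.
"""
import ipaddress
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [tgbhna] "c:\users\sj and kev\appdata\local\tgbhna.exe" tgbhna
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905}: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115;85.255.112.70
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumption: the resolvers this machine should use are on the LAN (router /
# DHCP-assigned). Replace with the ISP or corporate resolvers you expect.
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Folders a legitimate autostart rarely points into but droppers commonly use.
USER_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\local settings\\temp\\")


def parse_nameservers(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 line."""
    found = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in re.split(r"[;,]", m.group("servers")) if s.strip()]
            found.append((m.group("key"), servers))
    return found


def unexpected_nameservers(log_text, allowed=EXPECTED_RESOLVER_NETS):
    """Distinct NameServer values not inside any allowed network, sorted.

    Tokens that are not valid IP addresses are returned as-is so nothing is
    silently dropped from the reviewer's view.
    """
    flagged = set()
    for _key, servers in parse_nameservers(log_text):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                flagged.add(s)
                continue
            if not any(ip in net for net in allowed):
                flagged.add(str(ip))
    return sorted(flagged)


def suspicious_run_entries(log_text):
    """O4 Run-key entries whose command points into a user's AppData/Temp folders."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m and any(d in m.group("cmd").lower() for d in USER_DIRS):
            hits.append((m.group("name"), m.group("cmd")))
    return hits


def triage(log_text):
    """Bundle both checks into one report dict."""
    return {
        "nameserver_keys": len(parse_nameservers(log_text)),
        "unexpected_nameservers": unexpected_nameservers(log_text),
        "suspicious_run_entries": suspicious_run_entries(log_text),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ns in report["unexpected_nameservers"]:
        print("review NameServer:", ns)
    for name, cmd in report["suspicious_run_entries"]:
        print("review Run entry:", name, "->", cmd)
```

Run it against a full saved log by replacing SAMPLE_LOG with the file contents; on the log above it reports both 85.255.x.x resolvers and the tgbhna entry.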

#2 Bugbatter

  • Forum Deity
  • Malware Response Team

Posted 17 December 2008 - 01:14 PM

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below, a staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#3 macpinky

  • Topic Starter

Posted 17 December 2008 - 04:00 PM

Hi, thanks for replying.
The problem is the same as before. I know it's a trojan called DNSChanger. It is redirecting my web searches via copy-book.com when I search using Google or Mozilla Firefox. I am unable to update the virus database on Kaspersky, which is worrying. I've tried Spybot & Malwarebytes, and although they say they have removed it, they haven't. Here is a copy of the DDS:

DDS (Version 1.1.0) - NTFSx86
Run by sj and kev at 20:49:40.76 on 17/12/2008
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1022.238 [GMT 0:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
D:\adaware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
D:\itunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\spybot\Spybot - Search & Destroy\TeaTimer.exe
D:\camera\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\sj and kev\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - d:\spybot\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [tgbhna] "c:\users\sj and kev\appdata\local\tgbhna.exe" tgbhna
uRun: [SpybotSD TeaTimer] d:\spybot\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [UpdateP2GShortCut] c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe "c:\program files\cyberlink\power2go" update "software\cyberlink\power2go\5.0"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NapsterShell] d:\napster\napster.exe /systray
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\itunes\iTunesHelper.exe"
mRun: [Skytel] Skytel.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\exifla~2.lnk - d:\camera\QuickDCF2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\exifla~1.lnk - d:\camera\QuickDCF2.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - d:\micros~1\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\spybot\spybot~1\SDHelper.dll
TCP: NameServer = 85.255.113.115;85.255.112.70
TCP: {37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905} = 85.255.113.115;85.255.112.70
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1.0\r3hook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\sjandk~1\appdata\roaming\mozilla\firefox\profiles\aoj5ivr7.default\
FF - prefs.js: browser.search.selectedEngine - Chambers (UK)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - plugin: d:\itunes\mozilla plugins\npitunes.dll
FF - plugin: d:\real player\netscape6\nppl3260.dll
FF - plugin: d:\real player\netscape6\nprjplug.dll
FF - plugin: d:\real player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2007-4-4 20760]

=============== Created Last 30 ================

2008-12-14 19:19 <DIR> --d----- c:\program files\Trend Micro
2008-12-10 20:11 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2008-12-10 20:11 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2008-12-10 18:45 <DIR> --d----- c:\programdata\Lavasoft
2008-12-05 22:46 <DIR> --d----- c:\users\sjandk~1\appdata\roaming\Malwarebytes
2008-12-05 22:46 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-05 22:46 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-05 22:46 <DIR> --d----- c:\programdata\Malwarebytes
2008-12-05 22:46 <DIR> --d----- c:\progra~2\Malwarebytes
2008-12-05 20:31 <DIR> --d----- c:\program files\VistaCodecPack
2008-12-05 20:25 <DIR> --d----- c:\programdata\VistaCodecs
2008-12-05 20:25 <DIR> --d----- c:\progra~2\VistaCodecs
2008-12-05 19:28 29,184 a------- c:\windows\system32\drivers\Ndisprot.sys
2008-12-02 06:24 73,728 a------- c:\windows\system32\xvid.ax
2008-12-02 06:07 177,664 a------- c:\windows\system32\xvidvfw.dll
2008-12-02 06:06 617,984 a------- c:\windows\system32\xvidcore.dll
2008-11-28 18:19 425,472 a------- c:\windows\system32\PhotoMetadataHandler.dll
2008-11-28 18:19 712,704 a------- c:\windows\system32\WindowsCodecs.dll
2008-11-28 18:19 347,136 a------- c:\windows\system32\WindowsCodecsExt.dll
2008-11-28 18:19 1,191,936 a------- c:\windows\system32\msxml3.dll
2008-11-28 18:19 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2008-11-28 18:19 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-11-28 18:19 1,645,568 a------- c:\windows\system32\connect.dll
2008-11-28 18:18 1,334,272 a------- c:\windows\system32\msxml6.dll
2008-11-28 18:06 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-24 15:32 57,344 a------- c:\windows\system32\ff_vfw.dll
2008-11-22 21:38 <DIR> --d----- c:\programdata\HP Product Assistant
2008-11-18 16:50 0 a------- c:\windows\GSPCD2033.ini

==================== Find3M ====================

2008-12-17 20:34 44,911,136 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-17 16:07 607,688 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-10-22 06:47 995,328 a------- c:\windows\system32\VSFilter.dll
2008-10-19 09:57 130,958 a------- c:\windows\hpoins12.dat
2008-10-16 20:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 20:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-11 01:44 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-06 17:26 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2008-10-02 03:49 827,392 a------- c:\windows\system32\wininet.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-03 18:35 51,200 a------- c:\windows\inf\infpub.dat
2008-09-03 18:35 86,016 a------- c:\windows\inf\infstrng.dat
2008-09-03 18:35 86,016 a------- c:\windows\inf\infstor.dat
2008-08-29 18:13 174 a--sh--- c:\program files\desktop.ini
2008-08-29 16:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-04-24 20:46 1,468 a------- c:\users\sjandk~1\appdata\roaming\wklnhst.dat
2008-02-22 00:50 4,085,904 a------- c:\users\sj and kev\wmfdist.exe
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-07-13 10:29 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:50:47.43 ===============

#4 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • Local time:12:20 PM

Posted 17 December 2008 - 04:40 PM

While both Tea timer and SpyBot are closed:
Download ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).
From here: http://downloads.subratam.org/ResetTeaTimer.bat
Alternative link: http://www.bleepingcomputer.com/files/lonn...setTeaTimer.bat

Right click and save link as
Save it as resetteatimer.bat
Save it to your Desktop

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

Double click on resetteatimer.bat and wait for it to finish

Since it will not be needed again, delete ResetTeaTimer.bat after you run it.
When we are COMPLETELY finished with ALL your fixes, you can turn Tea timer back on again via SpyBot's tools resident page.

Please UPDATE Malwarebytes' Anti-malware and run a scan. Please post your log from that as well as a fresh HijackThis log.
Do you use a router? If so, that may need to be reset once this infection is gone.



#5 macpinky

macpinky
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:glasgow, scotland
  • Local time:04:20 PM

Posted 18 December 2008 - 12:50 PM

Hi Bugbatter,

I have done what you have suggested but the reset teatimer batch file doesn't appear to be doing anything.
When it opens it says it's an unsupported version, press any key to exit & press any key to continue.
When I press any key it seems to close.

#6 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • Local time:12:20 PM

Posted 18 December 2008 - 04:20 PM

Sorry, I forgot that you are running Vista. Let's do it this way:
Go to Msconfig/Startup and UNcheck the entry for TeaTimer.
1. Open Spybot
2. Click Mode -> Advanced Mode
3. Click Yes
4. Click Tools (located in the bottom left corner) -> Resident
5. Uncheck 'Resident "TeaTimer" (Protection of over-all system settings) active'
6. Close Spybot.
**After we have confirmed that your system is clean, reverse these steps and re-enable the protection applets for TeaTimer.
Please launch HijackThis and place a checkmark next to the following:
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905}: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905}: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115;85.255.112.70

Close all other windows and click "Fix Checked".
Close HijackThis and REBOOT.

Please include the MBAM log that was requested above as well as a fresh HijackThis log. Don't forget to get today's update for MBAM before running the scan.



#7 macpinky

macpinky
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:glasgow, scotland
  • Local time:04:20 PM

Posted 19 December 2008 - 03:48 AM

Hi, I am unable to update MBAM; this trojan is blocking it. It's also stopping Kaspersky from updating.
Yes, I do use a router. It's a SMARTAX MT882.
Here is the MBAM log that you requested:

Malwarebytes' Anti-Malware 1.31
Database version: 1464
Windows 6.0.6001 Service Pack 1

19/12/2008 08:44:59
mbam-log-2008-12-19 (08-44-28).txt

Scan type: Quick Scan
Objects scanned: 46680
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.36 85.255.112.41 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.115;85.255.112.70 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{37aaa1ed-1aef-4c24-84ce-a4a0e3c39905}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.36 85.255.112.41 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{37aaa1ed-1aef-4c24-84ce-a4a0e3c39905}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.115;85.255.112.70 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.36 85.255.112.41 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.115;85.255.112.70 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{37aaa1ed-1aef-4c24-84ce-a4a0e3c39905}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.36 85.255.112.41 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{37aaa1ed-1aef-4c24-84ce-a4a0e3c39905}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.115;85.255.112.70 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


& Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:46:38, on 19/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
D:\itunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
D:\camera\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [UpdateP2GShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe "C:\Program Files\CyberLink\Power2Go" update "SOFTWARE\CyberLink\Power2Go\5.0"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NapsterShell] D:\napster\napster.exe /systray
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [tgbhna] "c:\users\sj and kev\appdata\local\tgbhna.exe" tgbhna
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Exif Launcher S.lnk = D:\camera\QuickDCF2.exe
O4 - Global Startup: ExifLauncher2.lnk = D:\camera\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\spybot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\spybot\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905}: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905}: NameServer = 85.255.113.115;85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115;85.255.112.70
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6856 bytes

Edited by macpinky, 19 December 2008 - 04:06 AM.
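The O17 entries Bugbatter asked to fix in #6 and the "Registry Data Items Infected" lines in the MBAM log above are the same finding reported by two tools: the Tcpip\Parameters NameServer and DhcpNameServer values (machine-wide and per-interface) point at resolvers the owner never configured. As an added example, not code from this thread, from HijackThis or from Malwarebytes, the Python script below parses both line formats, collects every resolver address, and flags those outside an allow-list of expected resolvers. The sample lines are constructed, four of them copied from the logs in this thread; the 192.168.1.1 router address is an assumed placeholder for whatever the real gateway or ISP resolver is.

```python
"""Triage of resolver addresses found in HijackThis O17 lines and Malwarebytes
'Registry Data Items Infected' lines.

Added example, not code from the thread or from either tool. It assumes the
line formats shown in the thread's logs and an operator-supplied allow-list of
expected resolvers; the 192.168.1.1 router address is a constructed placeholder.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed allow-list: the only resolvers this machine should be using.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# HijackThis: "O17 - <key>: NameServer = a.b.c.d;e.f.g.h"
_HJT_O17 = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.+)$")
# Malwarebytes: "<key>\NameServer (Sig) -> Data: a.b.c.d e.f.g.h -> <action>"
_MBAM_DATA = re.compile(
    r"^(?P<key>HKEY_\S+\\(?:DhcpNameServer|NameServer)) \([^)]+\) -> "
    r"Data: (?P<servers>.+?) -> .+$"
)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_ips(field):
    """Return the valid IPv4 addresses in a ';'- or space-separated value field."""
    ips = []
    for token in _IPV4.findall(field):
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:  # an octet above 255 is not an address; skip it
            pass
    return ips


def parse_log(lines):
    """Return (tool, registry_key, [ip, ...]) for every nameserver-bearing line."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = _HJT_O17.match(line)
        if m:
            findings.append(("hijackthis", m.group("key"), extract_ips(m.group("servers"))))
            continue
        m = _MBAM_DATA.match(line)
        if m:
            findings.append(("mbam", m.group("key"), extract_ips(m.group("servers"))))
    return findings


def triage(lines, expected=EXPECTED_RESOLVERS):
    """Map each resolver not in the allow-list to the registry keys that reference it."""
    unexpected = defaultdict(set)
    for _tool, key, ips in parse_log(lines):
        for ip in ips:
            if ip not in expected:
                unexpected[ip].add(key)
    return {str(ip): sorted(keys) for ip, keys in unexpected.items()}


def router_check_recommended(lines, expected=EXPECTED_RESOLVERS):
    """True when a rogue address sits in a DhcpNameServer value.

    DhcpNameServer records what DHCP handed out, so a rogue address there means
    either the router's DNS settings were changed or the value was overwritten
    directly; either way the router needs checking before the host is called clean.
    """
    return any(
        key.endswith("\\DhcpNameServer") and any(ip not in expected for ip in ips)
        for _tool, key, ips in parse_log(lines)
    )


# Constructed sample: four lines taken from the thread's HijackThis and MBAM logs,
# one benign O17 line for the assumed router, and one unrelated O4 line as noise.
SAMPLE_LOG_LINES = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{37AAA1ED-1AEF-4C24-84CE-A4A0E3C39905}: NameServer = 85.255.113.115;85.255.112.70",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115;85.255.112.70",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.36 85.255.112.41 -> No action taken.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.115;85.255.112.70 -> No action taken.",
    r"O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.1.1",
    r"O4 - HKLM\..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe",
]

if __name__ == "__main__":
    for ip, keys in sorted(triage(SAMPLE_LOG_LINES).items()):
        print(f"unexpected resolver {ip} referenced by {len(keys)} registry key(s)")
    print("router check recommended:", router_check_recommended(SAMPLE_LOG_LINES))
```

Run against the sample, the script flags the four 85.255.x.x addresses and leaves the assumed router address alone; because two of them come from a DhcpNameServer value it also answers Bugbatter's router question in the affirmative. Fixing the O17 lines in HijackThis rewrites the NameServer values, but a router still handing out the rogue resolvers over DHCP would repopulate them, which is why the router settings need to be checked as well.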


#8 Bugbatter

Bugbatter

    Forum Deity


  • Malware Response Team
  • 270 posts
  • Local time:12:20 PM

Posted 19 December 2008 - 08:22 AM

Please visit this webpage for download links, and instructions for running the ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.



#9 macpinky

macpinky
  • Topic Starter

  • Members
  • 10 posts
  • Gender:Male
  • Location:glasgow, scotland
  • Local time:04:20 PM

Posted 19 December 2008 - 01:48 PM

Hi Bugbatter, that was almost as scary as when I did a best man speech earlier this year.
Here's the Combo Fix log.
I think it ran OK.

ComboFix 08-12-18.03 - sj and kev 2008-12-19 18:28:39.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1022.173 [GMT 0:00]
Running from: c:\users\sj and kev\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\msqpdxmbcbcrrx.sys
c:\windows\system32\msqpdxrfppntlv.dll
c:\windows\system32\msqpdxwqsctmei.dll
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com
S:\Autorun.inf
S:\resycled
s:\resycled\boot.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-14 19:19 . 2008-12-14 19:19 <DIR> d-------- c:\program files\Trend Micro
2008-12-11 18:43 . 2008-12-11 18:43 <DIR> d-------- C:\rsit
2008-12-10 20:11 . 2008-12-10 20:42 <DIR> d-------- c:\programdata\Spybot - Search & Destroy
2008-12-10 18:45 . 2008-12-10 18:47 <DIR> d-------- c:\programdata\Lavasoft
2008-12-05 22:46 . 2008-12-05 22:46 <DIR> d-------- c:\users\sj and kev\AppData\Roaming\Malwarebytes
2008-12-05 22:46 . 2008-12-05 22:46 <DIR> d-------- c:\programdata\Malwarebytes
2008-12-05 22:46 . 2008-12-03 19:52 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-05 22:46 . 2008-12-03 19:52 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-05 20:31 . 2008-12-05 20:31 <DIR> d-------- c:\program files\VistaCodecPack
2008-12-05 20:25 . 2008-12-05 20:25 <DIR> d-------- c:\programdata\VistaCodecs
2008-12-05 19:28 . 2008-12-05 19:28 29,184 --a------ c:\windows\System32\drivers\Ndisprot.sys
2008-12-02 06:24 . 2008-12-02 06:24 73,728 --a------ c:\windows\System32\xvid.ax
2008-12-02 06:07 . 2008-12-02 06:07 177,664 --a------ c:\windows\System32\xvidvfw.dll
2008-12-02 06:06 . 2008-12-02 06:06 617,984 --a------ c:\windows\System32\xvidcore.dll
2008-11-28 18:19 . 2008-10-21 05:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-28 18:19 . 2008-09-05 05:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-28 18:19 . 2008-08-28 03:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-28 18:19 . 2008-08-28 03:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-28 18:19 . 2008-08-28 03:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-28 18:19 . 2008-10-22 03:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-28 18:19 . 2008-08-27 01:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-28 18:18 . 2008-09-10 03:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-28 18:06 . 2008-11-28 18:05 410,976 --a------ c:\windows\System32\deploytk.dll
2008-11-24 15:32 . 2008-11-24 15:32 57,344 --a------ c:\windows\System32\ff_vfw.dll
2008-11-22 21:38 . 2008-11-22 21:38 <DIR> d-------- c:\programdata\HP Product Assistant

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 18:32 45,230,112 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-19 18:26 611,696 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-19 14:38 --------- d-----w c:\programdata\Kaspersky Lab
2008-12-10 18:43 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-05 21:50 --------- d-----w c:\users\sj and kev\AppData\Roaming\uTorrent
2008-11-30 21:58 --------- d-----w c:\program files\Common Files\Adobe
2008-11-29 21:22 --------- d-----w c:\programdata\DVD Shrink
2008-11-28 18:09 --------- d-----w c:\program files\Java
2008-11-27 21:14 --------- d-----w c:\users\sj and kev\AppData\Roaming\CyberLink
2008-11-18 16:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-14 16:51 --------- d-----w c:\programdata\Drumsite
2008-10-30 20:28 --------- d-----w c:\program files\Windows Mail
2008-10-25 17:47 --------- d-----w c:\program files\DFX
2008-10-25 08:36 --------- d-----w c:\programdata\DFX
2008-10-25 08:36 --------- d-----w c:\program files\Common Files\DFX
2008-10-22 06:47 995,328 ----a-w c:\windows\System32\VSFilter.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 14:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 13:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-11 01:44 348,160 ----a-w c:\windows\System32\msvcr71.dll
2008-10-06 17:26 43,520 ----a-w c:\windows\System32\CmdLineExt03.dll
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-08-29 18:13 174 --sha-w c:\program files\desktop.ini
2008-04-24 20:46 1,468 ----a-w c:\users\sj and kev\AppData\Roaming\wklnhst.dat
2008-02-22 00:50 4,085,904 ----a-w c:\users\sj and kev\wmfdist.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateP2GShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2007-07-26 202024]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2008-07-30 289064]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-11 185872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-28 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-10 c:\windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-04-04 c:\windows\SkyTel.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Exif Launcher S.lnk - d:\camera\QuickDCF2.exe [2008-05-31 303104]
ExifLauncher2.lnk - d:\camera\QuickDCF2.exe [2008-05-31 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{22BEE933-18AD-4016-955B-8E9EA76EB41F}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{5E7D07A5-A6DF-4E2B-8471-56921C6B4B9C}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"TCP Query User{A5396924-A384-497C-A77A-AEDC67904428}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CFA98A5E-0831-4325-928B-F737920F8752}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{B8224BDF-D89D-4875-8FA6-463ED60EFE87}"= UDP:d:\utorrent\uTorrent.exe:µTorrent (TCP-In)
"{FF142642-C9C6-4B71-A6CD-101C3DF7151B}"= TCP:d:\utorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{8CF1E92C-2B00-46B8-A1BE-9AF8EC08170B}d:\\bit comet\\bitcomet\\bitcomet.exe"= Disabled:UDP:d:\bit comet\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{E7AC8371-056B-4843-8419-C6428847845B}d:\\bit comet\\bitcomet\\bitcomet.exe"= Disabled:TCP:d:\bit comet\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{E899B720-ADCA-41EC-9CFF-C9DCFAE39F41}d:\\limewire\\limewire.exe"= Disabled:UDP:d:\limewire\limewire.exe:LimeWire
"UDP Query User{076E699C-F4EE-4229-A7FC-C7BAEEF1E9D3}d:\\limewire\\limewire.exe"= Disabled:TCP:d:\limewire\limewire.exe:LimeWire
"{55E1A173-F941-4C71-A639-316F7C791DEE}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{11B5A68F-569C-4754-A905-B6549A44721B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{CF97D368-38F8-4F7B-85DD-598A647C0077}"= UDP:d:\itunes\iTunes.exe:iTunes
"{29B6ECF1-0159-464D-A826-E1A1E5A44C8C}"= TCP:d:\itunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2007-04-04 20760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\User_Feed_Synchronization-{4835776B-68C6-444B-9642-00CF948654AE}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 07:33]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-tgbhna - c:\users\sj and kev\appdata\local\tgbhna.exe
HKLM-Run-NapsterShell - d:\napster\napster.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-19 18:33:44
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)
c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll
c:\windows\system32\WS2_32.dll

- - - - - - - > 'lsass.exe'(668)
c:\progra~1\KASPER~1\KASPER~1.0\r3hook.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\windows\system32\AUTHZ.dll
.
Completion time: 2008-12-19 18:38:47
ComboFix-quarantined-files.txt 2008-12-19 18:38:44

Pre-Run: 187,125,596,160 bytes free
Post-Run: 187,121,963,008 bytes free

170 --- E O F --- 2008-12-04 19:37:16

#10 Bugbatter
  • Forum Deity
  • Malware Response Team
  • 270 posts

Posted 19 December 2008 - 06:22 PM

Please see if you can update and run MBAM yet. If so, please post the log along with a fresh HijackThis log.

Microsoft MVP - Consumer Security 2006-2016

Microsoft Windows Insider MVP 2016-


#11 macpinky
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:glasgow, scotland

Posted 20 December 2008 - 02:31 AM

Hi Bugbatter, everything is working fine. MBAM updated & Kaspersky updated. I was able to run a full system scan without Kaspersky crashing.
I would like to keep going with these fixes to make sure my system is completely clean.
Thank you for all your help. I really appreciate it.
What should I do with ComboFix? I think Kaspersky thinks it is a virus.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.31
Database version: 1525
Windows 6.0.6001 Service Pack 1

20/12/2008 07:25:59
mbam-log-2008-12-20 (07-25-59).txt

Scan type: Quick Scan
Objects scanned: 47142
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

& the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:30:39, on 20/12/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
D:\itunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wbem\unsecapp.exe
D:\camera\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [UpdateP2GShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe "C:\Program Files\CyberLink\Power2Go" update "SOFTWARE\CyberLink\Power2Go\5.0"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - Global Startup: Exif Launcher S.lnk = D:\camera\QuickDCF2.exe
O4 - Global Startup: ExifLauncher2.lnk = D:\camera\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\spybot\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\spybot\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5221 bytes

Edited by macpinky, 20 December 2008 - 08:35 AM.


#12 Bugbatter
  • Forum Deity
  • Malware Response Team
  • 270 posts

Posted 20 December 2008 - 10:18 AM

That's good news. :thumbsup:

It's time for some housekeeping.
Because the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, along with the folders created by these tools.

* Click Start then Run
* Now type Combofix /u in the runbox and click OK.
Notice the space between the X and the /u
This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.



Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.

If you have installed Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

You may have already taken some of the following steps, and depending on your current security, you may not need to implement all of these:

1. Visit Windows Update
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

2. You might consider installing SpywareBlaster
Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates.

3. Please use a firewall and realtime anti-virus. Keep your antivirus software and firewall software up to date.
Zone Labs has a free version of their firewall for home users: Zone Alarm Free Version or Alternate Link

4. You might consider installing Mozilla Firefox

5. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

6. Before using or purchasing any Spyware/Malware protection/removal program, always check these links: Rogue/Suspect Spyware List
Rogue Applications List
It will save you a lot of grief, as well as money if you are thinking of purchasing.
* If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above links work, check here: http://www.spywarewarrior.com/asw-test-guide.htm for an independent comparison of several anti-spyware programs.

7. If you have not already done so, you might want to install CCleaner and run it in each user's profile.
** Uncheck the option to install the Yahoo toolbar.

8. Here are some helpful articles:
“How did I get infected?”
HERE

“I'm not pulling your leg, honest”
by Sandi Hardmeier
HERE

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!



#13 macpinky
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:glasgow, scotland

Posted 20 December 2008 - 02:47 PM

Hi Bugbatter,
Everything is working perfectly. I've downloaded everything that you suggested & read all the info.
I can't thank you enough. I really appreciate the help that you have given me.
Thank you thank you thank you.
Have yourself & everyone at BC a great Xmas.
Thanks again.

#14 Bugbatter
  • Forum Deity
  • Malware Response Team
  • 270 posts

Posted 20 December 2008 - 10:18 PM

That's excellent!
Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request. If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.

Happy Holidays to you, too!
