Infected with something getting random pop-ups.



#1 Blinx


Posted 06 January 2009 - 06:57 PM

I did a scan in safe mode with SUPERAntiSpyware and McAfee. I also followed this guide: http://www.bleepingcomputer.com/forums/t/98811/how-to-remove-ultimate-defender-removal-instructions/
and I am still infected. Also, every time I open anything on my desktop it instantly opens my browser to some random site, and the "My Documents" folder likes to open up for no reason too.


DDS (Version 1.1.0) - FAT32x86
Run by Rafael at 18:36:29.51 on Tue 01/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1094 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

I:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
I:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\system32\userinit.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\ehome\ehtray.exe
I:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
I:\Program Files\Ideazon\Reaper Edge\hid.exe
I:\WINDOWS\stsystra.exe
I:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
I:\Program Files\AT&T\Internet Security Wizard\ISW.exe
I:\Program Files\Java\jre6\bin\jusched.exe
I:\WINDOWS\system32\RUNDLL32.EXE
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\frmwrk32.exe
I:\program files\steam\steam.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\WINDOWS\eHome\ehRecvr.exe
I:\WINDOWS\eHome\ehSched.exe
I:\Program Files\Xfire\xfire.exe
I:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\Motive\McciCMService.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\PnkBstrA.exe
I:\WINDOWS\system32\PnkBstrB.exe
svchost.exe
I:\WINDOWS\system32\svchost.exe -k imgsvc
I:\Program Files\Viewpoint\Common\ViewpointService.exe
I:\WINDOWS\system32\ntdll64.exe
I:\Program Files\Ideazon\Reaper Edge\Tray.exe
I:\WINDOWS\system32\dllhost.exe
I:\WINDOWS\eHome\ehmsas.exe
I:\PROGRA~1\MOZILL~1\FIREFOX.EXE
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\ntdll64.exe
I:\WINDOWS\system32\ntdll64.exe
I:\WINDOWS\system32\ntdll64.exe
I:\Program Files\Ventrilo\Ventrilo.exe
I:\WINDOWS\system32\ntdll64.exe
I:\WINDOWS\system32\ntdll64.exe
i:\PROGRA~1\mcafee.com\agent\mctskshd.exe
i:\program files\mcafee.com\agent\mcdetect.exe
I:\PROGRA~1\McAfee.com\MPS\Mscifapp.exe
I:\Documents and Settings\Rafael\Desktop\dds.scr
I:\Documents and Settings\Rafael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: McBrwHelper Class: {227b8aa8-daf2-4892-bd1d-73f568bcb24e} - i:\program files\mcafee.com\mps\mcbrhlpr.dll
BHO: McAfee Privacy Service Popup Blocker: {3ec8255f-e043-4cae-8b3b-b191550c2a22} - i:\program files\mcafee.com\mps\popupkiller.dll
BHO: McAfee Anti-Phishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - i:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - i:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - i:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - i:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - i:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
uRun: [Steam] "i:\program files\steam\steam.exe" -silent
uRun: []
uRun: [RGSC] i:\program files\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
mRun: [ehTray] i:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE i:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [IAAnotif] i:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Gaming Mouse] "i:\program files\ideazon\reaper edge\Tray.exe"
mRun: [Gaming Mouse Hid] "i:\program files\ideazon\reaper edge\hid.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [EPSON Stylus CX3800 Series] i:\windows\system32\spool\drivers\w32x86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
mRun: [ISW.exe] "i:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [SunJavaUpdateSched] "i:\program files\java\jre6\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE i:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Olenebaguwimu] rundll32.exe "i:\windows\Tsoyagov.dll",e
mRun: [Ypegawi] rundll32.exe "i:\windows\ubidiruv.dll",e
mRun: [Framework Windows] frmwrk32.exe
mRun: [QuickTime Task] "i:\program files\quicktime\QTTask.exe" -atboottime
mRun: [VSOCheckTask] "i:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [VirusScan Online] i:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [OASClnt] i:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] i:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] i:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [CleanUp] i:\progra~1\mcafee.com\shared\mcappins.exe /v=3 /cleanup
mRun: [MPFExe] i:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [MSKAGENTEXE] i:\progra~1\mcafee\spamki~1\MSKAgent.exe
mRun: [MSKDetectorExe] i:\program files\mcafee\spamkiller\MSKDetct.exe /install
mRun: [MPSExe] i:\progra~1\mcafee.com\mps\mscifapp.exe /embedding
mRun: [McRegWiz] i:\progra~1\mcafee.com\agent\mcregwiz.exe /autorun
mRun: [McafWelcome] i:\progra~1\mcafee.com\agent\mcwelcom.exe
mRunOnce: [MPFService] i:\progra~1\mcafee.com\person~1\MpfService.exe -i
mRunOnce: [MSKSrvr.exe] i:\progra~1\mcafee\spamki~1\MSKSrvr.exe /regserver
StartupFolder: i:\docume~1\rafael\startm~1\programs\startup\adobeg~1.lnk - i:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: i:\docume~1\rafael\startm~1\programs\startup\xfire.lnk - i:\program files\xfire\xfire.exe
StartupFolder: i:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - i:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AIM Search - i:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: &Windows Live Search - i:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922}
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - i:\program files\mcafee\spamkiller\mcapfbho.dll
LSP: i:\windows\system32\mclsp.dll
AppInit_DLLs: hsinlr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - i:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 i:\windows\system32\opnmjigD

================= FIREFOX ===================

FF - ProfilePath - i:\documents and settings\rafael\application data\mozilla\firefox\profiles\yrd5b7fq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=
FF - component: i:\documents and settings\rafael\application data\mozilla\firefox\profiles\yrd5b7fq.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: i:\program files\mozilla firefox\plugins\npkimi.dll
FF - HiddenExtension: XUL Cache: {ADEA2801-C019-410D-B728-81FDE52E9522} - i:\documents and settings\rafael\local settings\application data\{ADEA2801-C019-410D-B728-81FDE52E9522}
FF - HiddenExtension: XUL Cache: {260A0153-103A-4E88-B161-2EF3910D3424} - i:\documents and settings\aris\local settings\application data\{260a0153-103a-4e88-b161-2ef3910d3424}\

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R3 GamingMsFltr;Ideazon Reaper Edge;i:\windows\system32\drivers\gamingms.sys [2008-6-24 19712]
R4 McDetect.exe;McAfee WSC Integration;i:\program files\mcafee.com\agent\Mcdetect.exe [2009-1-6 126976]
R4 McrdSvc;Media Center Extender Service;i:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R4 McTskshd.exe;McAfee Task Scheduler;i:\progra~1\mcafee.com\agent\mctskshd.exe [2009-1-6 122368]
R4 Viewpoint Manager Service;Viewpoint Manager Service;i:\program files\viewpoint\common\ViewpointService.exe [2008-7-4 24652]
S3 Alpham1;Ideazon Merc USB Human Interface Device;i:\windows\system32\drivers\Alpham1.sys [2007-7-23 42624]
S3 Alpham2;Ideazon Merc MM USB Human Interface Device;i:\windows\system32\drivers\Alpham2.sys [2007-3-20 18432]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;i:\windows\system32\drivers\CamSpaceBus.sys [2008-6-10 14848]
S3 CamSpaceJoy;CamSpace Virtual Joystick device driver;i:\windows\system32\drivers\CamSpaceJoy.sys [2008-6-10 30464]
S3 cusbohcn;cusbohcn;\??\i:\docume~1\rafael\locals~1\temp\cusbohcn.sys --> i:\docume~1\rafael\locals~1\temp\cusbohcn.sys [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;i:\progra~1\mcafee.com\agent\mcupdmgr.exe [2009-1-6 245760]
S3 NaiAvFilter1;NaiAvFilter1;i:\windows\system32\drivers\naiavf5x.sys [2009-1-6 114464]
S3 NPF;NetGroup Packet Filter Driver;i:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S4 McShield;McAfee.com McShield;i:\progra~1\mcafee.com\vso\mcshield.exe [2009-1-6 221184]

=============== Created Last 30 ================

2009-01-06 18:34 --d----- i:\windows\system32\mclsphlr
2009-01-06 18:33 80,640 a------- i:\windows\system32\drivers\MpFirewall.sys
2009-01-06 18:33 9,216 a------- i:\windows\system32\MpfApi.dll
2009-01-06 18:32 114,464 a------- i:\windows\system32\drivers\naiavf5x.sys
2009-01-06 18:30 288,320 a----r-- i:\windows\system32\mcgdmgr.dll
2009-01-06 18:30 349,760 a----r-- i:\windows\system32\mcinsctl.dll
2009-01-06 15:56 28,544 a------- i:\windows\system32\drivers\pavboot.sys
2009-01-06 15:56 --d----- i:\program files\Panda Security
2009-01-06 15:37 2,328 a------- i:\windows\system32\tmp.reg
2009-01-06 15:31 754 a------- i:\windows\WORDPAD.INI
2009-01-06 14:23 4,785 a------- i:\windows\system32\warning.gif
2009-01-06 14:23 1,347 a------- i:\windows\system32\ahtn.htm
2009-01-06 14:23 111,616 a------- i:\windows\system32\ntdll64.exe
2009-01-06 02:23 552 a------- i:\windows\system32\d3d8caps.dat
2009-01-06 02:12 0 a------- i:\windows\system32\drivers\senekabrbwugru.sys
2009-01-06 01:50 502 a------- i:\windows\system32\win32hlp.cnf
2009-01-06 01:27 111,616 ac------ i:\windows\system32\dllcache\userinit.exe
2009-01-06 01:17 --d----- i:\program files\SUPERAntiSpyware
2009-01-06 01:17 --d----- i:\documents and settings\rafael\application data\SUPERAntiSpyware.com
2009-01-06 00:56 1 a------- i:\windows\system32\uniq.tll
2009-01-06 00:56 24,576 a------- i:\windows\system32\frmwrk32.exe
2009-01-06 00:56 24,576 a------- i:\windows\system32\pcload.exe
2009-01-05 22:54 134,656 a------- i:\windows\ubidiruv.dll
2009-01-05 22:35 137,216 a------- i:\windows\ewepabus.dll
2009-01-05 22:23 40,448 a------- i:\windows\Tsoyagov.dll
2009-01-05 22:15 1,306,349 ---sh--- i:\windows\system32\dketrxks.ini
2009-01-05 22:15 89,600 a------- i:\windows\system32\skxrtekd.dll
2009-01-05 22:13 696,357 a--sh--- i:\windows\system32\Dgijmnpo.ini2
2009-01-05 22:13 696,357 a--sh--- i:\windows\system32\Dgijmnpo.ini
2009-01-05 15:17 --d----- i:\program files\OpenAL
2009-01-04 14:44 --d----- i:\program files\Guild Wars
2009-01-04 04:25 1,324 a------- i:\windows\system32\d3d9caps.dat
2009-01-03 01:54 23,248 a------- I:\Bh0CcnyQKhgjwj45Aqcc4gFAo1_400.jpg
2008-12-31 01:34 --d----- i:\windows\NV2936528.TMP
2008-12-31 01:31 --d----- i:\windows\NV37601924.TMP
2008-12-30 02:03 1,700,352 a------- i:\windows\system32\gdiplus.dll
2008-12-30 02:03 1,060,864 a------- i:\windows\system32\mfc71.dll
2008-12-29 20:30 --d----- i:\program files\Microsoft Games for Windows - LIVE
2008-12-29 19:52 --d----- i:\windows\system32\XPSViewer
2008-12-29 19:51 14,048 -------- i:\windows\system32\spmsg2.dll
2008-12-29 19:49 --d----- i:\program files\Rockstar Games
2008-12-27 19:29 --d----- i:\program files\SystemRequirementsLab
2008-12-21 17:14 0 a------- I:\LHT2C7.tmp
2008-12-21 15:57 --d----- i:\windows\system32\cache329
2008-12-21 15:57 --d----- i:\windows\system32\AdCache
2008-12-20 20:42 --d----- i:\program files\Runes of Magic
2008-12-19 10:02 --d----- i:\program files\World of Warcraft Public Test
2008-12-18 16:27 0 a------- I:\LHT17D.tmp
2008-12-18 11:11 --d----- i:\documents and settings\rafael\application data\dyyno-vlc
2008-12-18 11:09 --d----- i:\program files\Dyyno
2008-12-17 18:58 0 a------- I:\LHTC.tmp
2008-12-11 15:37 42,320 a------- i:\windows\system32\xfcodec.dll

==================== Find3M ====================

2009-01-06 01:27 111,616 a------- i:\windows\system32\userinit.exe
2008-12-29 00:50 137,688 a------- i:\windows\system32\drivers\PnkBstrK.sys
2008-12-29 00:50 202,040 a------- i:\windows\system32\PnkBstrB.exe
2008-12-02 10:13 453,152 a------- i:\windows\system32\NVUNINST.EXE
2008-11-10 05:43 410,984 a------- i:\windows\system32\deploytk.dll
2008-10-29 11:42 22,328 a------- i:\documents and settings\rafael\application data\PnkBstrK.sys
2008-10-29 11:42 66,872 a------- i:\windows\system32\PnkBstrA.exe
2008-10-29 11:42 682,280 a------- i:\windows\system32\pbsvc.exe
2008-10-28 17:41 14,303,392 a------- i:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- i:\windows\system32\xlivefnt.dll
2008-10-27 10:04 514,384 a------- i:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- i:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- i:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- i:\windows\system32\XAPOFX1_2.dll
2008-10-23 07:36 286,720 a------- i:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- i:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- i:\windows\system32\muweb.dll
2008-10-15 20:00 666,112 a------- i:\windows\system32\wininet.dll
2008-10-13 09:56 70,936 a------- i:\windows\system32\PhysXLoader.dll
2008-10-10 04:52 4,379,984 a------- i:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- i:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- i:\windows\system32\d3dx10_40.dll
2008-09-23 14:55 53,934 a------- i:\program files\INSTALL.LOG

============= FINISH: 18:37:10.81 ===============
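The DDS report above already contains the indicators a helper looks for by eye: on-access scanning disabled, two `rundll32` Run entries loading DLLs from the Windows root with a one-letter export, a populated `AppInit_DLLs`, an extra LSA authentication package beside `msv1_0`, Task Manager disabled by policy, and freshly created system+hidden files in `system32`. The script below is an added triage example, not part of this thread, of DDS, or of any BleepingComputer tool; the sample lines are copied from the posted report, and the heuristics and the assumed DDS column layout (date, time, optional size, eight attribute flags, path) are mine.

```python
"""Triage a DDS log for persistence and defence-tampering indicators.

Added example; the heuristics are the editor's own and only encode what
the posted report shows. Column layout of DDS file lines is assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample: verbatim lines taken from the DDS report above.
SAMPLE_LOG = r"""
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
============== Pseudo HJT Report ===============
mRun: [NvCplDaemon] RUNDLL32.EXE i:\windows\system32\NvCpl.dll,NvStartup
mRun: [Olenebaguwimu] rundll32.exe "i:\windows\Tsoyagov.dll",e
mRun: [Ypegawi] rundll32.exe "i:\windows\ubidiruv.dll",e
mRun: [Framework Windows] frmwrk32.exe
mRun: [SunJavaUpdateSched] "i:\program files\java\jre6\bin\jusched.exe"
uPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: hsinlr.dll
LSA: Authentication Packages = msv1_0 i:\windows\system32\opnmjigD
=============== Created Last 30 ================
2009-01-06 14:23 111,616 a------- i:\windows\system32\ntdll64.exe
2009-01-05 22:15 1,306,349 ---sh--- i:\windows\system32\dketrxks.ini
2009-01-05 22:13 696,357 a--sh--- i:\windows\system32\Dgijmnpo.ini
2009-01-05 15:17 --d----- i:\program files\OpenAL
============= FINISH: 18:37:10.81 ===============
"""

RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)   # DLL directly in \windows\
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:(?P<size>[\d,]+)\s+)?"
                     r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$")
LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.*)$")


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line: str
    reason: str


def triage(text: str) -> list[Finding]:
    """Return one Finding per suspicious line of a DDS report."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # DDS prints the on-access scanner state; "disabled" means no real-time protection.
        if line.startswith("AV:") and "disabled" in line.lower():
            findings.append(Finding("high", line, "real-time AV scanning is disabled"))
            continue
        # Run keys: rundll32 loading a DLL that sits in the Windows root, or a one-letter export.
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m["cmd"])
            if r and WINROOT_RE.match(r["dll"]):
                findings.append(Finding("high", line, f"rundll32 loads {r['dll']} from the Windows root"))
            elif r and len(r["export"]) == 1:
                findings.append(Finding("medium", line, "rundll32 calls a single-letter export"))
            continue
        if "Policies-system: DisableTaskMgr = 1" in line:
            findings.append(Finding("medium", line, "Task Manager disabled by policy"))
            continue
        # AppInit_DLLs is loaded into every process that maps user32.dll.
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(Finding("high", line, "AppInit_DLLs is populated"))
            continue
        # LSA authentication packages beyond msv1_0 see plaintext logon credentials.
        m = LSA_RE.match(line)
        if m:
            extra = [p for p in m["pkgs"].split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(Finding("high", line, f"extra LSA authentication package: {' '.join(extra)}"))
            continue
        # Recently created files carrying both the system and hidden attributes.
        m = FILE_RE.match(line)
        if m and "s" in m["attrs"] and "h" in m["attrs"]:
            findings.append(Finding("medium", line, "system+hidden file created recently"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Run as-is it reports eight findings on the sample (five high, three medium); the legitimate `NvCplDaemon` entry, which also uses `RUNDLL32.EXE`, is not flagged because its DLL lives under `system32` and uses a named export. Bare-filename Run values such as `frmwrk32.exe` are deliberately not flagged on their own, since legitimate entries like `stsystra.exe` in the same report look identical; they need the file-creation section for context.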

#2 Thunder


Posted 07 January 2009 - 04:08 AM

Hello Blinx and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder



