Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

!vimax ads everywhere!


  • Please log in to reply
47 replies to this topic

#1 oceanman720

oceanman720

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 19 January 2009 - 06:25 PM

DDS (Ver_09-01-18.01) - NTFSx86
Run by O'Reilly's at 16:16:56.64 on Mon 01/19/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1830 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\IDT\WDM\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Utilities\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Continuum\Continuum.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\O'Reilly's\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Easy Dock]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\utilities\setpoint\SetPoint.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\o'reil~1\appdata\roaming\mozilla\firefox\profiles\373xpyn1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com|www.thesamba.com
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-15 97928]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-10-24 342016]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-8-15 231704]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-8-17 45848]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-01-19 15:12 <DIR> --d----- C:\Temp
2009-01-13 20:34 288,768 a------- c:\windows\system32\drivers\srv.sys
2008-12-24 21:59 107,368 a------- c:\windows\system32\GEARAspi.dll
2008-12-24 21:59 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2008-12-24 21:59 <DIR> --d----- c:\program files\iPod
2008-12-24 21:59 <DIR> --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-24 21:59 <DIR> --d----- c:\program files\iTunes
2008-12-24 21:59 <DIR> --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-24 21:58 <DIR> --d----- c:\program files\Bonjour

==================== Find3M ====================

2008-12-24 21:58 51,200 a------- c:\windows\inf\infpub.dat
2008-12-24 21:58 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-24 21:58 86,016 a------- c:\windows\inf\infstor.dat
2008-10-31 20:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 20:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 20:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 20:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 20:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-31 20:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-10-31 18:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-28 23:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-21 20:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 18:22 2,048 a------- c:\windows\system32\tzres.dll
2008-08-09 11:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-02-28 14:30 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-02-28 14:30 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-02-28 14:30 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:17:49.87 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:26 PM

Posted 30 January 2009 - 08:29 AM

Hello oceanman720

Welcome to BleepingComputer :thumbup2:
========================
If you are still in need of assistance please post a new dds log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 oceanman720

oceanman720
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 02 February 2009 - 09:47 AM

here is a new log & zip as per someone's request. still getting vimax ads everwhere.
!!!!!!!!somebody please help me!!!!!!!!

log>


DDS (Ver_09-01-18.01) - NTFSx86
Run by O'Reilly's at 7:39:02.65 on Mon 02/02/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.1912 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\IDT\WDM\STacSV.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Utilities\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\O'Reilly's\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Easy Dock]
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\utilities\setpoint\SetPoint.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\o'reil~1\appdata\roaming\mozilla\firefox\profiles\373xpyn1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com|www.thesamba.com
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-8-15 325128]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2008-10-24 342016]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 298264]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-8-17 45848]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]

=============== Created Last 30 ================

2009-01-29 22:50 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-19 15:12 <DIR> --d----- C:\Temp
2009-01-13 20:34 288,768 a------- c:\windows\system32\drivers\srv.sys

==================== Find3M ====================

2009-01-29 22:50 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-24 21:58 51,200 a------- c:\windows\inf\infpub.dat
2008-12-24 21:58 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-24 21:58 86,016 a------- c:\windows\inf\infstor.dat
2008-08-09 11:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 19:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-02-28 14:30 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-02-28 14:30 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-02-28 14:30 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 7:39:56.78 ===============

Attached Files



#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:26 PM

Posted 02 February 2009 - 01:33 PM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 oceanman720

oceanman720
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 02 February 2009 - 04:45 PM

!!!!!!!!!!!!!!thx kahdah!!!!!!!!!!!!!!!!

here is the Malewarebytes' log:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

2/2/2009 2:22:00 PM
mbam-log-2009-02-02 (14-22-00).txt

Scan type: Quick Scan
Objects scanned: 45170
Time elapsed: 3 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.128 85.255.112.149 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1f51c212-3e77-47fd-9790-a8b6d1147867}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.128 85.255.112.149 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.128 85.255.112.149 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1f51c212-3e77-47fd-9790-a8b6d1147867}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.128 85.255.112.149 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 oceanman720

oceanman720
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 02 February 2009 - 05:01 PM

ads still appearing on yahoo. performing full scan.

#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:26 PM

Posted 02 February 2009 - 05:55 PM

Please visit this webpage for download links, and instructions for running Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#8 oceanman720

oceanman720
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 02 February 2009 - 06:27 PM

here is the log from the full scan:

four more trojans found!?! will run combofix as well.

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 6.0.6001 Service Pack 1

2/2/2009 4:17:31 PM
mbam-log-2009-02-02 (16-17-31).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 128343
Time elapsed: 1 hour(s), 8 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.128 85.255.112.149 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1f51c212-3e77-47fd-9790-a8b6d1147867}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.128 85.255.112.149 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.128 85.255.112.149 1.2.3.4 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1f51c212-3e77-47fd-9790-a8b6d1147867}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.128 85.255.112.149 1.2.3.4 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:26 PM

Posted 02 February 2009 - 07:40 PM

Ok post the Combofix log please and also do you use a router?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#10 oceanman720

oceanman720
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 04 February 2009 - 10:22 AM

do you use a router?


yes. wireless, secured.

will post combofix in a few hours.

#11 oceanman720

oceanman720
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 04 February 2009 - 06:17 PM

had to uninstall AVG to deactivate it.

vimax ads still there !!??!!

combofix log:

ComboFix 09-02-04.01 - O'Reilly's 2009-02-04 15:41:54.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3062.2203 [GMT -7:00]
Running from: c:\users\O'Reilly's\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-02 14:08 . 2009-02-02 14:08 <DIR> d-------- c:\users\O'Reilly's\AppData\Roaming\Malwarebytes
2009-02-02 14:08 . 2009-02-02 14:08 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-02 14:08 . 2009-02-02 14:08 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-02 14:08 . 2009-02-02 14:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-02 14:08 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-02 14:08 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-01-19 15:12 . 2009-01-19 15:50 <DIR> d-------- C:\Temp
2009-01-13 20:34 . 2008-12-15 19:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-06 08:05 . 2009-01-06 08:06 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 22:36 --------- d-----w c:\programdata\avg8
2009-02-04 22:21 --------- d-----w c:\programdata\Google Updater
2009-01-14 20:02 --------- d-----w c:\programdata\Microsoft Help
2009-01-14 20:02 --------- d-----w c:\program files\Windows Mail
2009-01-05 19:47 --------- d-----w c:\programdata\WildTangent
2009-01-05 19:24 --------- d-----w c:\program files\Google
2008-12-25 05:00 --------- d-----w c:\users\O'Reilly's\AppData\Roaming\Apple Computer
2008-12-25 04:59 --------- d-----w c:\programdata\Apple Computer
2008-12-25 04:59 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-25 04:59 --------- d-----w c:\program files\iTunes
2008-12-25 04:59 --------- d-----w c:\program files\iPod
2008-12-25 04:58 --------- d-----w c:\program files\Bonjour
2008-12-25 04:57 --------- d-----w c:\program files\Common Files\Apple
2008-12-18 16:58 --------- d-----w c:\programdata\Apple
2008-12-18 16:58 --------- d-----w c:\program files\Apple Software Update
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2008-01-18 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\utilities\SetPoint\SetPoint.exe [2008-08-17 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^O'Reilly's^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^YPOPs.lnk]
path=c:\users\O'Reilly's\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YPOPs.lnk
backup=c:\windows\pss\YPOPs.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
--a------ 2007-09-13 15:09 638976 c:\program files\Camera Assistant Software for Gateway\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
--a------ 2008-01-20 19:25 125952 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-04 15:26 154392 c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-10-03 16:44 178712 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-04 15:26 138008 c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-04-04 15:26 133912 c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 04:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2008-01-20 19:23 1008184 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-20 19:25 202240 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-07-27 10:48 405504 c:\windows\sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{08261F47-0AFE-465B-BB77-B8BF62A2FB80}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C4124165-3325-4743-91B2-D24E013C67C5}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{0C8B21E4-4612-46BA-BDE3-75A38250DEA3}"= TCP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{4E20C65F-EE16-4EDE-8035-6465C93005A6}"= UDP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{1DBA86CA-E9BC-4B0D-9DD6-828A6A1146EC}"= TCP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{035D8BD1-1B95-45DA-9B12-C98B608F87E7}"= UDP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{3E33D7FC-7531-48E8-BE7C-F289B6BD78B3}"= TCP:c:\program files\Winamp Remote\bin\OrbIR.exe:OrbIR
"{96CF9859-C957-4D0E-B124-CF91286DCD55}"= UDP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{1FC82B7F-073E-4B5F-83D7-4D168E1A6E6B}"= TCP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{C4952A75-804C-4BD6-9079-69BDBAD03311}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{6C7EFBE3-C039-4718-9603-E05D646C88C0}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{88AC9EFF-A30E-448D-8372-DCB37186DC59}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A9503806-F6FF-4F90-86FD-CD1EE155E250}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{CEDA61CC-4551-4001-B9DA-205C8552E2DF}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2E8A183E-D67A-4A8A-896B-FF7C569BE982}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6EB11EF9-9D23-470F-9E89-7CC428C57432}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\System32\drivers\LMIRfsDriver.sys [2008-08-17 45848]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\System32\drivers\RTL8187B.sys [2008-10-24 342016]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [2006-11-02 2589184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c23ac178-cef3-11dd-b31f-0003254b7686}]
\shell\AutoRun\command - F:\rcaeasyrip_setup.exe
\shell\install\command - F:\rcaeasyrip_setup.exe
\shell\usermanualEnglish\command - F:\rcaeasyrip_setup.exe /pdf_English
\shell\usermanualFrench\command - F:\rcaeasyrip_setup.exe /pdf_French
\shell\usermanualSpanish\command - F:\rcaeasyrip_setup.exe /pdf_Spanish
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Easy Dock - (no file)
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
MSConfigStartUp-msnmsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
MSConfigStartUp-NapsterShell - c:\program files\Napster\napster.exe
MSConfigStartUp-Orb - c:\program files\Winamp Remote\bin\OrbTray.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=ODT&Br=GTW&Loc=ENG_US&Sys=PTB&M=T-6321
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\O'Reilly's\AppData\Roaming\Mozilla\Firefox\Profiles\373xpyn1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com|www.thesamba.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 15:43:23
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\O'REIL~1\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-02-04 15:44:41
ComboFix-quarantined-files.txt 2009-02-04 22:44:39

Pre-Run: 87,426,940,928 bytes free
Post-Run: 87,511,609,344 bytes free

165 --- E O F --- 2009-02-03 01:28:17

#12 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:26 PM

Posted 05 February 2009 - 08:34 AM

Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==============================================
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#13 oceanman720

oceanman720
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 05 February 2009 - 04:11 PM

Kapernsky will not update:

Program is starting. Please wait...
Update source selected: http://www.kaspersky.com
Downloading file: packages/kos-extras.jar
Program has started.

Program database is being updated. Please wait...
Update source selected: http://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Failed to connect to update source]

#14 oceanman720

oceanman720
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:02:26 PM

Posted 05 February 2009 - 08:59 PM

here is what AVG (all the sudden) thinks is going on...

"Found Tracking cookie.Atdmt";"C:\Users\O'Reilly's\AppData\Roaming\Mozilla\Firefox\Profiles\373xpyn1.default\cookies.sqlite";"Potentially dangerous object";"2/5/2009, 6:48:22 PM";"File";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Found Tracking cookie.Atdmt";"C:\Users\O'Reilly's\AppData\Roaming\Mozilla\Firefox\Profiles\373xpyn1.default\cookies.sqlite";"Healed";"2/5/2009, 6:29:04 PM";"File";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Found Tracking cookie.Atdmt";"C:\Users\O'Reilly's\AppData\Roaming\Mozilla\Firefox\Profiles\373xpyn1.default\cookies.sqlite";"Potentially dangerous object";"2/5/2009, 6:10:45 PM";"File";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Found Tracking cookie.Advertising";"C:\Users\O'Reilly's\AppData\Roaming\Mozilla\Firefox\Profiles\373xpyn1.default\cookies.sqlite";"Healed";"2/5/2009, 1:40:30 PM";"File";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse BackDoor.SmallX.VX";"C:\Users\O'Reilly's\AppData\Local\Temp\1D30.tmp\b2e.dll";"Infected";"2/4/2009, 3:12:32 PM";"File";"C:\32788R22FWJFW\Prep.com"
"Trojan horse BackDoor.SmallX.VX";"C:\Users\O'Reilly's\AppData\Local\Temp\CDDD.tmp\b2e.dll";"Infected";"2/4/2009, 3:04:32 PM";"File";"C:\32788R22FWJFW\Prep.com"
"Trojan horse BackDoor.SmallX.VX";"C:\Users\O'Reilly's\AppData\Local\Temp\725.tmp\b2e.dll";"Infected";"2/4/2009, 3:02:35 PM";"File";"C:\32788R22FWJFW\Prep.com"
"Trojan horse BackDoor.SmallX.VX";"C:\Users\O'Reilly's\AppData\Local\Temp\89AD.tmp\b2e.dll";"Infected";"2/4/2009, 2:58:48 PM";"File";"C:\32788R22FWJFW\Prep.com"

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:03:26 PM

Posted 06 February 2009 - 07:16 AM

Those are related to Combofix and are false positives.

Try this scanner instead.

Please go HERE to run Panda's ActiveScan 2.0
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the yellow bar to install the active x control.
  • Then click Install.
  • It will begin to download and scan.
  • When the scan completes, click on the Export now button then save the file to your desktop.
  • Close Active scan 2.0

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users