
Pop ups, win32:trojan-gen, win32:adware-gen, win32:rootkit-gen


  • This topic is locked
8 replies to this topic

#1 TheShawn

  • Members
  • 12 posts

Posted 26 January 2009 - 07:27 AM

Hi, I'm having a problem with popups. When I run Avast it finds files and gets rid of them, but it seems that every time I do a scan it picks up something new. Here is a list of the files it has deleted so far.

A0007433.dll win32:trojan-gen
A0007484.dll win32:rootkit-gen
A0007485.dll win32:adware-gen
geBqQJYp.dll win32:trojan-gen
pmnOHXoL.dll win32:rootkit-gen
trz1.tmp win32:rootkit-gen
tuvvpjgd.dll win32:adware-gen

Here is the DDS log:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Administrator at 7:09:47.25 on Mon 01/26/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.250 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090125-0] *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {98eb71a2-2952-f3bb-fe24-349aefca88a2}: {2a88acfe-a943-42ef-bb3f-25922a17be89} - c:\windows\system32\sihcet.dll
BHO: {5210c8c5-1bf3-4ba0-8db1-2aa3d9a7081e} - c:\windows\system32\pmnOHXoL.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBqQJYp.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229994217046
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1230309200636&h=9c3cba42cb5fa2ff7bcdf04efe0063fe/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: geBqQJYp - geBqQJYp.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: sihcet.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBqQJYp.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnOHXoL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-24 111184]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-24 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-24 155160]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-24 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-24 352920]

=============== Created Last 30 ================

2009-01-26 06:51 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 12:57 <DIR> --d----- c:\windows\pss
2009-01-24 18:46 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-24 18:45 102,912 a------- c:\windows\system32\sihcet.dll
2009-01-24 18:45 102,912 a------- c:\windows\system32\tisojrtl.dll
2009-01-24 18:43 1,434,079 a--sh--- c:\windows\system32\toctdtts.ini
2009-01-24 18:43 67,584 a------- c:\windows\system32\sttdtcot.dll
2009-01-24 18:42 409,223 a--sh--- c:\windows\system32\LoXHOnmp.ini2
2009-01-24 18:42 409,223 a--sh--- c:\windows\system32\LoXHOnmp.ini
2009-01-23 18:52 5,632 a------- c:\windows\system32\ptpusb.dll
2009-01-23 18:52 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-01-23 18:52 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-01-23 18:52 159,232 a------- c:\windows\system32\ptpusd.dll
2009-01-23 11:54 <DIR> --d----- c:\windows\SHELLNEW
2009-01-23 11:43 <DIR> --d----- c:\program files\IrfanView
2009-01-20 21:02 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2009-01-20 21:02 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-01-20 21:02 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2009-01-20 21:02 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2009-01-20 21:02 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-01-20 21:02 8,192 a------- c:\windows\system32\kbdkor.dll
2009-01-20 21:02 6,144 a------- c:\windows\system32\kbd101c.dll
2009-01-20 21:02 5,632 a------- c:\windows\system32\kbd103.dll
2009-01-20 21:01 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2009-01-20 21:01 6,144 a------- c:\windows\system32\kbd101b.dll
2009-01-20 21:01 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-01-20 21:01 6,144 a------- c:\windows\system32\kbd106.dll
2009-01-17 12:54 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-13 10:54 <DIR> --d----- c:\docume~1\admini~1\applic~1\Samsung
2009-01-13 10:00 106,792 a------- c:\windows\system32\drivers\sscdmdm.sys
2009-01-13 10:00 80,552 a------- c:\windows\system32\drivers\sscdbus.sys
2009-01-13 10:00 11,944 a------- c:\windows\system32\drivers\sscdmdfl.sys
2009-01-13 10:00 9,256 a------- c:\windows\system32\drivers\sscdwhnt.sys
2009-01-13 10:00 9,256 a------- c:\windows\system32\drivers\sscdwh.sys
2009-01-13 10:00 9,256 a------- c:\windows\system32\drivers\sscdcmnt.sys
2009-01-13 10:00 9,256 a------- c:\windows\system32\drivers\sscdcm.sys
2009-01-13 09:57 174,592 a------- c:\windows\system32\framedyn.dll
2009-01-13 09:57 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-01-13 09:57 766 a------- c:\windows\system32\Uninstall.ico
2009-01-13 09:56 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2009-01-13 09:56 <DIR> --d----- c:\program files\Samsung

==================== Find3M ====================

2008-12-26 11:32 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-22 22:29 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-22 11:30 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 22:18 499,712 a------- c:\windows\system32\msvcp71.dll

============= FINISH: 7:10:20.12 ===============
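As an added example (not part of this thread, nor code from DDS, ComboFix or HijackThis), the script below does in code the triage a helper does by eye on the "Pseudo HJT Report" section above: it parses the BHO, Notify, AppInit_DLLs, SEH and LSA lines and flags DLLs sitting in load points legitimate software rarely uses, BHOs with no descriptive name, and a single DLL hooked into several load points. The sample lines are adapted from the DDS log in this post; the allow-list of known-good packages is an assumed placeholder.

```python
"""Triage the 'Pseudo HJT Report' load points in a DDS log (added example).

Heuristics (what a helper applies by eye when reading such a log):
  * DLL registered in a load point that legitimate software rarely uses
    (AppInit_DLLs, LSA Authentication Packages, Winlogon Notify);
  * BHO whose friendly name is missing or is itself a GUID;
  * one DLL hooked into more than one load point.
"""
import re
from collections import defaultdict

# Constructed sample, adapted from the DDS log in this post (raw string, so
# the single backslashes in the Windows paths survive as printed).
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {98eb71a2-2952-f3bb-fe24-349aefca88a2}: {2a88acfe-a943-42ef-bb3f-25922a17be89} - c:\windows\system32\sihcet.dll
BHO: {5210c8c5-1bf3-4ba0-8db1-2aa3d9a7081e} - c:\windows\system32\pmnOHXoL.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBqQJYp.dll
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
Notify: geBqQJYp - geBqQJYp.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: sihcet.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\geBqQJYp.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnOHXoL
"""

GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
RARE_LOAD_POINTS = {"AppInit_DLLs", "LSA", "Notify"}
# Assumed placeholder allow-list: the Windows defaults for the rare load
# points seen here. Extend it for the environment being examined.
KNOWN_GOOD = {"msv1_0.dll", "igfxsrvc.dll"}


def dll_name(token):
    """Lower-cased basename; LSA packages are listed without '.dll'."""
    base = token.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base if base.endswith(".dll") else base + ".dll"


def parse_load_points(log_text):
    """Return (load_point, friendly_name, dll) tuples from the pseudo-HJT lines."""
    entries = []
    for line in log_text.splitlines():
        kind, sep, rest = line.partition(": ")
        if not sep:
            continue
        if kind in ("BHO", "SEH"):
            # "<name>: <clsid> - <path>" or, with no friendly name, "<clsid> - <path>"
            head, _, path = rest.rpartition(" - ")
            name, _, _clsid = head.rpartition(": ")
            entries.append((kind, name, dll_name(path)))
        elif kind == "Notify":
            name, _, dll = rest.partition(" - ")
            entries.append((kind, name, dll_name(dll)))
        elif kind == "AppInit_DLLs":
            for dll in rest.replace(",", " ").split():
                entries.append((kind, "", dll_name(dll)))
        elif kind == "LSA" and rest.startswith("Authentication Packages"):
            # "Authentication Packages = msv1_0 <any extra package>"
            for pkg in rest.split("=", 1)[1].split():
                entries.append((kind, "", dll_name(pkg)))
    return entries


def triage(entries, known_good=KNOWN_GOOD):
    """Map each suspicious DLL to the list of reasons it was flagged."""
    by_dll = defaultdict(list)
    for kind, name, dll in entries:
        by_dll[dll].append((kind, name))
    findings = {}
    for dll, hits in by_dll.items():
        if dll in known_good:
            continue
        reasons = []
        points = {kind for kind, _ in hits}
        for point in sorted(points & RARE_LOAD_POINTS):
            reasons.append(f"registered in {point}, a load point legitimate software rarely uses")
        if any(k == "BHO" and (not n or GUID.match(n)) for k, n in hits):
            reasons.append("BHO without a descriptive name")
        if len(points) > 1:
            reasons.append("hooked into multiple load points: " + ", ".join(sorted(points)))
        if reasons:
            findings[dll] = reasons
    return findings


if __name__ == "__main__":
    for dll, reasons in sorted(triage(parse_load_points(SAMPLE_LOG)).items()):
        print(dll)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, it flags exactly the three randomly named DLLs that ComboFix later removed (sihcet.dll, pmnOHXoL.dll, geBqQJYp.dll) and nothing else.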


#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 03 February 2009 - 04:26 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 fenzodahl512

  • Members
  • 6,738 posts

Posted 10 February 2009 - 05:50 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 23 February 2009 - 05:19 PM

Reopened as per user request.. Post the logs here..



#5 TheShawn
  • Topic Starter

  • Members
  • 12 posts

Posted 24 February 2009 - 09:30 AM

ComboFix 09-02-21.01 - Administrator 2009-02-23 12:26:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.290 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090223-0] *On-access scanning disabled* (Updated)
* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\ADMINI~1\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\LoXHOnmp.ini
c:\windows\system32\LoXHOnmp.ini2
c:\windows\system32\tisojrtl.dll
c:\windows\system32\toctdtts.ini

.
((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-01-26 06:51 . 2009-01-26 06:51 <DIR> d-------- c:\program files\Trend Micro
2009-01-24 18:46 . 2009-01-24 18:46 <DIR> d-------- c:\program files\Alwil Software
2009-01-24 18:46 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-23 18:52 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-01-23 18:52 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-01-23 18:52 . 2008-04-13 13:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-01-23 18:52 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-01-23 11:57 . 2009-01-23 11:57 <DIR> d-------- c:\program files\Microsoft.NET
2009-01-23 11:54 . 2009-01-23 11:55 <DIR> d-------- c:\windows\SHELLNEW
2009-01-23 11:54 . 2009-01-23 23:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-23 11:53 . 2009-01-23 11:53 <DIR> dr-h----- C:\MSOCache
2009-01-23 11:43 . 2009-01-23 11:43 <DIR> d-------- c:\program files\IrfanView

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 23:42 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-01-24 23:41 --------- d-----w c:\documents and settings\Administrator\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}
2009-01-17 17:54 --------- d-----w c:\program files\MSXML 4.0
2009-01-13 15:54 --------- d-----w c:\documents and settings\Administrator\Application Data\Samsung
2009-01-13 15:19 --------- d-----w c:\program files\Samsung
2009-01-13 15:00 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-13 14:58 5,632 ----a-w c:\windows\system32\drivers\StarOpen.sys
2009-01-13 14:57 --------- d-----w c:\program files\DIFX
2009-01-13 14:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-30 03:21 --------- d-----w c:\documents and settings\Administrator\Application Data\Move Networks
2008-12-28 07:40 --------- d-----w c:\documents and settings\Administrator\Application Data\Apple Computer
2008-12-27 03:39 --------- d-----w c:\program files\iTunes
2008-12-27 03:39 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-27 03:38 --------- d-----w c:\program files\QuickTime
2008-12-27 03:38 --------- d-----w c:\program files\iPod
2008-12-27 03:38 --------- d-----w c:\program files\Common Files\Apple
2008-12-27 03:38 --------- d-----w c:\program files\Bonjour
2008-12-27 03:38 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-12-27 03:37 --------- d-----w c:\program files\Apple Software Update
2008-12-27 03:37 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2008-12-26 16:32 --------- d-----w c:\program files\Java
2008-12-26 16:30 --------- d-----w c:\program files\LimeWire
2008-12-26 15:56 --------- d-----w c:\program files\TorrentStorm
2008-12-23 18:19 --------- d-----w c:\documents and settings\All Users\Application Data\NOS
2008-12-23 18:18 --------- d-----w c:\program files\NOS
2008-12-23 03:52 --------- d-----w c:\program files\Netflix
2008-12-23 03:44 --------- d-----w c:\program files\Common Files\Adobe AIR
2008-12-23 03:43 --------- d-----w c:\program files\Common Files\Adobe
2008-12-23 02:52 --------- d-----w c:\documents and settings\Administrator\Application Data\Windows Search
2008-12-23 02:45 --------- d-----w c:\program files\MSXML 6.0
2008-12-23 02:11 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-23 02:10 --------- d-----w c:\program files\MSBuild
2008-12-23 02:06 --------- d-----w c:\program files\Reference Assemblies
2008-12-23 02:03 --------- d-----w c:\program files\Windows Desktop Search
2008-12-23 02:03 --------- d-----w c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2008-12-23 01:44 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-23 00:38 --------- d-----w c:\program files\Analog Devices
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-26 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-24 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-24 20560]
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5210C8C5-1BF3-4BA0-8DB1-2AA3D9A7081E} - c:\windows\system32\pmnOHXoL.dll
Notify-geBqQJYp - geBqQJYp.dll
MSConfigStartUp-94bb7e9b - c:\windows\system32\sttdtcot.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-23 12:31:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\searchindexer.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-23 12:37:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-23 17:36:42

Pre-Run: 53,025,689,600 bytes free
Post-Run: 53,373,812,736 bytes free

143 --- E O F --- 2009-01-24 04:50:37

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:27 AM, on 2/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229994217046
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre...ows-i586-jc.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5373 bytes

Edited by TheShawn, 24 February 2009 - 09:33 AM.


#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 24 February 2009 - 02:07 PM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.





Note: BitDefender Online Scan can only be used with Internet Explorer..

Let's do an online scan with BitDefender Online Scanner
  • Click on I Agree
  • Please install the Add-ons if requested
  • Click on Start Scan
  • Let it update its virus definition.. It will then automatically scan all your files and folders..
  • If infections are found, it will attempt to disinfect/delete the infection..
  • After the scan finishes, click on More Detail >>
  • Go to Detected Problems tab and click on Click here to export the scan report
  • Save the report as result.html on your Desktop. Copy the whole content of result.html and paste it in Notepad
  • Save the result in the Notepad and post the contents here in your next reply


Post these logs in your next reply..

1. Malwarebytes'
2. BitDefender



#7 TheShawn
  • Topic Starter

  • Members
  • 12 posts

Posted 25 February 2009 - 07:15 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1802
Windows 5.1.2600 Service Pack 3

2/25/2009 6:10:21 PM
mbam-log-2009-02-25 (18-10-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 93946
Time elapsed: 37 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\tisojrtl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF093B3B-CE8D-4E8B-B840-DE8F38450C1C}\RP42\A0007716.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF093B3B-CE8D-4E8B-B840-DE8F38450C1C}\RP42\A0007717.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EF093B3B-CE8D-4E8B-B840-DE8F38450C1C}\RP43\A0007730.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


BitDefender Online Scanner

Scan report generated at: Wed, Feb 25, 2009 - 18:51:59

Scan path: C:\;D:\;E:\;

Statistics
Time: 00:34:20
Files: 124384
Folders: 4430
Boot Sectors: 0
Archives: 1480
Packed Files: 5318

Results
Identified Viruses: 0
Infected Files: 0
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 2684461
Engine build: AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins: 17
Archive plugins: 45
Unpack plugins: 7
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
No virus found.

#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 25 February 2009 - 08:38 PM

Looks good to me.. Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware



Read these links about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm



Please reply to this thread once more and tell us about the computer behaviour before we can close this thread.



Have a safe and happy computing day!


Regards
fenzodahl512



#9 TheShawn
  • Topic Starter

  • Members
  • 12 posts

Posted 27 February 2009 - 10:02 AM

Everything is looking good. Thank you very much for your help; it is greatly appreciated.



