Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Spyware, Browswer Hijack, Registry Denial, Setting Changed


  • Please log in to reply
1 reply to this topic

#1 ephedrine

ephedrine

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:41 AM

Posted 18 February 2009 - 03:54 PM

Been trying to remove some spyware and can't get any specifics as to what it is but the problems are of the general malware ilk. Broswer mods, Registry Denial, Automatic Updates are off and can't be turned on, the whole shebang.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 14:48:50.85 on 2009-02-18
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2331 [GMT -6:00]

AV: avast! antivirus 4.8.1229 [VPS 080924-1] *On-access scanning disabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\acs.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ASUS\Drive Xpert\SteelVine.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ASUS\Six Engine\SixEngine.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\VDOTool\TBPanel.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\ZyXEL\M-302\M-302.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\SearchProtocolHost.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [Free Download Manager] "c:\program files\free download manager\fdm.exe" -autorun
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [WinSys2] c:\windows\system32\winsys2.exe
mRun: [Six Engine] "c:\program files\asus\six engine\SixEngine.exe" -r
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [TBPanel] c:\program files\vdotool\TBPanel.exe /A
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Qtoyonuso] rundll32.exe "c:\windows\urutilar.dll",e
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelm~1.lnk - c:\program files\zyxel\m-302\WLACU.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221181671609
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\zn9vbez4.default\
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\zn9vbez4.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\zn9vbez4.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: XUL Cache: {4BAD0D31-6FCF-4217-A1BB-A8C752E64DF6} - c:\documents and settings\administrator\local settings\application data\{4BAD0D31-6FCF-4217-A1BB-A8C752E64DF6}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-6-10 150568]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-26 78416]
R2 57xx SteelVine Manager;57xx SteelVine;c:\program files\asus\drive xpert\SteelVine.exe [2008-5-29 1286144]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-26 20560]
R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2008-7-26 8440]
R3 AR5513;ZyXEL M-302 802.11b/g Wireless PCI Adapter Service;c:\windows\system32\drivers\ar5513.sys [2008-10-30 358464]
S1 f90cf685;f90cf685;c:\windows\system32\drivers\f90cf685.sys [2009-2-16 0]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-7-26 147640]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-7-26 250040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-7-26 348344]
S3 cpuz130;cpuz130;\??\c:\docume~1\admini~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admini~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-8-26 36864]

=============== Created Last 30 ================

2009-02-18 14:19 <DIR> --d----- C:\cmdcons
2009-02-18 14:18 161,792 a------- c:\windows\SWREG.exe
2009-02-18 14:18 98,816 a------- c:\windows\sed.exe
2009-02-17 19:10 <DIR> --d----- c:\program files\EA GAMES
2009-02-17 19:10 442,368 a----r-- c:\windows\system32\vp6vfw.dll
2009-02-17 19:07 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
2009-02-17 19:07 <DIR> --d----- c:\program files\MagicDisc
2009-02-17 16:10 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-17 01:57 <DIR> --d----- c:\program files\CCleaner
2009-02-17 01:35 61,440 a------- c:\windows\system32\drivers\tngdxnxr.sys
2009-02-16 14:38 133,632 a------- c:\windows\urutilar.dll
2009-02-16 14:26 0 a------- c:\windows\system32\drivers\f90cf685.sys
2009-02-16 14:26 26,624 a------- C:\xyephkl.exe
2009-02-16 14:26 2 a------- C:\-468917793
2009-02-15 00:50 2,204 a------- c:\windows\csfvdkgb
2009-02-15 00:50 303,104 a------- c:\windows\system32\fccyYoNE.dll.vir
2009-02-14 15:13 0 a------- c:\windows\PowerReg.dat
2009-02-14 14:56 <DIR> --d----- C:\NeverwinterNights
2009-02-02 19:55 <DIR> --d----- c:\program files\Native Instruments
2009-02-01 02:03 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-01-25 15:48 <DIR> --d----- c:\windows\NV16803540.TMP

==================== Find3M ====================

2009-02-17 01:35 4,306 a------- c:\program files\wihixt.txt
2009-02-11 10:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 10:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-09 17:39 717,296 a------- c:\windows\system32\drivers\sptd.sys
2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-10 09:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-04 09:28 24,344 a------- c:\windows\system32\PhysXDevice.dll
2008-11-26 08:55 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-11-25 08:38 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2008-11-21 15:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 15:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 15:47 129,784 a------- c:\windows\system32\pxafs.dll
2008-11-21 15:47 120,056 a------- c:\windows\system32\pxcpyi64.exe
2008-11-21 15:47 118,520 a------- c:\windows\system32\pxinsi64.exe
2008-11-21 15:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 15:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-09-12 01:03 22,328 a------- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2006-06-23 00:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 14:49:09.65 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:41 PM

Posted 24 February 2009 - 01:12 PM

Hello Ephedrine and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users