HJT log


This topic is locked
18 replies to this topic

#1 pabloron

pabloron

  • Members
  • 10 posts

Posted 07 March 2009 - 07:22 PM

Hello,

Attached is the HiJackThis log from my infected PC. The dds.scr did not produce any logs after 15 minutes, I assume because of the virus. FYI I ran a Kaspersky full scan and it did not detect the virus, but I am definitely being redirected from FF Google searches, especially when searching HijackThis (would not allow my browser to visit that site at all).

Thanks in advance for your help.

Paul

Attached Files




#2 pabloron

pabloron
  • Topic Starter

  • Members
  • 10 posts

Posted 13 March 2009 - 12:02 AM

What use is this forum if nobody responds after five days?!?

#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 19 March 2009 - 09:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 pabloron

pabloron
  • Topic Starter

  • Members
  • 10 posts

Posted 20 March 2009 - 12:56 AM

Hello,

I think that I got everything cleared up, but am including these logs just in case you see something that I don't...

Thanks for your help.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Pablo at 22:45:00.79 on Thu 03/19/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2295 [GMT -7:00]

AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated)
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\Program Files\QuickBooks\qbw32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox Version 3\firefox.exe
C:\Documents and Settings\Pablo\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [QuickenScheduledUpdates] "c:\program files\quicken\bagent.exe"
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [AcronisTimounterMonitor] "c:\program files\acronis\trueimagehome\TimounterMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [BlackBerryAutoUpdate] "c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe" /background
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\iaanotif.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab
DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - hxxp://moneycentral.msn.com/cabs/pmupd806.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} - hxxps://timetracking.quickbooks.com/ocx/tts/TimeTrackingV2.ocx
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~2\kasper~1\mzvkbd.dll,c:\progra~1\kasper~2\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~2\kasper~1\adialhk.dll,c:\progra~1\kasper~2\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pablo\applic~1\mozilla\firefox\profiles\713mj4ae.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com.my/search?q=
FF - component: c:\documents and settings\pablo\application data\mozilla\firefox\profiles\713mj4ae.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
FF - plugin: c:\program files\adobe\adobe acrobat 7.0\acrobat\browser\nppdf32.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;c:\windows\system32\drivers\SSFS0BB8.sys [2007-8-17 20280]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-2-25 29808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-3-12 226832]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe [2008-11-11 206088]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\quickb~1\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\quickb~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-2-25 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-3-17 1178728]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 DeltaCopyService;DeltaCopy Server;"c:\program files\rsync_for_windows\deltacopy\dcservce.exe" --> c:\program files\rsync_for_windows\deltacopy\DCServce.exe [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sandra\sisoftware sandra lite 2009\rpcagentsrv.exe --> c:\program files\sandra\sisoftware sandra lite 2009\RpcAgentSrv.exe [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\mssql.3\reporting services\reportserver\bin\ReportingServicesService.exe [2008-12-18 13656]

=============== Created Last 30 ================

2009-03-17 18:59 <DIR> --d----- c:\program files\msn gaming zone
2009-03-17 15:06 <DIR> --d----- c:\docume~1\pablo\applic~1\Desktopicon
2009-03-17 14:39 23,392 a------- c:\windows\system32\nscompat.tlb
2009-03-17 14:39 16,832 a------- c:\windows\system32\amcompat.tlb
2009-03-17 14:38 <DIR> --d----- c:\windows\system32\CatRoot2
2009-03-17 14:33 0 a------- c:\windows\win.ini
2009-03-17 14:33 0 a------- c:\windows\system.ini
2009-03-17 14:31 <DIR> --d----- C:\!KillBox
2009-03-17 12:31 1,553,784 a------- c:\windows\WRSetup.dll
2009-03-17 12:31 <DIR> --d----- c:\program files\Webroot
2009-03-17 12:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Webroot
2009-03-17 12:31 164 a------- c:\windows\install.dat
2009-03-17 12:31 <DIR> --d----- c:\docume~1\pablo\applic~1\Webroot
2009-03-17 09:44 <DIR> --d----- c:\program files\ProcessExplorer
2009-03-17 09:26 <DIR> --d----- c:\program files\common files\xing shared
2009-03-17 09:17 2,148 a------- c:\windows\system32\wpa.dbl
2009-03-17 08:41 1,033,728 a------- c:\windows\explorer.bak
2009-03-16 23:43 1,875 a------- c:\windows\system32\%LocalXml%
2009-03-13 17:51 <DIR> --d----- c:\program files\New Folder
2009-03-13 16:11 2,077,424 a------- c:\windows\WindowsXP-KB894391-x86-ENU.exe
2009-03-13 10:43 <DIR> --d----- c:\program files\RealPlayer
2009-03-13 07:53 <DIR> --d----- c:\program files\Microsoft Internet Explorer 7
2009-03-12 22:50 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-03-12 22:50 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-03-12 22:49 75,199,520 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-12 22:49 1,663,008 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-03-12 22:49 590,672 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-12 22:49 7,812 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-03-12 22:49 <DIR> --d----- c:\program files\Kaspersky Lab
2009-03-12 20:28 <DIR> --d----- C:\cmdcons
2009-03-12 20:26 161,792 a------- c:\windows\SWREG.exe
2009-03-12 20:26 98,816 a------- c:\windows\sed.exe
2009-03-12 20:26 <DIR> --d----- C:\ComboFix
2009-03-12 20:25 <DIR> --d----- c:\program files\ComboFix
2009-03-12 18:04 <DIR> --d----- c:\docume~1\pablo\applic~1\Malwarebytes
2009-03-12 18:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-12 18:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-12 18:04 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-12 18:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-12 18:00 <DIR> --d----- c:\program files\Trojan Remover
2009-03-12 16:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-03-09 22:00 574 a------- C:\cleanup.bat
2009-03-09 21:13 61,224 a------- c:\documents and settings\pablo\GoToAssistDownloadHelper.exe
2009-03-09 16:43 <DIR> --d----- c:\program files\FreeDOS
2009-03-09 10:01 <DIR> --d----- c:\program files\AntiVirus
2009-03-09 08:41 <DIR> --d----- c:\program files\Ccleaner
2009-03-09 08:40 <DIR> --d----- c:\program files\AVG
2009-02-25 20:31 <DIR> --d----- c:\windows\system32\XPSViewer
2009-02-25 20:30 14,048 -------- c:\windows\system32\spmsg2.dll
2009-02-25 20:28 <DIR> --d----- c:\program files\VIDEO_CONVERTER_MOV
2009-02-25 15:24 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-18 09:52 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-03-17 09:26 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-12 22:54 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-02-25 15:24 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-02-25 15:24 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-02-16 09:21 100,144 a------- c:\documents and settings\pablo\DimdimSetup.exe
2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 04:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-30 07:14 16 ----h--- c:\documents and settings\pablo\SyncToy_7e193949-f4ce-4157-8ecd-7ae7dd4227bf.dat
2008-12-29 22:05 49,152 a------- c:\windows\system32\DirSize.dll
2006-08-24 13:27 33,408 -------- c:\documents and settings\pablo\g2mdlhlpx.exe
2006-03-28 17:06 273,008 -------- c:\docume~1\pablo\applic~1\GDIPFONTCACHEV1.DAT
2005-05-13 18:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 12:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 22:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-10-07 20:14 308,224 a--shr-- c:\windows\system32\avisynth.dll
2005-07-14 13:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 16:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 23:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2006-04-27 11:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 14:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2008-08-02 08:44 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080220080803\index.dat

============= FINISH: 22:47:25.82 ===============

Attached Files



#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 20 March 2009 - 10:35 AM

Hello.

Glad you got it sorted out; however, I do see some items that need to be dealt with and things that require your attention.

1) You have 2 AV programs installed.
2) Some Windows files were attempted to be replaced or modified.
3) There are some other house-work and things that need to be removed.


2 Anti-virus/Firewall Programs Running Simultaneously Warning

I do not recommend that you have more than one anti virus or firewall product installed and running on your computer at a time. In addition to wasting resources, if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove either Webroot Spy Sweeper or Kaspersky Internet Security.

Please uninstall them until you are only running one antivirus using Add/Remove Programs.


Run Sfc /Scannow to Repair System Files

Some Windows files were trying to be replaced, so it would be best if you would run sfc /scannow to restore them if there are any that need to be restored.

I would suggest you follow this excellent tutorial from Usasma on repairing system files:
http://www.bleepingcomputer.com/forums/t/43051/how-to-use-sfcexe-to-repair-system-files/

Let's run MBAM and see if it can remove anything; if not, we will remove the rest manually.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

Post back with:
-MBAM log
-New DDS logs
-GMER log
-Any more problems?


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
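As an added illustration (not part of the thread, and not DDS or BleepingComputer code), a small Python triage helper that reads the DDS report format quoted above and flags the cues the responders picked out by eye: more than one AV product, orphaned "No File" entries, files carrying both the hidden and system attributes, and DLLs registered under AppInit_DLLs. The sample lines are a constructed excerpt in the shape of the log above, and the meaning of the attribute letters (s = system, h = hidden) is an assumption about the DDS format.

```python
"""Triage helper for the DDS report format seen in this thread (added example, not DDS code)."""
import re

# Constructed excerpt in the shape of the DDS log posted above (a few lines from each section).
SAMPLE_LOG = r"""
AV: Webroot Spy Sweeper *On-access scanning disabled* (Updated)
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
AppInit_DLLs: c:\progra~1\kasper~2\kasper~1\mzvkbd.dll,c:\progra~1\kasper~2\kasper~1\kloehk.dll
LSA: Authentication Packages = msv1_0 relog_ap

=============== Created Last 30 ================

2009-03-17 18:59 <DIR> --d----- c:\program files\msn gaming zone
2009-03-16 23:43 1,875 a------- c:\windows\system32\%LocalXml%
2009-03-12 22:49 75,199,520 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-12 18:04 15,504 a------- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2005-05-13 18:12 217,073 a--shr-- c:\windows\meta4.exe
2005-06-26 16:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
"""

# "<date> <time> <size or <DIR>> <8 attribute flags> <path>", as in the Created Last 30 / Find3M sections.
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{8})\s+(.+)$"
)


def parse_file_entries(text):
    """Yield (timestamp, size in bytes or None for directories, attribute flags, path) per file line."""
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        stamp, size, attrs, path = m.groups()
        size_val = None if size == "<DIR>" else int(size.replace(",", ""))
        yield stamp, size_val, attrs, path


def triage(text):
    """Return the review cues the responders in the thread picked out by eye."""
    findings = {
        "multiple_av": [],    # more than one AV product reporting to Security Center
        "orphaned": [],       # hooks/BHOs/toolbars whose file is gone ("No File")
        "hidden_system": [],  # files carrying both the system and hidden attributes
        "odd_names": [],      # an unexpanded %VAR% used as a file name
        "appinit_dlls": [],   # DLLs loaded into every process via AppInit_DLLs
    }
    av_products = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AV: "):
            # "AV: <product> *state* (Updated)": the product name precedes the first '*'
            name = line[4:].split("*", 1)[0].strip()
            if name not in av_products:
                av_products.append(name)
        elif line.endswith("- No File"):
            findings["orphaned"].append(line)
        elif line.startswith("AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].split(",")
            findings["appinit_dlls"].extend(d.strip() for d in dlls if d.strip())
    if len(av_products) > 1:
        findings["multiple_av"] = av_products

    # Assumption about the flag field: 's' = system, 'h' = hidden, 'r' = read-only.
    for _stamp, size, attrs, path in parse_file_entries(text):
        if size is None:  # directories carry no size; skip them
            continue
        if "s" in attrs and "h" in attrs:
            # Legitimate products (AV engines included) also use hidden system files,
            # so this is a cue to look at the file, not a verdict.
            findings["hidden_system"].append(path)
        if "%" in path.rsplit("\\", 1)[-1]:
            findings["odd_names"].append(path)
    return findings


def report(findings):
    """Render the findings as plain text lines suitable for a reply."""
    lines = []
    if findings["multiple_av"]:
        lines.append("Multiple AV products: " + ", ".join(findings["multiple_av"]))
    for key, label in (("orphaned", "Orphaned entry"), ("hidden_system", "Hidden+system file"),
                       ("odd_names", "Odd file name"), ("appinit_dlls", "AppInit DLL")):
        lines.extend(f"{label}: {item}" for item in findings[key])
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```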

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 23 March 2009 - 03:24 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding. :thumbup2:

With Regards,
Extremeboy

#7 pabloron

pabloron
  • Topic Starter

  • Members
  • 10 posts

Posted 23 March 2009 - 03:28 PM

Hello,

I am indeed still here, but can't access that computer (I'm in another state for a few days). I left it running mbex, and will send the results the moment that I return (probably tomorrow).

Thanks tons for your help.

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 23 March 2009 - 08:03 PM

Hello.

Okay, that's all I wanted to know.

Thanks for the update and I will see you tomorrow hopefully then.

With Regards,
Extremeboy

#9 pabloron

pabloron
  • Topic Starter

  • Members
  • 10 posts

Posted 24 March 2009 - 06:49 PM

I have completed all suggested steps except for scannow (waiting for OS disk from DELL). All other files are attached.

Thank you so much for your assistance.
Paul

Attached Files



#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 24 March 2009 - 07:30 PM

Hello :)

I have completed all suggested steps except for scannow (waiting for OS disk from DELL). All other files are attached.

:thumbup2: Let me know once you get the OS disk and perform the sfc /scannow.

GMER log, MBAM log, DDS log all look fine.

Attach log looks 'okay' because there is some housework we can do and cleanup.

Removing Programs using Add/Remove

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":


J2SE Development Kit 5.0 Update 17
J2SE Runtime Environment 5.0 Update 17
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 5
Java™ SE Runtime Environment 6
Java™ SE Runtime Environment 6 Update 1


Additional instructions can be found here if needed.

Please run an online scan for me now.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:
    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Kaspersky log
-New DDS logs
-How's your computer so far?

With Regards,
Extremeboy

#11 pabloron

pabloron
  • Topic Starter

  • Members
  • 10 posts

Posted 25 March 2009 - 08:41 PM

Hi - Kaspersky came back clean. The only other weirdness that I can detect presently is that the little Windows Security Alert icon says that Kaspersky is not running when it is. Or sometimes it says that Kaspersky is out of date when it is not. I noticed that the gmer program also showed that the Kaspersky date/time stamp didn't match. So I was concerned about those things. Otherwise, it seems clean.

Thank you,
Paul

Attached Files

#12 pabloron
  • Topic Starter
  • Members
  • 10 posts

Posted 25 March 2009 - 10:58 PM

There's more:

When I reinstalled Kaspersky (had to uninstall to get the online scan to run), a svchost.exe application error came up and said that the "memory could not be written". Then, I tried doing a quick scan with Kaspersky (after the online scan) and it got stuck at 1% on firefox.exe/uxtheme.dll.

I don't know if these are significant or not, but thought I would include them just in case.

Thanks,
Paul

#13 pabloron
  • Topic Starter
  • Members
  • 10 posts

Posted 25 March 2009 - 11:23 PM

Then I had to shut down because Kaspersky never got past that firefox dll, and when I started back up there was a generic host data execution prevention error, but the Kaspersky quick scan ran fine and came back clean. So maybe it is just Windows problems, and maybe it is malware??

Edited by pabloron, 25 March 2009 - 11:35 PM.

#14 extremeboy
  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 26 March 2009 - 02:42 PM

Hello.

That was why I recommended running sfc /scannow once you get the XP disk; there seem to be a few modifications from before, and just to be safe, running that command will make sure of it.

The malware that was on your computer seems to be removed now, but it may have damaged your computer. Could you give me the EXACT code or message on startup? A screenshot with the message is also okay. I want to make sure that error is not related to the malware so we can move you to another forum to do further diagnosis.

With Regards,
Extremeboy

#15 pabloron
  • Topic Starter
  • Members
  • 10 posts

Posted 27 March 2009 - 02:33 PM

OK, finally got the disk from DELL and ran scannow, and it didn't change anything at all. I restarted and received the same generic host error data execution prevention messages (see attached).

The second attachment (DEP2.jpg) has a date and time - it's weird because the date and time are from yesterday even though the boxes popped up just now. So I looked in the event viewer log for anything that corresponds to that time or now. The closest from yesterday's time is:

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 3/26/2009
Time: 3:13:32 PM
User: N/A
Computer: SATTVA
Description:
Faulting application , version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 20 30 2e ure 0.
0018: 30 2e 30 2e 30 20 69 6e 0.0.0 in
0020: 20 75 6e 6b 6e 6f 77 6e unknown
0028: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0030: 20 61 74 20 6f 66 66 73 at offs
0038: 65 74 20 30 30 30 30 30 et 00000
0040: 30 30 30 000

And then from today when I restarted, there were two more application errors:

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1004
Date: 3/27/2009
Time: 12:19:36 PM
User: N/A
Computer: SATTVA
Description:
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0028: 20 69 6e 20 75 6e 6b 6e in unkn
0030: 6f 77 6e 20 30 2e 30 2e own 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000

Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1001
Date: 3/27/2009
Time: 12:23:50 PM
User: N/A
Computer: SATTVA
Description:
Fault bucket 00536409.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 30 30 35 33 36 34 30 39 00536409
0010: 0d 0a ..
There was also this system error:

Event Type: Error
Event Source: MRxSmb
Event Category: None
Event ID: 8003
Date: 3/27/2009
Time: 12:29:08 PM
User: N/A
Computer: SATTVA
Description:
The master browser has received a server announcement from the computer PETAL that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B7624D50-00E3-4254-A4F. The master browser is stopping or an election is being forced.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 03 00 4e 00 ......N.
0008: 00 00 00 00 43 1f 00 c0 ....C..
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Attached Files

  • Attached File  DEP.jpg   20.92KB   2 downloads
  • Attached File  DEP2.jpg   26.86KB   3 downloads
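As an added example (not part of this thread), a small Python parser for entries pasted in the Event Viewer text format shown above: it recovers the header fields, decodes the hex column of the Data block to confirm it is just the description re-encoded, and notes that a "faulting module unknown" record at address 0x00000000 gives no code location to chase from the log alone. The sample entry is a constructed, trimmed copy of the svchost.exe event quoted in the post.

```python
import re

# Constructed sample in the Windows XP Event Viewer copy/paste format (header lines trimmed).
SAMPLE = """Event Source: Application Error
Event ID: 1004
Date: 3/27/2009
Description:
Faulting application svchost.exe, version 0.0.0.0, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 73 76 63 ure svc
0018: 68 6f 73 74 2e 65 78 65 host.exe
0020: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0028: 20 69 6e 20 75 6e 6b 6e in unkn
0030: 6f 77 6e 20 30 2e 30 2e own 0.0.
0038: 30 2e 30 20 61 74 20 6f 0.0 at o
0040: 66 66 73 65 74 20 30 30 ffset 00
0048: 30 30 30 30 30 30 000000
"""

FAULT_RE = re.compile(r"Faulting application (\S*), version [\d.]+, faulting module (\S+), version [\d.]+, fault address (0x[0-9a-fA-F]+)")

def parse_event(text):
    """Split one pasted entry into header fields, its description line and the raw Data bytes."""
    event, data, section = {}, bytearray(), "header"
    for line in text.splitlines():
        if line.startswith(("Description:", "Data:")):
            section = line[:-1].lower()
        elif section == "header" and ": " in line:
            key, value = line.split(": ", 1); event[key] = value.strip()
        elif section == "description" and line.strip():
            event.setdefault("description", line.strip())   # first line only; fwlink boilerplate ignored
        elif section == "data" and re.match(r"^[0-9a-fA-F]{4}:", line):
            for tok in line.split()[1:9]:                   # at most 8 hex bytes follow the offset
                if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                    break                                    # reached the ASCII rendering column
                data.append(int(tok, 16))
    event["data_text"] = data.decode("ascii", "replace")
    return event

def triage(event):
    """Extract the fault fields; 'attributable' is False when the log names no module or address."""
    m = FAULT_RE.search(event.get("description", ""))
    if not m:
        return None                                          # e.g. a "Fault bucket" (ID 1001) record
    app, module, addr = m.groups()
    return {"application": app, "module": module, "address": addr,
            "attributable": not (module == "unknown" and int(addr, 16) == 0),
            "data_matches": bool(app) and app in event["data_text"]}   # Data is the description re-encoded
```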