Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected w/Small.24576.BQ and Exploit.Bytverify.5


  • Please log in to reply
1 reply to this topic

#1 steve058

steve058

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:52 AM

Posted 21 March 2009 - 01:04 PM

Hello,
AVSCAN removed Small.24576.BQ and Exploit.Bytverify.5, but windows explorer is behaving oddly. Its sluggish, and the icons on the desktop seem to
refresh occasionally.
Previously I had to re-install the msiexec when I had trouble installing and removing software, and found an randomly named registry key in the 'run' folder that I had to delete from safe mode.

Thanks for your help!

Here is the DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by steve at 21:47:36.37 on Fri 03/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
AV: AntiVir Desktop *On-access scanning enabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [googletalk] "c:\program files\google\google talk\googletalk.exe" /autostart
uRun: [Srts] "c:\windows\system32\curity~1\smss.exe" -vt ndrv
uRun: [\\Chickadee\EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiaia.exe /p42 "\\chickadee\EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /M "Stylus Photo R220" /EF "HKCU"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [gStart] c:\garmin\gStart.exe
uRun: [Radio365Agent] c:\progra~1\live365\radio365\Radio365TrayAgent.exe
uRun: [Google Update] "c:\documents and settings\steve\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [atwtusb] atwtusb.exe beta
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\steve\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkvmon~1.lnk - c:\program files\nikon\nkview6\NkvMon.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} - hxxps://www.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: urqOGASl - urqOGASl.dll
Notify: vtUnlMdB - vtUnlMdB.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: {68a91f35-47db-44d7-9d28-e67984e6dd79} - c:\windows\system32\vtUnlMdB.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {C99C6BD3-FC58-4545-889A-32FCECD32DF0} - c:\documents and settings\steve\local settings\application data\{C99C6BD3-FC58-4545-889A-32FCECD32DF0}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-20 16:19 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-19 14:17 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-19 09:24 55,640 -------- c:\windows\system32\drivers\avgntflt.sys
2009-03-19 09:23 <DIR> --d----- c:\program files\Avira
2009-03-19 09:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-19 08:56 138,384 -------- c:\windows\system32\drivers\tmcomm.sys
2009-03-19 08:56 <DIR> --d----- c:\docume~1\steve\applic~1\HouseCall 6.6
2009-03-18 20:49 190,696 -------- c:\windows\system32\NPSWF32_FlashUtil.exe
2009-03-18 20:49 2,463,976 -------- c:\windows\system32\NPSWF32.dll
2009-03-18 20:47 <DIR> --d----- c:\program files\Bonjour
2009-03-18 20:36 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-03-18 18:35 <DIR> --d----- c:\program files\MagicISO
2009-03-18 09:23 107,272 -------- c:\windows\system32\drivers\avgtdix.sys
2009-03-18 09:23 10,520 -------- c:\windows\system32\avgrsstx.dll
2009-03-18 09:23 325,128 -------- c:\windows\system32\drivers\avgldx86.sys
2009-03-18 09:23 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-18 09:23 <DIR> --d----- c:\program files\AVG
2009-03-13 16:41 <DIR> --d----- c:\program files\uTorrent
2009-03-13 16:41 <DIR> --d----- c:\docume~1\steve\applic~1\uTorrent
2009-03-07 21:53 54,156 ----h--- c:\windows\QTFont.qfn
2009-03-07 21:53 1,409 -------- c:\windows\QTFont.for
2009-03-07 19:44 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{6608A0E1-0C61-456E-A008-C750B4A10DB0}
2009-03-06 22:16 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{DC2804F2-3E82-41F7-A60C-AA8B81F187FE}
2009-03-06 22:08 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{5A88D062-AE6E-4A1F-B2FF-30CF219FE6C6}

==================== Find3M ====================

2009-01-05 15:33 3,751,995 -------- c:\windows\system32\GPhotos.scr
2009-01-03 08:58 134,144 -------- c:\windows\ubidoqen.dll
2008-05-21 18:08 5,120 a------- c:\documents and settings\steve\ConsoleApplication1.exe
2007-08-04 20:51 2,492 a------- c:\docume~1\steve\applic~1\ViewerApp.dat
2008-10-09 08:13 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100920081010\index.dat
2007-04-23 08:01 10,185,760 ---sh--- c:\windows\system32\drivers\fidbox.dat
2007-04-23 08:01 219,168 ---sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 21:49:59.85 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:05:52 PM

Posted 24 March 2009 - 05:00 PM

Hello Steve058 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

If ComboFix does run it's full circle, the please try to install Avira Antivir as well, update and run a full system scan.

Greetings,
ThunderHello Threeplus10 and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :)

If you have any questions along the way, STOP and ask them before proceeding !!

If ComboFix does run it's full circle, the please try to install Avira Antivir as well, update and run a full system scan.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users