
Unknown Malware Infection


  • This topic is locked
12 replies to this topic

#1 Matt-P

Matt-P

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:38 AM

Posted 26 March 2009 - 05:46 PM

Hi guys

I seem to have some kind of infection. I originally noticed it when I couldn't run an update on Windows, Ad-Aware, McAfee or even check my email. I ran Ad-Aware in the hope of finding something but obviously (with hindsight) to no avail.

I trawled the forums and read about numerous other things to try including MalwareBytes, SuperSpyCatcher, Avast, CCleaner etc. which all seemed to find different things... but only low level adware - nothing nasty - and still I couldn't do updates.

I went onto an online virus checker (Trend Micro Housecall), which wouldn't run either. I then downloaded a copy of Trend Micro and ran it in safe mode - this managed to find numerous trojans and other nasties... but my updating etc. still isn't working, so it doesn't seem to have got to the root of the problem.

I have been trying to sort this out for days now and it is driving me mad. I am on the verge of reformatting, so hoping you can help.

Any advice will be greatly received. I have not posted to any other forum and will not until I have received help from yourselves.

I have attached the DDS log and also the HiJackThis logs, if they are of any help.

Thanks in advance!!

DDS (Ver_09-03-16.01) - NTFSx86
Run by Matt at 22:21:02.55 on 26/03/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3069.1285 [GMT 0:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kontiki\KService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OL\TMAS_OL.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Matt\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6080926
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\users\matt\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Cate%20West%20-%20The%20Vanishing%20Files/Images/stg_drm.ocx
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.euro.dell.com/systemprofiler/SysProExe.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli DPPWDFLT

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-26 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-3-25 145424]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_238116a1\AEstSrv.exe [2008-9-26 73728]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-5 1168632]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-3-25 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-3-25 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-3-25 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-3-25 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-3-25 256528]
R2 Webcamera Plus Service;Webcamera Plus Service;c:\program files\ateksoft\webcamera plus\WebCamPlusSrv.exe [2008-10-4 46592]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2008-10-4 11776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-9-26 475136]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-9-25 29736]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-9-26 54784]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-9-26 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-9-26 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-9-18 277440]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-1-2 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2009-1-2 3768]
S2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iwintrusted.exe --> c:\program files\iwin games\iWinTrusted.exe [?]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2009-1-2 200704]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-11 369688]

=============== Created Last 30 ================

2009-03-26 21:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-26 21:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 21:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 20:20 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-26 19:51 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 19:51 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 00:56 <DIR> --d----- c:\windows\system32\Service
2009-03-25 23:36 <DIR> --d----- c:\programdata\Trend Micro
2009-03-25 23:36 <DIR> --d----- c:\progra~2\Trend Micro
2009-03-25 23:30 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-03-25 23:30 256,528 a------- c:\windows\system32\drivers\tmwfp.sys
2009-03-25 23:30 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-03-25 23:30 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-25 23:30 145,424 a------- c:\windows\system32\drivers\tmlwf.sys
2009-03-25 23:30 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-03-25 23:30 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-25 23:30 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-03-25 23:30 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-03-25 23:14 <DIR> --d----- c:\users\matt\.housecall6.6
2009-03-25 23:08 <DIR> --d----- c:\program files\Trend Micro
2009-03-25 22:04 <DIR> --d----- c:\programdata\Yahoo! Companion
2009-03-25 22:04 <DIR> --d----- c:\program files\Yahoo!
2009-03-25 22:04 <DIR> --d----- c:\program files\CCleaner
2009-03-25 20:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-25 20:08 <DIR> --d----- c:\program files\MB Anti-M
2009-03-25 00:07 <DIR> --d----- c:\program files\Lavasoft
2009-03-24 19:27 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-03-24 19:27 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-24 19:27 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-03-24 18:37 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-03-24 18:37 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-03-24 18:37 <DIR> --d----- c:\users\matt\appdata\roaming\SUPERAntiSpyware.com
2009-03-24 18:37 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-23 21:54 <DIR> --d----- c:\users\matt\appdata\roaming\Malwarebytes
2009-03-23 21:54 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-23 21:54 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-22 15:02 <DIR> --d----- c:\programdata\FLEXnet
2009-03-22 12:20 <DIR> --d----- c:\users\matt\appdata\roaming\Serif
2009-03-22 12:17 <DIR> --d----- c:\program files\AskBarDis
2009-03-22 12:17 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-22 12:10 21,008 -------- c:\windows\system32\Ctl3d.dll
2009-03-22 12:10 <DIR> --d----- c:\program files\Serif
2009-03-22 11:33 <DIR> --d----- c:\program files\wordpress
2009-03-21 23:12 <DIR> --d--r-- c:\program files\Skype
2009-03-19 20:20 <DIR> --d----- c:\users\matt\appdata\roaming\The Creative Assembly
2009-03-18 20:26 <DIR> --d----- c:\users\matt\appdata\roaming\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-03-18 20:26 <DIR> --d----- c:\program files\TweetDeck
2009-03-18 19:47 <DIR> --d----- c:\program files\common files\Steam
2009-03-18 19:47 <DIR> --d----- c:\program files\Steam
2009-03-17 23:39 <DIR> --d----- c:\users\matt\Tracing
2009-03-17 23:37 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-03-17 23:34 <DIR> --d----- c:\program files\Microsoft
2009-03-17 23:34 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-17 23:27 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-14 15:55 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-14 15:55 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-14 15:54 <DIR> --d----- c:\program files\iPod
2009-03-14 15:54 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 15:54 <DIR> --d----- c:\program files\iTunes
2009-03-14 15:54 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-11 21:21 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-11 21:21 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 21:21 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 21:21 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 21:21 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 21:21 268,288 a------- c:\windows\system32\schannel.dll
2009-03-08 19:46 <DIR> --d----- c:\users\matt\appdata\roaming\www.nerdoftheherd.com
2009-03-08 19:46 <DIR> --d----- c:\program files\Radio Downloader
2009-03-08 19:37 27,136 a------- c:\windows\system32\drivers\nchssvad.sys
2009-03-08 19:37 <DIR> --d----- c:\programdata\NCH Swift Sound
2009-03-08 19:36 <DIR> --d----- c:\program files\NCH Software
2009-03-08 18:08 <DIR> --d----- C:\Downloads
2009-03-08 18:02 <DIR> --d----- c:\users\matt\appdata\roaming\FlashGet
2009-03-08 18:01 <DIR> --d----- c:\program files\FlashGet
2009-03-08 15:16 <DIR> --d----- c:\program files\Taskbar Shuffle
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-04 23:34 <DIR> --d----- C:\Hiroshima
2009-03-04 22:11 <DIR> --d----- c:\users\matt\appdata\roaming\AVS4YOU
2009-03-04 22:11 <DIR> --d----- c:\programdata\AVS4YOU
2009-03-04 22:11 <DIR> --d----- c:\progra~2\AVS4YOU
2009-03-04 22:10 <DIR> --d----- c:\program files\common files\AVSMedia
2009-03-04 22:10 1,700,352 a------- c:\windows\system32\GdiPlus.dll
2009-03-04 22:10 974,848 a------- c:\windows\system32\mfc70.dll
2009-03-04 22:10 487,424 a------- c:\windows\system32\msvcp70.dll
2009-03-04 22:10 344,064 a------- c:\windows\system32\msvcr70.dll
2009-03-04 22:10 24,576 a------- c:\windows\system32\msxml3a.dll
2009-03-04 22:10 <DIR> --d----- c:\program files\AVS4YOU
2009-03-04 22:04 5,623,216 a------- c:\users\matt\Opera_964_en_Setup.exe
2009-03-04 21:43 <DIR> --d----- c:\program files\ExtractNow
2009-03-04 21:33 <DIR> --d----- c:\program files\UnPacker
2009-03-04 21:22 87,608 a------- c:\users\matt\appdata\roaming\inst.exe
2009-03-04 21:22 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-03-04 21:22 47,360 a------- c:\users\matt\appdata\roaming\pcouffin.sys
2009-03-02 23:40 <DIR> --d----- C:\abcc
2009-03-02 23:39 34 a---h--- c:\windows\system32\DVDRippper_sysquict.dat
2009-03-02 23:39 <DIR> --d----- c:\program files\Abcc Free MPEG4 Mp4 Video Converter
2009-03-01 17:47 <DIR> --d----- c:\program files\uTorrent
2009-03-01 17:47 <DIR> --d----- c:\users\matt\appdata\roaming\uTorrent
2009-02-24 22:46 <DIR> --d----- c:\users\matt\.gimp-1.2

==================== Find3M ====================

2009-03-26 20:20 1,660 a------- c:\windows\bthservsdp.dat
2009-03-25 23:38 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-25 23:38 51,200 a------- c:\windows\inf\infpub.dat
2009-03-25 23:38 86,016 a------- c:\windows\inf\infstor.dat
2009-02-15 21:58 5,530 a------- c:\windows\unins000.dat
2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-27 11:17 212,480 a------- c:\windows\PCDLIB32.DLL
2009-01-26 20:21 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01001.Wdf
2009-01-16 07:57 8,318,896 a------- c:\users\matt\appdata\roaming\DataSafeDotNet.exe
2009-01-15 06:11 827,392 a------- c:\windows\system32\wininet.dll
2008-10-06 19:18 230 a------- c:\users\matt\appdata\roaming\wklnhst.dat
2008-10-03 20:43 56 a---h--- c:\programdata\ezsidmv.dat
2008-10-03 20:43 56 a---h--- c:\progra~2\ezsidmv.dat
2008-09-26 08:32 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 02:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:21:52.72 ===============
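As an added example (not code from the thread, from DDS or from BleepingComputer), a small Python triage script over a constructed excerpt in the DDS log format posted above: it splits the log into its banner-delimited sections and flags the entries a helper reads first, such as "No File" orphans, IE entries that "do not exist", services DDS could not verify (the `[?]` marker) and executables or drivers created under user-writable paths. The section names, heuristics and sample lines are assumptions modelled on the log as posted, and a flag means "worth a look", not "malicious".

```python
"""Triage helper for a DDS log (constructed example, not the DDS tool's code)."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (section, reason, original log line)

# Constructed excerpt in the DDS layout seen in the thread (raw string keeps the backslashes).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
Trusted Zone: internet

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-26 64160]
S2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iwintrusted.exe --> c:\program files\iwin games\iWinTrusted.exe [?]

=============== Created Last 30 ================

2009-03-26 00:56 <DIR> --d----- c:\windows\system32\Service
2009-03-04 21:22 87,608 a------- c:\users\matt\appdata\roaming\inst.exe
2009-03-04 21:22 47,360 a------- c:\users\matt\appdata\roaming\pcouffin.sys
2009-03-11 21:21 268,288 a------- c:\windows\system32\schannel.dll

============= FINISH: 22:21:52.72 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Section Name ==="
CREATED_RE = re.compile(                                 # "Created Last 30" rows
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")
USER_WRITABLE = ("\\appdata\\", "\\users\\", "\\programdata\\", "\\temp\\")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage_hjt(lines: List[str]) -> List[Finding]:
    """Orphaned components and relaxed IE zones in the Pseudo HJT Report."""
    out: List[Finding] = []
    for line in lines:
        if line.endswith("- No File"):
            out.append(("HJT", "registered component whose file is missing (orphan)", line))
        elif "does not exist!" in line:
            out.append(("HJT", "IE extension points at a CLSID/file that is missing", line))
        elif line.startswith("Trusted Zone:"):
            out.append(("HJT", "entry in the IE Trusted Zone (lower security settings)", line))
    return out


def triage_services(lines: List[str]) -> List[Finding]:
    """Services whose image DDS could not resolve ('--> path [?]')."""
    return [("SERVICES", "service image could not be verified by DDS", line)
            for line in lines if line.endswith("[?]") or " --> " in line]


def triage_created(lines: List[str]) -> List[Finding]:
    """Recently created executables in user-writable paths and new system32 dirs."""
    out: List[Finding] = []
    for line in lines:
        row = CREATED_RE.match(line)
        if not row:
            continue
        path = row.group("path").lower()
        is_dir = row.group("size") == "<DIR>"
        if not is_dir and path.endswith(EXEC_EXT) and any(s in path for s in USER_WRITABLE):
            out.append(("CREATED", "executable/driver written to a user-writable location", line))
        elif is_dir and path.startswith("c:\\windows\\system32\\"):
            out.append(("CREATED", "new directory created under system32", line))
    return out


def triage(text: str) -> List[Finding]:
    """Run every section check and return the combined list of findings."""
    sections = split_sections(text)
    findings: List[Finding] = []
    findings += triage_hjt(sections.get("Pseudo HJT Report", []))
    findings += triage_services(sections.get("SERVICES / DRIVERS", []))
    findings += triage_created(sections.get("Created Last 30", []))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```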


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:09:38 PM

Posted 04 April 2009 - 06:59 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results; click No to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Matt-P

Matt-P
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:38 AM

Posted 05 April 2009 - 11:10 AM

Thanks Orange Blossom. Here are the updated log files:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Matt at 17:04:15.72 on 05/04/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3069.1597 [GMT 1:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated)
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_238116a1\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kontiki\KService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Ateksoft\WebCamera Plus\WebCamPlusSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Users\Matt\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\wscript.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchFilterHost.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=6080926
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
uRun: [Google Update] "c:\users\matt\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell.exe" /mode2
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\users\matt\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38e51477-ddb4-4aed-9d61-d0c193e10749}\inprocserver32 does not exist!
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Cate%20West%20-%20The%20Vanishing%20Files/Images/stg_drm.ocx
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxp://support.euro.dell.com/systemprofiler/SysProExe.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli DPPWDFLT

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-26 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-2-17 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-3-26 145424]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_238116a1\AEstSrv.exe [2008-9-26 73728]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2008-5-5 1168632]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-3-26 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-3-26 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-3-26 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-3-26 677128]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-3-26 256528]
R2 Webcamera Plus Service;Webcamera Plus Service;c:\program files\ateksoft\webcamera plus\WebCamPlusSrv.exe [2008-10-4 46592]
R3 AteksoftAudio;WebCamera Plus Audio;c:\windows\system32\drivers\ateksoftaudio.sys [2008-10-4 11776]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-9-26 475136]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-9-26 29736]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2008-9-26 54784]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-9-26 203264]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-9-26 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-9-18 277440]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-1-2 23096]
R3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2009-1-2 3768]
S2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iwintrusted.exe --> c:\program files\iwin games\iWinTrusted.exe [?]
S3 SoundMovieServer;SoundMovieServer;c:\windows\system32\snmvtsvc.exe [2009-1-2 200704]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-11 369688]

=============== Created Last 30 ================

2009-03-26 22:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-26 22:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 22:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-26 21:20 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-26 20:51 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 20:51 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-26 01:56 <DIR> --d----- c:\windows\system32\Service
2009-03-26 00:36 <DIR> --d----- c:\programdata\Trend Micro
2009-03-26 00:36 <DIR> --d----- c:\progra~2\Trend Micro
2009-03-26 00:30 1,195,512 a------- c:\windows\system32\drivers\vsapint.sys
2009-03-26 00:30 256,528 a------- c:\windows\system32\drivers\tmwfp.sys
2009-03-26 00:30 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-03-26 00:30 150,032 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-26 00:30 145,424 a------- c:\windows\system32\drivers\tmlwf.sys
2009-03-26 00:30 80,400 a------- c:\windows\system32\drivers\tmtdi.sys
2009-03-26 00:30 50,192 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-03-26 00:30 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-03-26 00:30 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-03-26 00:14 <DIR> --d----- c:\users\matt\.housecall6.6
2009-03-26 00:08 <DIR> --d----- c:\program files\Trend Micro
2009-03-25 23:04 <DIR> --d----- c:\program files\Yahoo!
2009-03-25 23:04 <DIR> --d----- c:\program files\CCleaner
2009-03-25 21:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-25 21:08 <DIR> --d----- c:\program files\MB Anti-M
2009-03-25 01:07 <DIR> --d----- c:\program files\Lavasoft
2009-03-24 20:27 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-03-24 20:27 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-24 20:27 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-03-24 19:37 <DIR> --d----- c:\programdata\SUPERAntiSpyware.com
2009-03-24 19:37 <DIR> --d----- c:\progra~2\SUPERAntiSpyware.com
2009-03-24 19:37 <DIR> --d----- c:\users\matt\appdata\roaming\SUPERAntiSpyware.com
2009-03-24 19:37 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-23 22:54 <DIR> --d----- c:\users\matt\appdata\roaming\Malwarebytes
2009-03-23 22:54 <DIR> --d----- c:\programdata\Malwarebytes
2009-03-23 22:54 <DIR> --d----- c:\progra~2\Malwarebytes
2009-03-22 16:02 <DIR> --d----- c:\programdata\FLEXnet
2009-03-22 13:20 <DIR> --d----- c:\users\matt\appdata\roaming\Serif
2009-03-22 13:17 <DIR> --d----- c:\program files\AskBarDis
2009-03-22 13:17 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-22 13:10 21,008 -------- c:\windows\system32\Ctl3d.dll
2009-03-22 13:10 <DIR> --d----- c:\program files\Serif
2009-03-22 12:33 <DIR> --d----- c:\program files\wordpress
2009-03-22 00:12 <DIR> --d--r-- c:\program files\Skype
2009-03-19 21:20 <DIR> --d----- c:\users\matt\appdata\roaming\The Creative Assembly
2009-03-18 21:26 <DIR> --d----- c:\users\matt\appdata\roaming\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-03-18 21:26 <DIR> --d----- c:\program files\TweetDeck
2009-03-18 20:47 <DIR> --d----- c:\program files\common files\Steam
2009-03-18 20:47 <DIR> --d----- c:\program files\Steam
2009-03-18 00:39 <DIR> --d----- c:\users\matt\Tracing
2009-03-18 00:37 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-03-18 00:34 <DIR> --d----- c:\program files\Microsoft
2009-03-18 00:34 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-18 00:27 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-14 16:55 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-14 16:55 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-14 16:54 <DIR> --d----- c:\program files\iPod
2009-03-14 16:54 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 16:54 <DIR> --d----- c:\program files\iTunes
2009-03-14 16:54 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-11 22:21 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-11 22:21 7,680 a------- c:\windows\system32\spwmp.dll
2009-03-11 22:21 4,096 a------- c:\windows\system32\msdxm.ocx
2009-03-11 22:21 4,096 a------- c:\windows\system32\dxmasf.dll
2009-03-11 22:21 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-03-11 22:21 268,288 a------- c:\windows\system32\schannel.dll
2009-03-08 20:46 <DIR> --d----- c:\users\matt\appdata\roaming\www.nerdoftheherd.com
2009-03-08 20:46 <DIR> --d----- c:\program files\Radio Downloader
2009-03-08 20:37 27,136 a------- c:\windows\system32\drivers\nchssvad.sys
2009-03-08 20:37 <DIR> --d----- c:\programdata\NCH Swift Sound
2009-03-08 20:36 <DIR> --d----- c:\program files\NCH Software
2009-03-08 19:08 <DIR> --d----- C:\Downloads
2009-03-08 19:02 <DIR> --d----- c:\users\matt\appdata\roaming\FlashGet
2009-03-08 19:01 <DIR> --d----- c:\program files\FlashGet
2009-03-08 16:16 <DIR> --d----- c:\program files\Taskbar Shuffle

==================== Find3M ====================

2009-04-01 23:58 1,660 a------- c:\windows\bthservsdp.dat
2009-03-26 00:38 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-26 00:38 51,200 a------- c:\windows\inf\infpub.dat
2009-03-26 00:38 86,016 a------- c:\windows\inf\infstor.dat
2009-03-08 21:00 87,608 a------- c:\users\matt\appdata\roaming\inst.exe
2009-03-08 21:00 47,360 a------- c:\users\matt\appdata\roaming\pcouffin.sys
2009-03-06 00:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-06 00:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-04 23:04 5,623,216 a------- c:\users\matt\Opera_964_en_Setup.exe
2009-03-04 22:22 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-02-15 22:58 5,530 a------- c:\windows\unins000.dat
2009-02-06 20:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 19:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-27 12:17 212,480 a------- c:\windows\PCDLIB32.DLL
2009-01-16 08:57 8,318,896 a------- c:\users\matt\appdata\roaming\DataSafeDotNet.exe
2009-01-15 07:11 827,392 a------- c:\windows\system32\wininet.dll
2008-10-06 20:18 230 a------- c:\users\matt\appdata\roaming\wklnhst.dat
2008-10-03 21:43 56 a---h--- c:\programdata\ezsidmv.dat
2008-10-03 21:43 56 a---h--- c:\progra~2\ezsidmv.dat
2008-09-26 09:32 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 03:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 17:05:19.09 ===============

Attached Files



#4 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 05 April 2009 - 06:57 PM

Hello.

Let's see what we can find. Please run GMER for me.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
    Alternate Download Site 3
  • Unzip/extract the file to its own folder. Right-Click and select Extract All...
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will now start extracting.
  • Once it is done, check (tick) the Show extracted files box and click Finish
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Right click on gmer.exe and select Run as administrator to run it. It will start running a scan.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.
  • When it's done scanning, you may receive another notice. Click OK if prompted.
  • Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If you receive no notice, click on the Scan button near the bottom.

  • It will start scanning again like before.
  • When it is done, Click on Save ... to save the log on your desktop.
    Save the log as GMER.txt when you save it on your desktop.
  • Close Gmer and copy and paste the contents of GMER.txt in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running

Post back with another DDS log and any problems you may still have.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 Matt-P

  • Topic Starter
  • Members
  • 6 posts

Posted 06 April 2009 - 09:42 AM

Initially tried running it in normal mode. It detected rootkits, but did not offer me the option of the full scan. Clicked scan, as advised... it ran the scan for a while but then stopped - "GMER.exe has stopped working" with only option to close. Last item showing as scanning before failure was \Device\Harddisk\VolumeShadowCopy1.

Rebooted and ran in safe mode. Rootkits detected again (but fewer in the list than in normal mode) - still didn't offer option of full scan. Clicked scan again. GMER ran to the same place (VolumeShadowCopy1) and then stopped working.

Unfortunately, I am unable to save the log file. Do you still want me to run a DDS again?

Kind regards,

Matt

#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 April 2009 - 02:54 PM

Hello.

That's fine. I wanted to make sure there was a rootkit involved here before bringing out some tools.

Information on rootkits.

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system, bypassing security mechanisms and stealing sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS.

Should you decide not to follow that advice, we will continue by following the directions below.

Download and Run ComboFix (Rename Before Saving)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

With Regards,
Extremeboy

#7 Matt-P

  • Topic Starter
  • Members
  • 6 posts

Posted 06 April 2009 - 04:11 PM

I tried ComboFix. It ran for a while and then just crashed... computer tried to fix itself and eventually gave up, offering a restore point. Here is the combofix log:

ComboFix 09-04-04.01 - Matt 2009-04-06 21:50:47.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.1842 [GMT 1:00]
Running from: C:\Users\Matt\Desktop\Combo-Fix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated)
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
* Created a new restore point
.

---

I think a reformat and install is in order. Not something I've ever had to do before... any advice for a format-virgin?

Thanks for all your help on this.

#8 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 April 2009 - 04:18 PM

Hello.

Good decision. I would have done the same if it was my computer.

I couldn't find a tutorial on doing a Vista format, so it would be better if you start a topic in the Windows Vista forum, where someone will guide you on how to do a format.

Windows Vista forum: http://www.bleepingcomputer.com/forums/f/72/windows-vista/

If you need to backup anything here are 2 rules.

1) Back up all your important data files, pictures, music, work etc. and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc., as they may contain traces of malware. Also, .html or .htm files that are web pages should be avoided.

Note: Some may want to be safe, wondering whether their data files are infected or not, so to make sure you should scan those files using an anti-virus scanner and an anti-malware/anti-spyware scanner, making sure they are free from malware before transferring them to your newly formatted computer. From what I have seen the results were always CLEAN, meaning they were not infected at all.

Good luck!

With Regards,
Extremeboy

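Added example, not part of extremeboy's post or of any tool named in this thread: the two backup rules above, carried out with robocopy (which ships with Vista) from a PowerShell prompt. The source and destination paths, the drive letter of the external disk and the exact list of excluded extensions are assumptions to adjust for the real machine.

```powershell
# Added example, not from the original thread: back up a user profile to an
# external drive following the two rules in the post (data only, nothing
# executable). Paths, the drive letter and the extension list are assumptions.
$Source = 'C:\Users\Matt'
$Dest   = 'E:\Backup\Matt'        # external disk, assumed mounted as E:
$Log    = Join-Path $Dest 'backup.log'

# Rule 2: no executables, scripts, Windows binaries or saved web pages.
$ExcludeFiles = @('*.exe', '*.scr', '*.com', '*.pif', '*.bat', '*.cmd',
                  '*.vbs', '*.js', '*.dll', '*.sys', '*.msi', '*.lnk',
                  '*.htm', '*.html')
# AppData holds program data rather than documents; mail stores and browser
# profiles kept there need a separate copy that is scanned before it is restored.
$ExcludeDirs  = @('AppData')

New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# /E copies subfolders, /XJ skips the profile junctions that otherwise recurse
# forever, /R and /W keep one locked file from stalling the whole run.
robocopy $Source $Dest /E /XJ /R:1 /W:1 /XF $ExcludeFiles /XD $ExcludeDirs "/LOG:$Log" /TEE

# Robocopy exit codes 0-7 are success variants; 8 and above signal failures.
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures, see $Log" }

# Verify rule 2 after the fact: nothing executable should be in the backup.
$Leaked = Get-ChildItem -Path $Dest -Recurse -Include $ExcludeFiles |
          Where-Object { -not $_.PSIsContainer }
if ($Leaked) { $Leaked | ForEach-Object { $_.FullName } }
else         { 'No executable or web-page files in the backup.' }
```

The post-copy check matters because robocopy's /XF is a filename filter, not a content filter: a renamed executable or a document with an embedded payload still gets copied, which is why the post also says to scan the backed-up files with an anti-virus and anti-malware scanner before moving them to the rebuilt machine.
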
#9 Matt-P

  • Topic Starter
  • Members
  • 6 posts

Posted 07 April 2009 - 07:06 AM

Just writing to say thanks for all your help. I referred to my manual for reformatting instructions... had a handy built-in feature known as "Reformat and return to factory settings" which kinda does what it says on the tin.

Quick questions though... now that I am back up and running again, what anti-virus/malware/EVIL ROOTKIT software should I use and how regularly should I be running it manually as well as running it live to avoid this happening again?

Once again, thanks! It's fantastic that this kind of help is available. I was at the point of reformatting before I came on here, but it was a useful process to go through to explore the options - wouldn't have even heard of rootkits if it wasn't for you!

Kind regards,
Matt

#10 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 07 April 2009 - 12:08 PM

Hello.

Anti-virus programs: (Install ONLY 1)
Firewall Programs: (Install ONLY 1)
Regarding rootkits, there are many tools, but most of them are very complicated to understand and require advanced knowledge of Windows itself and of malware, so it would be difficult for you to interpret the results. There are also sometimes false positives, so I usually don't want to give you a "specific tool" for dealing with rootkits. They are very nasty and usually cannot be removed that easily.

I would just recommend you install one of those anti-virus programs with an anti-rootkit feature if you want anti-rootkit protection.

Hope that helps.

With Regards,
Extremeboy

#11 Matt-P

  • Topic Starter
  • Members
  • 6 posts

Posted 07 April 2009 - 06:39 PM

Fantastic! Thanks for the advice... I presumed that you mentioned the best ones in each list first (whether consciously or subconsciously), so have opted for those!

As McAfee and Ad-Aware aren't even mentioned on your list, it just goes to show how unprepared I actually was - oh the power of advertising!!

Hopefully this is the only time I will have to speak to you in this particular forum.

Thanks once again.

Kind regards,
Matt

#12 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 07 April 2009 - 08:48 PM

No problem. Glad I could help :)

Note: Those programs I mentioned were only the FREE ones. McAfee is not bad, but Ad-Aware isn't used that often now, nor is Spybot. MBAM or SAS is a better alternative.

Whenever you have a problem, feel free to ask in the appropriate forum. We're always happy to help.

Below are some prevention tips.

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Visit the Windows Update Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of hacks/Trojans use methods (plugged by the updates) that have not been stopped because people did not update.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us and good luck.

With Regards,
Extremeboy

Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
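The post above explains that a USB worm's AUTORUN.INF is just an INI-style file whose directives make Windows launch something when the drive is inserted or double-clicked. The following is an added example, not code from the thread or from BleepingComputer: it parses the [autorun] section with Python's configparser and reports the directives that launch a program or rewire the Explorer double-click, so a responder can tell a harmless icon/label file from one that executes. The two sample files are constructed for illustration.

```python
import configparser
from typing import Dict, List

# Directives whose presence makes Windows (with Autorun/AutoPlay enabled)
# launch a program or rewire what a double-click on the drive icon does.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict of lowercase key -> value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp[name].items()}
    return {}


def assess_autorun(text: str) -> List[str]:
    """List why an autorun.inf found on a removable drive deserves attention."""
    try:
        entries = parse_autorun(text)
    except configparser.Error as exc:  # a file that is not valid INF is suspicious too
        return [f"malformed autorun.inf ({type(exc).__name__})"]
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= launches '{value}' when the drive is opened")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"{key}= points an Explorer menu verb at '{value}'")
        elif key == "shell":
            findings.append(f"shell={value} changes the default double-click action")
        elif key == "useautoplay" and value == "1":
            findings.append("useautoplay=1 asks Windows to handle the drive via AutoPlay")
    return findings


# Constructed samples, not taken from any real drive.
ICON_ONLY = "[autorun]\nicon=setup.exe,0\nlabel=Product Installer\n"
WORM_STYLE = r"""[autorun]
open=launcher.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\Command=launcher.exe
shell\explore\Command=launcher.exe
shell=open
useautoplay=1
"""

if __name__ == "__main__":
    for label, sample in (("icon-only", ICON_ONLY), ("worm-style", WORM_STYLE)):
        print(label, assess_autorun(sample) or ["nothing is launched automatically"])
```

The icon-only file yields no findings, while the worm-style one reports the open= launch, both hijacked Explorer verbs, the changed default action and the AutoPlay request.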

#13 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:09:38 PM

Posted 09 April 2009 - 03:03 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad I could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal Forum.

With Regards,
Extremeboy

