Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware protect removal


  • This topic is locked This topic is locked
17 replies to this topic

#1 dempseyjosh

dempseyjosh

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 02 April 2009 - 09:22 AM

i somehow got spyware protect 2009 on my computer, and i'm having trouble getting super anti spyware or malware bytes to open. i've tried a couple other scanners and they say i'm clean.


DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Warehouse at 10:19:05.40 on Thu 04/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.527 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.50 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Warehouse\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {40173c91-b871-4e54-a355-c1ff3c0a753c} - c:\windows\system32\ukgxccz.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BHO: {abd42510-9b22-41cd-9dcd-8182a2d07c63} - c:\windows\system32\iehelper.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\documents and settings\warehouse\desktop\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [system tool] c:\windows\sysguard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [pdfw] c:\program files\amic utilities\pdf writer pro\pdfwload.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
StartupFolder: c:\docume~1\wareho~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: imageshack.us\toolbar
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - hxxp://www.miniclip.com/inflaterball/miniclipGameLoader.dll
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://www.cherrytreeinn.com:8080/kxhcm10.ocx
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://193.138.213.169/JpegInst.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://axis1.cityof.lawton.ok.us/activex/AMC.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://24.136.219.70:92/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.idavoll.com/activex/AxisCamControl.cab
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll
Notify: igfxcui - igfxsrvc.dll
Notify: zjcfltat - ukgxccz.dll
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

S0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-4-1 26624]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2008-5-8 192512]
S2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-3-19 63872]
S2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-8-18 13088]
S2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2009-1-22 2731848]
S2 qepspwfv;Remote Access Auto Connection Helper;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-7-10 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-7-10 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-7-10 39552]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-6-29 10368]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2004-9-3 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [2004-9-3 9216]

=============== Created Last 30 ================

2009-04-02 10:06 <DIR> --d----- C:\7715fcfafd3d44ba0491ae927c1c53a9
2009-04-02 09:00 <DIR> --d----- c:\docume~1\wareho~1\applic~1\khjavcmy
2009-04-01 16:08 26,624 a------- c:\windows\system32\drivers\fsbts.sys
2009-04-01 15:42 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-01 10:35 <DIR> --d----- c:\docume~1\wareho~1\applic~1\.clamwin
2009-04-01 10:35 <DIR> --d----- c:\program files\ClamWin
2009-04-01 10:35 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-03-31 16:40 10,752 a------- c:\windows\system32\iehelper.dll
2009-03-31 16:30 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-31 16:30 353,808 a------- c:\windows\sysguard.exe
2009-03-25 10:33 <DIR> --d----- c:\program files\iPod
2009-03-25 10:33 <DIR> --d----- c:\program files\iTunes
2009-03-25 10:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-03-12 15:09 50,304 ac------ c:\docume~1\wareho~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-11 11:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 11:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-01-22 18:50 457,544 a------- c:\windows\system32\QBPOSProtocol.dll
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2006-10-19 16:20 39,629,592 a------- c:\program files\Xenomorph_slim.exe
2006-09-18 18:00 179 ac------ c:\program files\tears_dont_fall_56.ram
2006-09-08 14:33 1,163,643 a------- c:\program files\wrar342.exe
2008-08-27 13:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 10:20:53.59 ===============

Attached Files


Edited by dempseyjosh, 02 April 2009 - 09:23 AM.


BC AdBot (Login to Remove)

 


#2 dempseyjosh

dempseyjosh
  • Topic Starter

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 02 April 2009 - 12:04 PM

that scan was done in safe mode.... just wanted to throw that out there in case it makes a difference.

i've been doing everything in safe mode because there are so many sites i can't get to when i boot up normally

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 08 April 2009 - 08:12 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may call it to stall.

Post back with:
-Combofix log
-Description of any problem you still have


With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 dempseyjosh

dempseyjosh
  • Topic Starter

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 09 April 2009 - 09:36 AM

ok, well the computer seems to be running pretty good as of right now. this is a work computer. my boss was able to get some of the stuff cleared up, then i was able to install and run super anti spyware and malware bytes.

what would you like me to run and show you those logs?

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 09 April 2009 - 03:44 PM

Hello.

If everything is fine and you don't need to check for anything else then NO. It's not necessary. :thumbup2:

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#6 dempseyjosh

dempseyjosh
  • Topic Starter

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 09 April 2009 - 04:07 PM

well, with every scanner i ran, it found something different. i'd like to have somebody that knows more about it give their opinion

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 09 April 2009 - 04:11 PM

Hello.

Okay. DO NOT run Combofix for now, I'll decide if we need to run it later if needed. It's a very strong tool and should NOT be used unless instructed and under a guidance of a trained malware staff.

Post a few of the logs you are worried about. Also, if you want me to analyze your logs and see if there's anything else, please post a new DDS log.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 dempseyjosh

dempseyjosh
  • Topic Starter

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 10 April 2009 - 09:42 AM

well here are the dds logs


DDS (Ver_09-03-16.01) - NTFSx86
Run by Warehouse at 10:40:29.45 on Fri 04/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.336 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.50 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\Synercard\Asure ID AIO\program\CDC.exe
C:\Program Files\Synercard\Asure ID AIO\program\DEC.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\ClamWin\bin\OlAddin.exe
C:\WINDOWS\system32\mstsc.exe
C:\Documents and Settings\Warehouse\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\documents and settings\warehouse\desktop\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [pdfw] c:\program files\amic utilities\pdf writer pro\pdfwload.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\wareho~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: imageshack.us\toolbar
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - hxxp://www.miniclip.com/inflaterball/miniclipGameLoader.dll
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://www.cherrytreeinn.com:8080/kxhcm10.ocx
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://193.138.213.169/JpegInst.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://axis1.cityof.lawton.ok.us/activex/AMC.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://24.136.219.70:92/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.idavoll.com/activex/AxisCamControl.cab
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-4-1 26624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2008-5-8 192512]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-3-19 63872]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-8-18 13088]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2009-1-22 2731848]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-6-29 10368]
S2 qepspwfv;Remote Access Auto Connection Helper;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-7-10 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-7-10 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-7-10 39552]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2004-9-3 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [2004-9-3 9216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-08 10:50 <DIR> --d----- c:\program files\iPod
2009-04-08 10:49 <DIR> --d----- c:\program files\iTunes
2009-04-08 10:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 10:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-08 10:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 10:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 12:37 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-06 12:03 6,853,096 a------- C:\SpyHunter-Compact-OS.exe
2009-04-06 12:03 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-06 10:32 <DIR> --d----- c:\docume~1\wareho~1\applic~1\khjavcmy
2009-04-02 10:06 <DIR> --d----- C:\7715fcfafd3d44ba0491ae927c1c53a9
2009-04-01 16:08 26,624 a------- c:\windows\system32\drivers\fsbts.sys
2009-04-01 15:42 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-01 10:35 <DIR> --d----- c:\docume~1\wareho~1\applic~1\.clamwin
2009-04-01 10:35 <DIR> --d----- c:\program files\ClamWin
2009-04-01 10:35 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-03-25 10:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-12 15:09 50,304 ac------ c:\docume~1\wareho~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-01-22 18:50 457,544 a------- c:\windows\system32\QBPOSProtocol.dll
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2006-10-19 16:20 39,629,592 a------- c:\program files\Xenomorph_slim.exe
2006-09-18 18:00 179 ac------ c:\program files\tears_dont_fall_56.ram
2006-09-08 14:33 1,163,643 a------- c:\program files\wrar342.exe
2008-08-27 13:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 10:41:08.20 ===============


the other log is attatched

Attached Files



#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 10 April 2009 - 09:59 AM

Hello.

well, with every scanner i ran, it found something different. i'd like to have somebody that knows more about it give their opinion

I asked for you to post a few of the logs that finds something different in my previous post. Could you post a few logs for me, so I know what they are detecting please.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 dempseyjosh

dempseyjosh
  • Topic Starter

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 10 April 2009 - 12:29 PM

i didn't save those logs. or are they saved somewhere in the programs file? they found things, and they deleted them.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 10 April 2009 - 01:34 PM

i didn't save those logs. or are they saved somewhere in the programs file? they found things, and they deleted them.

What is the security software name in question? I will not know where it is without knowing which security programs you scanned with. You can do a few scans with them right now and let me know.

After that run an online scan too, we will see what's left next post and deal with those.

Update Java to Version 6 Update 12

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

I would also like to see a new pair of DDS log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 dempseyjosh

dempseyjosh
  • Topic Starter

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 13 April 2009 - 10:21 AM

well i ran super antispyware, malware bytes, and kaspersky

i re ran kaspersky, and here is the log

Friday, April 10, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, April 10, 2009 20:45:03
Records in database: 2032296


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\

Scan statistics
Files scanned 97492
Threat name 2
Infected objects 12
Suspicious objects 0
Duration of the scan 02:47:30

File name Threat name Threats count
C:\Documents and Settings\All Users\.clamwin\quarantine\infected.++++ national anthem slow instru 29.wma Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.++++ national anthem slow instru 29.wma.000 Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.++++++++ national anthem instrumental 45.wma Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.++++++++ national anthem instrumental 45.wma.000 Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.02 Track 2.wma Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.04 Track 4.wma Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.national anthem instrumental 21.wma Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.national anthem instrumental 21.wma.000 Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.trap star clean 54.wma Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\Documents and Settings\All Users\.clamwin\quarantine\infected.trap star clean 54.wma.000 Infected: Trojan-Downloader.WMA.Wimad.d 1

C:\System Volume Information\_restore{29FD9B63-4F58-4DB0-B2C4-8709D5244F27}\RP5\A0000498.exe Infected: Trojan-Spy.Win32.Zbot.gen 1

The selected area was scanned.




here is the new dds log

DDS (Ver_09-03-16.01) - NTFSx86
Run by Warehouse at 11:20:25.87 on Mon 04/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.387 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.50 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synercard\Asure ID AIO\program\CDC.exe
C:\Program Files\Synercard\Asure ID AIO\program\DEC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DTC550Mon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DTC550Tbo.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ClamWin\bin\OlAddin.exe
C:\WINDOWS\system32\mstsc.exe
C:\Documents and Settings\Warehouse\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {ABD42510-9B22-41cd-9DCD-8182A2D07C63} - No File
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\documents and settings\warehouse\desktop\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [pdfw] c:\program files\amic utilities\pdf writer pro\pdfwload.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\wareho~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: imageshack.us\toolbar
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - hxxp://www.miniclip.com/inflaterball/miniclipGameLoader.dll
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://www.cherrytreeinn.com:8080/kxhcm10.ocx
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://193.138.213.169/JpegInst.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://axis1.cityof.lawton.ok.us/activex/AMC.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://24.136.219.70:92/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.idavoll.com/activex/AxisCamControl.cab
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-4-1 26624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2008-5-8 192512]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-3-19 63872]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-8-18 13088]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2009-1-22 2731848]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-6-29 10368]
S2 qepspwfv;Remote Access Auto Connection Helper;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-7-10 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-7-10 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-7-10 39552]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2004-9-3 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [2004-9-3 9216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-10 15:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-08 10:50 <DIR> --d----- c:\program files\iPod
2009-04-08 10:49 <DIR> --d----- c:\program files\iTunes
2009-04-08 10:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 10:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-08 10:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 10:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 12:37 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-06 12:03 6,853,096 a------- C:\SpyHunter-Compact-OS.exe
2009-04-06 12:03 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-06 10:32 <DIR> --d----- c:\docume~1\wareho~1\applic~1\khjavcmy
2009-04-02 10:06 <DIR> --d----- C:\7715fcfafd3d44ba0491ae927c1c53a9
2009-04-01 16:08 26,624 a------- c:\windows\system32\drivers\fsbts.sys
2009-04-01 15:42 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-01 10:35 <DIR> --d----- c:\docume~1\wareho~1\applic~1\.clamwin
2009-04-01 10:35 <DIR> --d----- c:\program files\ClamWin
2009-04-01 10:35 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-03-25 10:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

Attached Files



#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 13 April 2009 - 12:17 PM

Hello.

Let's remove some stuff..

Download and Run OTMoveIT3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area. Do not include the word "Code".
    :files
    C:\Documents and Settings\All Users\.clamwin\quarantine
    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    "{32683183-48a0-441b-a342-7c2a440a9478}"=-
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large Posted Image button.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
Note:If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Post back with:
-OTMoveIT log
-New DDS log

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#14 dempseyjosh

dempseyjosh
  • Topic Starter

  • Members
  • 167 posts
  • OFFLINE
  •  
  • Local time:07:44 AM

Posted 13 April 2009 - 01:43 PM

========== FILES ==========
C:\Documents and Settings\All Users\.clamwin\quarantine moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{ABD42510-9B22-41cd-9DCD-8182A2D07C63}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{BDF3E430-B101-42AD-A544-FADC6B084872}\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\\{32683183-48a0-441b-a342-7c2a440a9478} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\\{32683183-48a0-441b-a342-7c2a440a9478} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\ClamWin1.log scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET1D1F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET1D20.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET260C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET261C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET267.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET2A71.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET2AEE.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA323.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA324.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA601.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA602.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA7F5.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA7F6.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA85.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETB8F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETF0.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETFD52.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETFD53.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\~DF8091.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Warehouse\Local Settings\Temporary Internet Files\Content.IE5\KTJOEUUC\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Warehouse\Local Settings\Temporary Internet Files\Content.IE5\HTHW0HRD\topic216117[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Warehouse\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Warehouse\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_bbc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04132009_143119

Files moved on Reboot...
C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\ClamWin1.log moved successfully.
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET1D1F.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET1D20.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET260C.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET261C.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET267.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET2A71.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JET2AEE.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA323.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA324.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA601.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA602.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA7F5.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA7F6.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETA85.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETB8F.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETF0.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETFD52.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\JETFD53.tmp not found!
File C:\DOCUME~1\WAREHO~1\LOCALS~1\Temp\~DF8091.tmp not found!
C:\Documents and Settings\Warehouse\Local Settings\Temporary Internet Files\Content.IE5\KTJOEUUC\iframe[1].htm moved successfully.
C:\Documents and Settings\Warehouse\Local Settings\Temporary Internet Files\Content.IE5\HTHW0HRD\topic216117[1].htm moved successfully.
C:\Documents and Settings\Warehouse\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_bbc.dat not found!


and here is the dds log

DDS (Ver_09-03-16.01) - NTFSx86
Run by Warehouse at 14:41:56.95 on Mon 04/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.432 [GMT -4:00]

AV: Eset NOD32 antivirus system 2.50 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Common Files\Intuit\Entitlement Client\v5.3\Server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Warehouse\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! 工具列: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2009] c:\documents and settings\warehouse\desktop\uniblue\registrybooster\RegistryBooster.exe /S
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [Mouse Suite 98 Daemon] ICO.EXE
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [pdfw] c:\program files\amic utilities\pdf writer pro\pdfwload.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\wareho~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Trusted Zone: imageshack.us\toolbar
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - hxxp://www.miniclip.com/inflaterball/miniclipGameLoader.dll
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://www.cherrytreeinn.com:8080/kxhcm10.ocx
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33704B0F-9EB7-434B-B752-EA6CFFB87423} - hxxp://193.138.213.169/JpegInst.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - hxxp://axis1.cityof.lawton.ok.us/activex/AMC.cab
DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} - hxxp://24.136.219.70:92/bl_camera.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://webcam.idavoll.com/activex/AxisCamControl.cab
DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - hxxp://download.copysafe.net/plugins5/installers/Copysafe.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: qbpos - {662E7FAE-5C17-491C-AD9D-98C1F66CC6A0} - c:\windows\system32\QBPOSProtocol.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli pwdmon

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-4-1 26624]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2008-5-8 192512]
R2 ibmfilter;ibmfilter;c:\windows\system32\drivers\ibmfilter.sys [2004-3-19 63872]
R2 Intuit Entitlement Service v5.3;Intuit Entitlement Service v5.3;c:\program files\common files\intuit\entitlement client\v5.3\server\Intuit.Spc.Map.EntitlementClient.Server.Service.exe [2008-7-29 20480]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-8-18 13088]
R2 QBPOSDBServiceV8;QBPOS Database Manager v8;c:\program files\intuit\quickbooks point of sale 8.0\databaseserver\QBPOSDBService.exe [2009-1-22 2731848]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-6-29 10368]
S2 qepspwfv;Remote Access Auto Connection Helper;c:\windows\system32\svchost.exe -k netsvcs [1980-1-1 14336]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-7-10 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2007-7-10 3168]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-7-10 39552]
S3 pelmouse;Mouse Suite Driver;c:\windows\system32\drivers\PELMOUSE.SYS [2004-9-3 16384]
S3 pelusblf;USB Mouse Low Filter Driver;c:\windows\system32\drivers\PELUSBLF.SYS [2004-9-3 9216]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-13 14:31 <DIR> --d----- C:\_OTMoveIt
2009-04-10 15:14 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-08 10:50 <DIR> --d----- c:\program files\iPod
2009-04-08 10:49 <DIR> --d----- c:\program files\iTunes
2009-04-08 10:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 10:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-08 10:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-08 10:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-06 12:37 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-06 12:03 6,853,096 a------- C:\SpyHunter-Compact-OS.exe
2009-04-06 12:03 <DIR> --d----- c:\program files\Enigma Software Group
2009-04-06 10:32 <DIR> --d----- c:\docume~1\wareho~1\applic~1\khjavcmy
2009-04-02 10:06 <DIR> --d----- C:\7715fcfafd3d44ba0491ae927c1c53a9
2009-04-01 16:08 26,624 a------- c:\windows\system32\drivers\fsbts.sys
2009-04-01 15:42 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-01 10:35 <DIR> --d----- c:\docume~1\wareho~1\applic~1\.clamwin
2009-04-01 10:35 <DIR> --d----- c:\program files\ClamWin
2009-04-01 10:35 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-03-25 10:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-04-10 15:14 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-12 15:09 50,304 ac------ c:\docume~1\wareho~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\dllcache\win32k.sys
2009-01-22 18:50 457,544 a------- c:\windows\system32\QBPOSProtocol.dll
2009-01-16 22:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2006-10-19 16:20 39,629,592 a------- c:\program files\Xenomorph_slim.exe
2006-09-18 18:00 179 ac------ c:\program files\tears_dont_fall_56.ram
2006-09-08 14:33 1,163,643 a------- c:\program files\wrar342.exe
2008-08-27 13:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082720080828\index.dat

============= FINISH: 14:42:50.75 ===============

Attached Files



#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 13 April 2009 - 03:48 PM

Hello.

Looks good. Just one program I want to mention to you.

Registry Cleaner(s) Warning
The following is referring to Uniblue RegistryBooster 2009

Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners/tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System. This could include making your computer inoperatable.
  • These programs generally only delete "orphaned" or "dead" entries. This merely removes entries that point to files that no longer exist on your computer. Registry entries do not take up a significant amount of hardrive space. The program itself (and its own registry entries) likely occupy relatively more space.
  • The amount of improvement in performance you gain is minimal.
This is done, assuming that the major audience here at this board may be inexperienced users and thus a suggested safeguard from our side.
If you feel that your have sufficient knowledge to use such tools safely, then you are welcome to keep them.

Please follow/read the steps below to remove the tools we used, purge a system restore and for some more information. :step5:

Cleanup! with OTMoveIt
Let's remove all the tools we've used so far.
  • Double click the OTMoveIt3.exe to run it.
  • Click Posted Image. If you recieve a warning from your security program, select allow to download the packet.
  • A pop-up box will appear saying "Cleanup list download succesfully Begin Removal Process?". Click Yes.
  • If required for a reboot click Yes
Create a New System Restore Point<- Very Important

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

System A bit Slow? Try StartupLight

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean! :step1: :) :thumbup2:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Preventing Infections in the Future

Please also have a look at the following links, giving some advice and Tips to protect yourself against malware and reduce the potential for re-infection:
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a sm顤g廛bord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Vist the WindowsUpdate Site Regularly

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
Update Non-Microsoft Programs

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and thank you for choosing Bleeping Computer as you malware removal source.
Don't forget to tell your friends about us and Good luck :step4:


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks :)

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users