Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

need assistance removing malware


  • Please log in to reply
5 replies to this topic

#1 Raph876

Raph876

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 05 May 2009 - 08:25 AM

Recently every search i do on google gets redirected to a website called findology. Ive run and antivirus scan and used spyware doctor but it has not helped the situation, here is the log. Thanx

DDS (Ver_09-03-16.01) - FAT32x86
Run by Raphael Grivas at 23:15:22.57 on Tue 05/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.1526.1010 [GMT 10:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: avast! antivirus 4.8.1335 [VPS 090401-0] *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\SYS32DLL.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\DOCUME~1\RAPHAE~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Raphael Grivas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bigpond.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = hxxp://en.us.acer.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SYS32DLL] SYS32DLL
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [LaunchApp] Alaunch
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [SYS32DLL] SYS32DLL
StartupFolder: c:\docume~1\raphae~1\startm~1\programs\startup\neroba~1.lnk - c:\windows\system32\nero.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\raphae~1\applic~1\mozilla\firefox\profiles\fahxhx2k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 1

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-5 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-5-5 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-5-5 39200]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-3-5 114768]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-5-5 159600]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-3-5 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-3-5 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-3-5 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-3-5 352920]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-5-5 33056]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys [2006-6-19 1097728]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-5-5 64392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-5 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-5-5 1095560]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2009-05-05 22:17 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-05-05 21:22 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-05-05 21:22 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-05-05 21:22 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-05-05 21:06 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-05 21:06 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-05 21:06 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-05 21:06 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-05 21:06 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-05 21:05 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-05 21:05 <DIR> --d----- c:\docume~1\raphae~1\applic~1\PC Tools
2009-05-05 21:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-05 19:38 0 a------- c:\windows\system32\tmp2.logef
2009-05-05 17:02 2,414,360 a------- c:\windows\system32\d3dx9_31.dll
2009-05-05 17:02 <DIR> --d----- c:\windows\Logs
2009-05-01 12:32 <DIR> --dsh--- C:\FOUND.000
2009-05-01 10:03 <DIR> --d----- C:\GameNetworks
2009-05-01 07:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-05-01 07:46 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-04-27 17:56 172,032 a------- c:\windows\system32\igfxres.dll
2009-04-27 17:50 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-27 12:43 <DIR> --d----- c:\program files\SystemRequirementsLab
2009-04-27 10:30 <DIR> --d----- c:\program files\CCleaner
2009-04-27 09:14 1,100 a------- c:\windows\system32\d3d8caps.dat
2009-04-24 15:35 <DIR> --d----- c:\program files\Dreamworld's Open - Mini Golf
2009-04-24 11:16 <DIR> --d----- c:\program files\GodsWar Online
2009-04-24 09:24 <DIR> --d----- c:\windows\.jagex_cache_32
2009-04-21 15:34 <DIR> --d----- c:\program files\Celestia
2009-04-21 09:04 <DIR> --d----- c:\program files\iPod
2009-04-21 09:04 <DIR> --d----- c:\program files\iTunes
2009-04-21 09:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-21 09:02 <DIR> --d----- c:\program files\Bonjour
2009-04-16 13:23 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 13:23 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 13:23 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 13:23 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 13:23 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 13:22 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 13:22 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 13:22 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 13:22 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:05 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 23:05 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 23:05 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 11:18 <DIR> --d----- c:\windows\system32\ocr
2009-04-15 11:18 <DIR> --d----- c:\windows\system32\Data
2009-04-15 11:18 <DIR> --d----- c:\program files\Car Boosting.exe
2009-04-15 11:18 <DIR> --d----- c:\windows\system32\Plugins
2009-04-12 19:16 32,592 a------- c:\windows\system32\msonpmon.dll
2009-04-12 19:13 <DIR> --d----- c:\windows\SHELLNEW
2009-04-10 10:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Cabela's Trophy Bucks Saves
2009-04-10 10:11 <DIR> --d----- c:\program files\Activision Value
2009-04-10 10:04 <DIR> --d-h--- c:\windows\PIF
2009-04-06 18:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\HipSoft

==================== Find3M ====================

2009-05-05 18:21 15,360 a------- c:\windows\system32\SYS32DLL.exe
2009-05-05 17:48 90,112 a------- c:\windows\DUMP5014.tmp
2009-05-05 17:47 90,112 a------- c:\windows\DUMP256a.tmp
2009-05-05 17:45 5,245 a------- c:\windows\system32\uacinit.dll
2009-05-05 17:45 66,560 a------- c:\windows\system32\UACmpppqmdvmodabdx.dll
2009-05-05 17:45 19,968 a------- c:\windows\system32\UACevhnmvwcshtaedn.dll
2009-05-05 17:45 17,408 a------- c:\windows\system32\UACuufoyfgewcvvnio.dll
2009-05-05 17:45 24,064 a------- c:\windows\system32\UACwxgwkvjokabkyoy.dll
2009-05-05 17:45 19,968 a------- c:\windows\system32\UACvtnmstvejbopxlt.dll
2009-05-05 17:45 51,200 a------- c:\windows\system32\drivers\UACenaroetvaqgdvjm.sys
2009-05-05 12:52 90,112 a------- c:\windows\DUMP277d.tmp
2009-03-25 00:15 170 a------- c:\program files\1bomb.ini
2009-03-22 00:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-07 00:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 12:42 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-03 10:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-03 10:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 14:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 20:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 20:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 15:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 22:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 22:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-09 22:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 22:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 22:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 22:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-07 19:02 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 21:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 21:08 2,189,056 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 21:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 21:06 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 20:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 20:39 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 20:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 20:32 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll

============= FINISH: 23:15:58.64 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:12 AM

Posted 05 May 2009 - 09:05 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Raph876

Raph876
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 05 May 2009 - 10:27 AM

Thanx for the reply. After completing the scan and removing whatever came up i was unable to use firefox, it keeps asking for a proxy. Do u know the solution?. Here is the mbam log

Malwarebytes' Anti-Malware 1.36
Database version: 2078
Windows 5.1.2600 Service Pack 3

6/05/2009 12:51:42 AM
mbam-log-2009-05-06 (00-51-42).txt

Scan type: Quick Scan
Objects scanned: 80442
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\y537.y537mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\y537.y537mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYS32DLL (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Delete on reboot.
C:\WINDOWS\system32\UACvtnmstvejbopxlt.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACuufoyfgewcvvnio.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACevhnmvwcshtaedn.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmpppqmdvmodabdx.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\Raphael Grivas\Local Settings\Temporary Internet Files\Content.IE5\EP7GNSQX\6244[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Raphael Grivas\Local Settings\Temporary Internet Files\Content.IE5\UDOSPYCE\nfr[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2692f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwxgwkvjokabkyoy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACenaroetvaqgdvjm.sys (Trojan.Agent) -> Quarantined and deleted successfully.



And the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:40 AM, on 6/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\DOCUME~1\RAPHAE~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://en.us.acer.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe 0
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-917652230-3426577860-364504457-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Tina Grivas')
O4 - HKUS\S-1-5-21-917652230-3426577860-364504457-1006\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Tina Grivas')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: nero.bat.lnk = C:\WINDOWS\system32\nero.bat
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Acer Empowering Technology.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe

--
End of file - 9597 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:12 AM

Posted 05 May 2009 - 10:53 AM

Hi,

After completing the scan and removing whatever came up i was unable to use firefox, it keeps asking for a proxy. Do u know the solution?

That's because this malware has set a proxyserver. Now since it's removed, it will ask for it.
To fix this, disable/uncheck proxy in Firefox.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Did you set this?

O4 - Startup: nero.bat.lnk = C:\WINDOWS\system32\nero.bat

If not, then check and fix that entry in HijackThis.

Please rerun MalwareBytes one more time to verify the log comes clean up again.
Then let me know how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Raph876

Raph876
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:12 PM

Posted 05 May 2009 - 09:16 PM

hi, i have deleted the nero.bat using hijackthis, and have run a scan with maleware bytes which came up clean. I set the proxyserver to none on firefox and the redirecting from google seems to have stopped. Thanx for the help really appreciate it. I just have one more question, should i keep malwarebytes instead of spyware doctor?. Thanx again for your help.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:06:12 AM

Posted 06 May 2009 - 01:14 AM

should i keep malwarebytes instead of spyware doctor?

Yes, I certainly recommend MalwareBytes over Spywaredoctor. :thumbup2:

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users