Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware/Virus problems! Help!


  • Please log in to reply
2 replies to this topic

#1 Igotproblems

Igotproblems

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 23 May 2009 - 01:19 PM

Problems:

Stalls on restart, must force shut down to reboot
Google/Yahoo searches are redirected to spam websites
Popups notifying I have a virus on my computer, telling me to get their software
Cannot open malwarebytes to scan computer

DDS Log:

DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Administrator at 20:03:47.29 on Fri 05/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1.#QNAN.1697 [GMT -5:00]

FW: Trend Micro OfficeScan Enterprise Client Firewall *enabled* {D8EAE8BD-5D15-4D72-9D75-F3270B80F3D8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\administrator.PIKE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070419
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070419
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: BHO: {bad4551d-9b24-42cb-9bcd-818ca2da7b63} - c:\windows\system32\iehelper.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [system tool] c:\windows\sysguard.exe
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [OfficeScanNT Monitor] "c:\officescan nt\pccntmon.exe" -HideWindow
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
StartupFolder: c:\docume~1\admini~1.pik\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hawkin~1.lnk - c:\program files\hawking\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.pik\applic~1\mozilla\firefox\profiles\mvdutgq8.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-22 114768]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-22 20560]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-22 138680]
S2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
S2 OfcPfwSvc;OfficeScanNT Personal Firewall;c:\officescan nt\OfcPfwSvc.exe [2006-2-7 233552]
S2 StkSSrv;Syntek DC-112X Service;c:\windows\system32\StkSrv2k.exe [2008-4-24 24576]
S2 TmFilter;Trend Micro Filter;c:\officescan nt\tmxpflt.sys [2005-11-9 204816]
S2 TmPreFilter;Trend Micro PreFilter;c:\officescan nt\tmpreflt.sys [2005-11-9 36368]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-22 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-22 352920]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2008-9-9 79144]
S3 FTD2XX;FTD2XX.SYS FT8U2XX device driver;c:\windows\system32\drivers\FTD2XX.sys [2008-10-6 24197]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 StkMini;Syntek DC-112X;c:\windows\system32\drivers\StkMini.sys [2008-4-24 750623]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

=============== Created Last 30 ================

2009-05-22 13:02 10,752 a------- c:\windows\system32\iehelper.dll
2009-05-22 12:52 304,656 a------- c:\windows\sysguard.exe

==================== Find3M ====================

2009-04-29 10:32 60,906 a------- c:\windows\system32\nvModes.dat
2009-03-22 14:32 88,923 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 09:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 18:04 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll

============= FINISH: 20:04:58.01 ===============

<Edited to place Attach.txt IN-Line ~ Maurice>


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12:00:00 AM
System Uptime: 5/22/2009 7:41:44 PM (0 hours ago)

Motherboard: Dell Inc. | | 0YD632
Processor: Intel® Core™2 CPU T7200 @ 2.00GHz | Microprocessor | 1997/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 67.11 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP112: 3/7/2009 3:08:22 PM - Software Distribution Service 3.0
RP113: 3/14/2009 1:00:07 PM - Software Distribution Service 3.0
RP114: 3/19/2009 9:09:04 PM - Software Distribution Service 3.0
RP115: 3/20/2009 8:32:53 PM - Software Distribution Service 3.0
RP116: 3/22/2009 2:18:43 PM - Software Distribution Service 3.0
RP117: 3/24/2009 4:07:34 PM - Software Distribution Service 3.0
RP118: 3/26/2009 7:38:32 PM - Software Distribution Service 3.0
RP119: 3/28/2009 12:47:49 PM - System Checkpoint
RP120: 3/29/2009 3:25:36 PM - System Checkpoint
RP121: 3/30/2009 5:21:50 PM - System Checkpoint
RP122: 3/31/2009 6:19:16 PM - System Checkpoint
RP123: 4/1/2009 6:46:46 PM - System Checkpoint
RP124: 4/2/2009 7:06:47 PM - System Checkpoint
RP125: 4/3/2009 9:10:07 PM - System Checkpoint
RP126: 4/5/2009 8:57:28 AM - System Checkpoint
RP127: 4/8/2009 6:47:15 PM - System Checkpoint
RP128: 4/9/2009 7:00:25 PM - System Checkpoint
RP129: 4/11/2009 11:44:05 AM - System Checkpoint
RP130: 4/12/2009 5:02:15 PM - System Checkpoint
RP131: 4/13/2009 5:29:15 PM - System Checkpoint
RP132: 4/15/2009 4:41:18 PM - Software Distribution Service 3.0
RP133: 4/17/2009 5:36:14 PM - System Checkpoint
RP134: 4/18/2009 9:56:42 PM - System Checkpoint
RP135: 4/20/2009 6:42:34 PM - System Checkpoint
RP136: 4/21/2009 7:57:08 PM - System Checkpoint
RP137: 4/23/2009 3:16:04 AM - System Checkpoint
RP138: 4/24/2009 7:43:16 AM - System Checkpoint
RP139: 4/25/2009 9:19:13 AM - System Checkpoint
RP140: 4/26/2009 11:01:11 AM - System Checkpoint
RP141: 4/27/2009 6:33:17 PM - System Checkpoint
RP142: 4/29/2009 10:31:26 AM - Software Distribution Service 3.0
RP143: 5/1/2009 1:31:53 PM - System Checkpoint
RP144: 5/3/2009 6:16:16 PM - System Checkpoint
RP145: 5/5/2009 4:45:43 PM - System Checkpoint
RP146: 5/7/2009 3:41:45 PM - System Checkpoint
RP147: 5/8/2009 9:40:05 PM - System Checkpoint
RP148: 5/10/2009 11:46:35 AM - System Checkpoint
RP149: 5/11/2009 5:25:38 PM - System Checkpoint
RP150: 5/11/2009 10:19:40 PM - Software Distribution Service 3.0
RP151: 5/15/2009 11:55:06 AM - Software Distribution Service 3.0
RP152: 5/16/2009 5:58:11 PM - System Checkpoint
RP153: 5/18/2009 8:38:10 AM - System Checkpoint
RP154: 5/19/2009 9:41:13 AM - System Checkpoint
RP155: 5/20/2009 5:55:45 PM - System Checkpoint
RP156: 5/22/2009 5:40:21 PM - System Checkpoint

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========

5/22/2009 5:48:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV Fips intelppm
5/22/2009 5:40:13 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
5/22/2009 5:37:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/22/2009 5:31:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/22/2009 1:15:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
5/22/2009 1:15:45 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2009 1:15:45 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2009 1:15:45 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2009 1:15:45 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/22/2009 1:15:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/22/2009 1:15:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/18/2009 7:38:44 AM, error: NETLOGON [5719] - No Domain Controller is available for domain PIKE due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================

Edited by Maurice Naggar, 24 May 2009 - 12:12 AM.


BC AdBot (Login to Remove)

 


#2 Igotproblems

Igotproblems
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 23 May 2009 - 05:15 PM

I'm sorry, I forgot to also post a hijackthis log.

Here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:20:27 PM, on 5/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\StkSrv2K.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
C:\OfficeScan NT\tmlisten.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\LZ24A6.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hawking\Common\RaUI.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
c:\windows\ld08.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\sysguard.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\DOCUME~1\ADMINI~1.PIK\LOCALS~1\Temp\Temporary Directory 4 for HiJackThis.zip\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070419
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070419
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com
O2 - BHO: (no name) - {06286304-CCC7-432B-89E1-F9805567B82f} - C:\WINDOWS\system32\mkutsaci.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {427E665C-1D32-4225-B8CE-E58769CB8680} - c:\windows\system32\ejuvqbh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: BHO - {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SolidWorks_CheckForUpdates] "C:\Program Files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" /scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-21-1417001333-920026266-839522115-1122\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User '?')
O4 - HKUS\S-1-5-21-1417001333-920026266-839522115-1122\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-2688159605-679704367-929632295-1008\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe (User 'kent')
O4 - HKUS\S-1-5-21-2688159605-679704367-929632295-1008\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'kent')
O4 - S-1-5-21-1417001333-920026266-839522115-1122 Startup: .lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe (User '?')
O4 - S-1-5-21-1417001333-920026266-839522115-1122 Startup: SolidWorks Task Scheduler Engine.lnk = C:\Program Files\SolidWorks\swScheduler\swBOEngine.exe (User '?')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Program Files\Hawking\Common\RaUI.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pike.local
O17 - HKLM\Software\..\Telephony: DomainName = pike.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pike.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pike.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = pike.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: jkpoftqo - C:\WINDOWS\SYSTEM32\ejuvqbh.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: Syntek DC-112X Service (StkSSrv) - Syntek America Inc. - C:\WINDOWS\System32\StkSrv2K.exe
O23 - Service: NTRU Hybrid TSS v2.0.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.25\bin\tcsd_win32.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11786 bytes

Edited by Maurice Naggar, 24 May 2009 - 12:14 AM.
Removed code block ~ for readability


#3 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:08:41 AM

Posted 24 May 2009 - 12:39 AM

Hello Igotproblems and welcome to BC forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for this member only. If you are a casual observer, do NOT try this on your system!


If at any point, if you have a question or problem, STOP & make a post to the forum.
Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here.

=

Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

=

Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

You had placed, or more likely ran Hijackthis straight away from download. This had the hijackthis.exe in a temporary location, which now has been cleaned out. Hijackthis must be re-downloaded and SAVED to your system ! do NOT choose to "run" it when the download first starts.

Download the latest version of HijackThis Installer

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click HJTInstall.exe to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.



Close all browsers and all other programs that you have started.

Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {06286304-CCC7-432B-89E1-F9805567B82f} - C:\WINDOWS\system32\mkutsaci.dll

O2 - BHO: (no name) - {427E665C-1D32-4225-B8CE-E58769CB8680} - c:\windows\system32\ejuvqbh.dll

O2 - BHO: BHO - {BAD4551D-9B24-42cb-9BCD-818CA2DA7B63} - C:\WINDOWS\system32\iehelper.dll

O4 - HKLM\..\Run: [sysldtray] c:\windows\ld08.exe

O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe

O20 - Winlogon Notify: jkpoftqo - C:\WINDOWS\SYSTEM32\ejuvqbh.dll

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Next, Download and SAVE this file -- to your Desktop -- (Do NOT run the file straight away from download) from any one of these sources:
Link 1
Link 2
Link 3

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines:
KILLALL::

File::
c:\windows\sysguard.exe
C:\WINDOWS\system32\cpnprt2.cid
c:\windows\system32\sdra64.exe
C:\WINDOWS\system32\iehelper.dll
c:\windows\ld08.exe

Folder::
C:\recycler
D:\recycler
e:\recycler
f:\recycler
g:\recycler
h:\recycler

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:
Posted Image
  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Do not run ComboFix more than once :!:

=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.
  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=
Once Complete, reboot! :!:

Get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm

Steps to follow for the MVP Hosts file:
1) Download and SAVE the zip file to a temporary folder
2) Unzip (extract the contents) in the same folder
3) After extract is complete, run mvps.bat batch file. This copies your pre-existing Hosts file to Hosts.mvp in the folder where Windows' Hosts resides
typically, C:\WINDOWS\system32\drivers\etc

and after that copy is saved, it replaces the old Hosts with the new one.

And you should see (in the blue background command window) the following:

_________________________________________________
¦ +---+¦
¦ THE MVPS HOSTS FILE IS NOW UPDATED ¦ v ¦¦
¦ +---+¦
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Previous version saved and renamed to HOSTS.MVP
Press any key to continue . . .


Find the folder where you saved the original download. Delete hosts.zip and a file folder there named hosts
The latter is the same folder that had mvps.bat
=

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

Close all browsers and all open windows & programs.

1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.
Posted ImageIt's very important that you be using the most recent version (v2.416 as of this post).

2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:
Double click the SmitFruadfix.exe file. It will create a folder named SmitfraudFix) on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".
Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you were infected
RE-Enable your AntiVirus and AntiSpyware applications.

Run Hijackthis
Then close all windows/applications/browsers and run hijackthis, saving the log.

After following the above, post back with 1. Contents of C:\Combofix.txt;
2. the Sysclean log
3. C:\rapport.txt
4. New Hijackthis log;
5. Tell me, How is your system now ?
Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do not use the attachment feature to place any of your reports. Always put them in-line inside the body of reply.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users