
PCAntiMalware Trojan......need help removing


This topic is locked
4 replies to this topic

#1 HPJ

HPJ

  • Members
  • 27 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 24 May 2009 - 10:38 PM

Hello all, once again I seek the help of this forum. I have had excellent help in the couple of times I have needed it before here, thus why I am returning. Before we start, I'd like to go ahead and thank any and everyone for their help.

I have been hit with the PCAntiMalware virus/trojan. It's pretty dang annoying, not only because my computer is running REALLY slow since its infection, but also because of the annoying popups and warnings it creates and uses to try to get you to buy their malware removal program.

There are generally (so far) two types of popups for "malware warnings" that I am getting. One is just a generic window that pops up in the center of the screen. It informs me that I might have malware, and the only way to get rid of this window is by clicking the "download and install removal program now" button, then canceling installation. The other popup that has been happening the last day is a full screen lockup: I'll either get a burgundy colored screen (whole screen) with a warning for malware, or there is actually a blue screen with MSDOS style font.....almost like the screen of death when a HD poops. Both only last 10 seconds or so, and then it just prompts to DL their software to remove the problem.

One other key........down on the toolbar on the bottom right (by the clock), every now and then a shield similar to a Windows update icon will appear....and a 'bubble' will popup telling me I might be infected. :thumbup2:

I've updated and tried Spybot. I have updated and tried Malwarebytes. I even performed a quick scan and a full scan with Malwarebytes. And I tried Symantec as well. I am out of options for what I have. And again, any help is greatly appreciated!

DDS c/p.....

DDS (Ver_09-05-14.01) - NTFSx86
Run by Darren at 23:22:09.14 on Sun 05/24/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.399 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM\aim.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {58472bc6-bea3-42d4-8917-7a8bcb0711b5} - No File
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{f58ff278-2198-403b-9170-c95022a194c6}
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\darren\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\darren\startm~1\programs\startup\132642~2.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\132642~2.lnk - c:\windows\system32\rundll32.exe
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax65.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - hxxp://community.webshots.com/html/atx/wsaxcontrol.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/html - {ae4ef06c-ecd9-4366-858e-82fa2f8b11aa} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\darren\applic~1\mozilla\firefox\profiles\2r81oqgu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\darren\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: XUL Cache: {5E585E72-4DF0-4A9F-9856-3FA89CABDE68} - c:\documents and settings\darren\local settings\application data\{5E585E72-4DF0-4A9F-9856-3FA89CABDE68}

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-2 1267024]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090510.003\naveng.sys [2009-5-10 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090510.003\navex15.sys [2009-5-10 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 Ptserli;PCTEL Serial Device Driver for INTEL;c:\windows\system32\drivers\ptserli.sys [2006-9-4 128286]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-24 09:27 <DIR> --d----- c:\program files\Zango
2009-05-24 09:27 <DIR> --d----- c:\program files\SPYSPOTTER3
2009-05-24 09:27 <DIR> --d----- c:\program files\SpyFalcon
2009-05-24 09:27 <DIR> --d----- c:\program files\RapidBlaster
2009-05-24 09:27 <DIR> --d----- c:\program files\navisearch
2009-05-24 09:27 <DIR> --d----- c:\program files\MyWebSearch
2009-05-24 09:27 <DIR> --d----- c:\program files\Antispyware 2008
2009-05-22 22:03 90 a------- c:\windows\wininit.ini
2009-05-22 20:05 76,800 a------- c:\windows\system32\1326422c29c3dda508e0bae1d1d0e95a.21.dll
2009-05-22 00:25 <DIR> --d----- c:\program files\wink
2009-05-22 00:25 <DIR> --d----- c:\program files\WildTangent
2009-05-22 00:25 <DIR> --d----- c:\program files\webrebates4
2009-05-22 00:25 <DIR> --d----- c:\program files\Topsearch
2009-05-22 00:25 <DIR> --d----- c:\program files\System Files
2009-05-22 00:25 <DIR> --d----- c:\program files\SpywareQuake
2009-05-22 00:25 <DIR> --d----- c:\program files\SPYSPOTTER
2009-05-22 00:25 <DIR> --d----- c:\program files\mrea
2009-05-22 00:25 <DIR> --d----- c:\program files\MediaPipe
2009-05-22 00:25 <DIR> --d----- c:\program files\Kontiki
2009-05-22 00:25 <DIR> --d----- c:\program files\ItBill
2009-05-22 00:25 <DIR> --d----- c:\program files\casinoonline
2009-05-22 00:25 <DIR> --d----- c:\program files\BackWeb
2009-05-22 00:25 <DIR> --d----- c:\program files\apsi
2009-04-26 21:38 <DIR> --d----- c:\docume~1\darren\applic~1\Any Video Converter
2009-04-26 21:38 <DIR> --d----- c:\program files\Any Video Converter

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 10:23 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-24 15:34 90,112 a------- c:\windows\system32\dpl100.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-02-24 15:34 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-02-24 15:34 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-02-24 15:34 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-02-24 15:34 684,032 a------- c:\windows\system32\DivX.dll
2009-02-16 19:13 17,920 ac------ c:\docume~1\darren\applic~1\GDIPFONTCACHEV1.DAT
2008-11-20 22:11 12 -c--h--- c:\docume~1\alluse~1\applic~1\MSComCtl256.dll
2008-03-02 23:12 10 -c--h--- c:\docume~1\alluse~1\applic~1\MSidCtl240.dll
2007-12-07 12:49 10,357,640 ac------ c:\program files\digitalmediaconverter.exe
2007-10-15 21:29 5,420,478 ac------ c:\program files\Noise Ninja Plug-in v2.1.3 For Photoshop.rar
2007-03-08 19:06 1,181,812 ac------ c:\program files\flvplayer_setup.exe
2007-02-13 21:55 3,297,436 ac------ c:\program files\bpftpclient_install.exe
2006-09-11 18:32 133,265,728 ac------ c:\program files\Nero-7.2.7.0_eng.exe
2006-09-11 00:45 208,763,456 ac------ c:\program files\CanonEOS61W.7z
2006-09-11 00:33 545,435,648 ac------ c:\program files\CanonEOS61W.iso
2006-09-10 23:05 836,783 ac------ c:\program files\7z442.exe
2006-09-10 23:04 30,987,944 ac------ c:\program files\Canon Zoombrowser.exe
2006-09-10 22:33 3,927,747 ac------ c:\program files\FVU121UPD_OSX_E.sit
2006-09-05 21:28 16,824 ac------ c:\program files\fxif.xpi
2006-09-05 20:22 761,621 ac------ c:\program files\DeadAIM.exe
2006-09-05 20:06 24,931,776 ac------ c:\program files\AUD_ALL32_5.12.1.5240_PV2.EXE
2006-02-06 09:21 917 ac------ c:\program files\Update Checker.ini
2004-01-26 16:25 225,280 ac------ c:\program files\Update Installer.exe

============= FINISH: 23:23:05.35 ===============


#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:55 PM

Posted 07 June 2009 - 02:35 PM

Hello and :thumbup2: to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

-----------------------------------------------------------

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer

:)

#3 HPJ

HPJ
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:06:55 PM

Posted 11 June 2009 - 09:51 PM

Here are the new DDS reports.

Fwiw, I am no longer getting the prompts to DL the spyware removing software. However, my computer is still slow in almost every operation.....just the same as when this trojan took over.

Thanks!

DDS (Ver_09-05-14.01) - NTFSx86
Run by Darren at 22:49:11.48 on Thu 06/11/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.357 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Darren\Desktop\dds (1).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {58472bc6-bea3-42d4-8917-7a8bcb0711b5} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
{f58ff278-2198-403b-9170-c95022a194c6}
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\darren\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [1326422c29c3dda508e0bae1d1d0e95a.31] c:\windows\system32\rundll32.exe "c:\windows\system32\1326422c29c3dda508e0bae1d1d0e95a.31.dll", start2 aff_id=1=wm_id=0
uRun: [1326422c29c3dda508e0bae1d1d0e95a.21] c:\windows\system32\rundll32.exe "c:\windows\system32\1326422c29c3dda508e0bae1d1d0e95a.21.dll", start2 aff_id=1&wm_id=0
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [1326422c29c3dda508e0bae1d1d0e95a.31] c:\windows\system32\rundll32.exe "c:\windows\system32\1326422c29c3dda508e0bae1d1d0e95a.31.dll", start2 aff_id=1=wm_id=0
mRun: [1326422c29c3dda508e0bae1d1d0e95a.21] c:\windows\system32\rundll32.exe "c:\windows\system32\1326422c29c3dda508e0bae1d1d0e95a.21.dll", start2 aff_id=1&wm_id=0
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\darren\startm~1\programs\startup\132642~2.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\darren\startm~1\programs\startup\132642~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\132642~2.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\132642~1.lnk - c:\windows\system32\rundll32.exe
IE: &eBay Search - c:\program files\ebay\ebay toolbar2\eBayTb.dll/RCSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax65.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - hxxp://community.webshots.com/html/atx/wsaxcontrol.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_18-windows-i586.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/html - {ae4ef06c-ecd9-4366-858e-82fa2f8b11aa} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\darren\applic~1\mozilla\firefox\profiles\2r81oqgu.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\darren\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: XUL Cache: {5E585E72-4DF0-4A9F-9856-3FA89CABDE68} - c:\documents and settings\darren\local settings\application data\{5E585E72-4DF0-4A9F-9856-3FA89CABDE68}

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-2 1267024]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090610.002\naveng.sys [2009-6-11 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090610.002\navex15.sys [2009-6-11 876144]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 Ptserli;PCTEL Serial Device Driver for INTEL;c:\windows\system32\drivers\ptserli.sys [2006-9-4 128286]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-24 09:27 <DIR> --d----- c:\program files\Zango
2009-05-24 09:27 <DIR> --d----- c:\program files\SPYSPOTTER3
2009-05-24 09:27 <DIR> --d----- c:\program files\SpyFalcon
2009-05-24 09:27 <DIR> --d----- c:\program files\RapidBlaster
2009-05-24 09:27 <DIR> --d----- c:\program files\navisearch
2009-05-24 09:27 <DIR> --d----- c:\program files\MyWebSearch
2009-05-24 09:27 <DIR> --d----- c:\program files\Antispyware 2008
2009-05-22 22:03 90 a------- c:\windows\wininit.ini
2009-05-22 00:25 <DIR> --d----- c:\program files\wink
2009-05-22 00:25 <DIR> --d----- c:\program files\WildTangent
2009-05-22 00:25 <DIR> --d----- c:\program files\webrebates4
2009-05-22 00:25 <DIR> --d----- c:\program files\Topsearch
2009-05-22 00:25 <DIR> --d----- c:\program files\System Files
2009-05-22 00:25 <DIR> --d----- c:\program files\SpywareQuake
2009-05-22 00:25 <DIR> --d----- c:\program files\SPYSPOTTER
2009-05-22 00:25 <DIR> --d----- c:\program files\mrea
2009-05-22 00:25 <DIR> --d----- c:\program files\MediaPipe
2009-05-22 00:25 <DIR> --d----- c:\program files\Kontiki
2009-05-22 00:25 <DIR> --d----- c:\program files\ItBill
2009-05-22 00:25 <DIR> --d----- c:\program files\casinoonline
2009-05-22 00:25 <DIR> --d----- c:\program files\BackWeb
2009-05-22 00:25 <DIR> --d----- c:\program files\apsi

==================== Find3M ====================

2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll
2009-04-29 00:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-29 00:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-29 10:23 499,712 a------- c:\windows\system32\msvcp71.dll
2009-02-16 19:13 17,920 ac------ c:\docume~1\darren\applic~1\GDIPFONTCACHEV1.DAT
2008-11-20 22:11 12 -c--h--- c:\docume~1\alluse~1\applic~1\MSComCtl256.dll
2008-03-02 23:12 10 -c--h--- c:\docume~1\alluse~1\applic~1\MSidCtl240.dll
2007-12-07 12:49 10,357,640 ac------ c:\program files\digitalmediaconverter.exe
2007-10-15 21:29 5,420,478 ac------ c:\program files\Noise Ninja Plug-in v2.1.3 For Photoshop.rar
2007-03-08 19:06 1,181,812 ac------ c:\program files\flvplayer_setup.exe
2007-02-13 21:55 3,297,436 ac------ c:\program files\bpftpclient_install.exe
2006-09-11 18:32 133,265,728 ac------ c:\program files\Nero-7.2.7.0_eng.exe
2006-09-11 00:45 208,763,456 ac------ c:\program files\CanonEOS61W.7z
2006-09-11 00:33 545,435,648 ac------ c:\program files\CanonEOS61W.iso
2006-09-10 23:05 836,783 ac------ c:\program files\7z442.exe
2006-09-10 23:04 30,987,944 ac------ c:\program files\Canon Zoombrowser.exe
2006-09-10 22:33 3,927,747 ac------ c:\program files\FVU121UPD_OSX_E.sit
2006-09-05 21:28 16,824 ac------ c:\program files\fxif.xpi
2006-09-05 20:22 761,621 ac------ c:\program files\DeadAIM.exe
2006-09-05 20:06 24,931,776 ac------ c:\program files\AUD_ALL32_5.12.1.5240_PV2.EXE
2006-02-06 09:21 917 ac------ c:\program files\Update Checker.ini
2004-01-26 16:25 225,280 ac------ c:\program files\Update Installer.exe

============= FINISH: 22:49:54.71 ===============
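The second DDS report differs from the first in its Run keys: rundll32.exe now loads a DLL whose name is a 32-character hex string, registered under both uRun (HKCU) and mRun (HKLM), and the StartupFolder shortcuts point at a bare rundll32.exe. The Python below is an added example, not part of the thread or of the DDS tool; it applies that reading to a constructed sample built from the report's own lines (plus one benign NvCplDaemon rundll32 entry, added for contrast) and lists the autorun entries a responder would examine first.

```python
"""Flag suspicious autorun entries in a DDS "Pseudo HJT Report".

Heuristics (an added example, not DDS logic):
  * rundll32.exe loading a DLL whose base name is a long hex string
  * the same DLL registered under both the uRun (HKCU) and mRun (HKLM) keys
  * a StartupFolder .lnk whose recorded target is rundll32.exe with no DLL shown
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the second DDS report in the thread,
# plus one benign rundll32 entry (NvCplDaemon) to show the hex check is selective.
SAMPLE_DDS = r"""
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [1326422c29c3dda508e0bae1d1d0e95a.21] c:\windows\system32\rundll32.exe "c:\windows\system32\1326422c29c3dda508e0bae1d1d0e95a.21.dll", start2 aff_id=1&wm_id=0
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [NvCplDaemon] rundll32.exe c:\windows\system32\NvCpl.dll,NvStartup
mRun: [1326422c29c3dda508e0bae1d1d0e95a.21] c:\windows\system32\rundll32.exe "c:\windows\system32\1326422c29c3dda508e0bae1d1d0e95a.21.dll", start2 aff_id=1&wm_id=0
StartupFolder: c:\docume~1\darren\startm~1\programs\startup\132642~2.lnk - c:\windows\system32\rundll32.exe
"""

# "uRun: [name] command" / "mRun: [name] command"
RUN_LINE = re.compile(r"^(?P<hive>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# "StartupFolder: <path>.lnk - <target>"
STARTUP_LINE = re.compile(r"^StartupFolder: (?P<lnk>.+?\.lnk) - (?P<target>.+)$", re.I)
# the DLL argument that follows rundll32.exe, with or without quotes
RUNDLL_DLL = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?\.dll)"?', re.I)
# a base name made of 16+ hex digits, optionally followed by ".<digits>" (e.g. ".21")
HEX_NAME = re.compile(r"^[0-9a-f]{16,}(?:\.\d+)?$", re.I)


def rundll32_dll(cmd):
    """Return the DLL path a rundll32.exe command loads, or None."""
    m = RUNDLL_DLL.search(cmd)
    return m["dll"] if m else None


def dll_stem(path):
    """Base file name without the .dll extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith(".dll") else name


def analyze(text):
    """Return (where, item, reason) tuples for entries worth a closer look."""
    findings = []
    hives_by_dll = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_LINE.match(line)
        if m:
            dll = rundll32_dll(m["cmd"])
            if dll is None:
                continue  # not a rundll32 launch; nothing to check here
            hives_by_dll[dll.lower()].add(m["hive"])
            if HEX_NAME.match(dll_stem(dll)):
                findings.append((m["hive"], dll, "rundll32 loads a DLL with a hex-string name"))
            continue
        s = STARTUP_LINE.match(line)
        if s and "rundll32" in s["target"].lower() and ".dll" not in s["target"].lower():
            findings.append(("StartupFolder", s["lnk"],
                             "shortcut launches rundll32.exe; no DLL argument is recorded"))
    for dll, hives in hives_by_dll.items():
        if {"uRun", "mRun"} <= hives:
            findings.append(("uRun+mRun", dll, "same DLL registered in both HKCU and HKLM Run keys"))
    return findings


if __name__ == "__main__":
    for where, item, reason in analyze(SAMPLE_DDS):
        print(f"{where:14} {reason}\n{'':14} {item}")
```

The benign NvCpl.dll entry is parsed but produces no finding, so the output lists only the hex-named DLL (under both hives), its cross-hive duplication, and the bare rundll32 shortcut.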


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:55 PM

Posted 14 June 2009 - 08:05 PM

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
  • Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
  • If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
  • Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
  • If I do not hear back from you within 5 days of my last post, then this topic will be closed.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Next

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

Please download GooredFix and save it to your Desktop

Please double-click Goored.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Next
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

Then please post back here with the following:
  • MBAM report
  • Goored.txt
  • log.txt
  • info.txt (Attach this)

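The Java-removal step in the post above has the user pick out old Java Runtime Environment entries by eye in Add/Remove Programs. As an added example, not part of syler's post or anything the thread itself contains, the PowerShell script below reads the same uninstall entries from the Windows registry, flags every Java entry older than the newest one installed, and reports whether the Java Quick Starter service mentioned in the note is present. It is read-only and removes nothing. The registry paths are the standard Windows uninstall keys; the `Java`/`J2SE` name patterns and the version normalisation are assumptions based on how Sun named its JRE packages at the time.

```powershell
# Added example, not from the BleepingComputer thread: inventory installed Java
# Runtime Environments and flag outdated copies. Read-only; nothing is removed.
# Needs PowerShell 2.0 or later and permission to read HKLM (any local user).

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # 32-bit applications on 64-bit Windows register here instead.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-JavaVersion([string]$text) {
    # DisplayVersion looks like "6.0.140" (JRE 6 Update 14) or "1.5.0.220";
    # very old builds used "1.4.2_19", so normalise the underscore first.
    # Assumption: anything unparseable is treated as version 0.0 (i.e. old).
    $clean = $text -replace '_', '.'
    try { return [version]$clean } catch { return [version]'0.0' }
}

# Collect every uninstall entry whose product name starts with Java or J2SE,
# which is what the post tells the user to look for in Add/Remove Programs.
$javaEntries = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -match '^(Java|J2SE)') {
            New-Object PSObject -Property @{
                Name            = [string]$p.DisplayName
                Version         = [string]$p.DisplayVersion
                UninstallString = [string]$p.UninstallString
            }
        }
    }
}

if (-not $javaEntries) {
    Write-Output 'No Java Runtime Environment entries found in the uninstall registry.'
} else {
    $newest = ($javaEntries | ForEach-Object { Get-JavaVersion $_.Version } |
               Sort-Object -Descending)[0]
    Write-Output ("Newest installed Java version: {0}" -f $newest)
    foreach ($e in ($javaEntries | Sort-Object { Get-JavaVersion $_.Version } -Descending)) {
        $v    = Get-JavaVersion $e.Version
        $flag = if ($v -lt $newest) { 'OLDER - remove' } else { 'newest' }
        Write-Output ('{0,-16} {1,-12} {2}' -f $flag, $e.Version, $e.Name)
        # The uninstall command Add/Remove Programs would run; shown for reference only.
        Write-Output ('                 uninstall: {0}' -f $e.UninstallString)
    }
}

# The post's note about JQS.exe: report whether the Java Quick Starter service
# is registered, matched on the display name the note uses.
$jqs = Get-Service | Where-Object { $_.DisplayName -like '*Java Quick Starter*' }
if ($jqs) {
    Write-Output ("Java Quick Starter service present: {0} ({1})" -f $jqs.Name, $jqs.Status)
} else {
    Write-Output 'Java Quick Starter service not registered.'
}
```

Anything flagged `OLDER - remove` corresponds to an entry the post says to uninstall from Add/Remove Programs; the JRE's own updater only cleans up Update 10 and later, so entries from the 1.4 and 5.0 lines will keep showing up here until they are removed by hand.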


#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:11:55 PM

Posted 19 June 2009 - 07:31 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


