Infected with PopUp Ads


This topic is locked
18 replies to this topic

#1 theo4

theo4

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 29 May 2009 - 06:44 AM

The McAfee AV scan programme has been blocked from working, though an update was allowed to perform. Since the downloading of Limewire the internet has become slower and there are ads that pop up all the time labelled Conceptads. When I look at my history there are a lot more sites that I have apparently visited, but these have not been entered by me nor have they necessarily appeared. Thank you very much for your time and help.


DDS (Ver_09-05-14.01) - NTFSx86
Run by 041413 at 12:27:09.43 on 29/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.342 [GMT 1:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\System32\TpScrLk.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\PROGRA~1\THINKV~1\AMSG\Amsg.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Quickres\QKRES2K.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\041413\Local Settings\Temporary Internet Files\Content.IE5\WT2Z4T6F\dds[1].scr

============== Pseudo HJT Report ===============

uWindow Title = Microsoft Internet Explorer provided by Virgin Atlantic Airways
uStart Page = hxxp://intranet.vaa.vtg/
mDefault_Page_URL = hxxp://intranet.vaa.vtg
uInternet Settings,ProxyOverride = *.VTG;10.*.*.*;*.vtg.local;SVAA*;194.100.100.1;204.26.248.*;204.26.249.*;192.168.*.*;*ebusiness.virgin-atlantic.com;ebus*.virgin-atlantic.com;195.6.25.194;https://services.airbusworld.com;*.2vshares.com;*.vsshares.com;172.30.84.83;https://pass.virgin-atlantic.com;10.20.7.81;<local>
uInternet Settings,ProxyServer = 127.0.0.1:80
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - c:\program files\winamp toolbar\winamptb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: blueskyadagency: {670b520c-3f08-4d72-94a5-047740c07766} - c:\windows\system32\nss1BA.dll
BHO: TBSB05288 Class: {6714adbd-c6c1-42a8-bd84-9c9339059421} - c:\program files\ietoolbar\eco bar\ecobar.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: blueskyadagency browser enhancer: {78f9a905-789c-d4b1-d5d6-336920981691} - c:\windows\system32\gchnamepziopknko.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: ECO Bar: {10000000-1000-1000-1000-100000000000} - c:\program files\ietoolbar\eco bar\ecobar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [VnrBlock21] "c:\program files\vnrblock\VnrBlock21.exe"
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [TPKBDLED] c:\windows\system32\TpScrLk.exe
mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe
mRun: [TP4EX] tp4ex.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
mRun: [AwaySch] c:\program files\lenovo\awaytask\AwaySch.EXE
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [AMSG] c:\progra~1\thinkv~1\amsg\Amsg.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [UniPrint] c:\progra~1\uniprint\client\SetDfltSettings.exe
mRun: [PDDM] c:\program files\patchlink\update agent\pddm.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Apple_KbdMgr] c:\program files\boot camp\KbdMgr.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [amnrdacemszalq] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\gchnamepziopknko.dll"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\041413\startm~1\programs\startup\runit_32.lnk - c:\program files\runit\runit_32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickres.lnk - c:\program files\quickres\QKRES2K.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoPropertiesMyDocuments = 1 (0x1)
uPolicies-explorer: NoPropertiesMyComputer = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSetTaskbar = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: RestrictCpl = 1 (0x1)
uPolicies-disallowrun: 1 = gmt.exe
uPolicies-disallowrun: 2 = hbinst.exe
uPolicies-disallowrun: 3 = hbsrv.exe
uPolicies-disallowrun: 4 = mwsoemon.exe
uPolicies-disallowrun: 5 = save.exe
uPolicies-disallowrun: 6 = soundmx.exe
uPolicies-disallowrun: 7 = swebexec.exe
uPolicies-disallowrun: 8 = weatherontray.exe
uPolicies-disallowrun: 9 = webshotstray.exe
uPolicies-system: NoDispSettingsPage = 1 (0x1)
uPolicies-system: DisableRegistryTools = 2 (0x2)
mPolicies-system: LogonType = 0 (0x0)
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\PkgMgr.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: 81.201.138.81
Trusted Zone: airnav
Trusted Zone: cibt.com\uk
Trusted Zone: datalex.com
Trusted Zone: doxzoneportal.com\www
Trusted Zone: dozzoneportal.com\www
Trusted Zone: eman
Trusted Zone: uk.vtg
Trusted Zone: vaa.vtg
Trusted Zone: virgin-atlantic.com
Trusted Zone: virgin-atlantic.com\connect
Trusted Zone: virgin-atlantic.com\pass
Trusted Zone: virgin-atlantic.com\www
Trusted Zone: virgin.com\egap.fly
Trusted Zone: virgin.com\thirdparty.fly
Trusted Zone: virginatlantic.com
Trusted Zone: vtg.local\*.vaa
Trusted Zone: worldspan.com
Trusted Zone: wsspan.com
Trusted Zone: airnav
Trusted Zone: cibt.com\uk
Trusted Zone: datalex.com
Trusted Zone: doxzoneportal.com\www
Trusted Zone: dozzoneportal.com\www
Trusted Zone: eman
Trusted Zone: uk.vtg
Trusted Zone: vaa.vtg
Trusted Zone: virgin-atlantic.com
Trusted Zone: virgin-atlantic.com\connect
Trusted Zone: virgin-atlantic.com\www
Trusted Zone: virgin.com\egap.fly
Trusted Zone: virgin.com\thirdparty.fly
Trusted Zone: virginatlantic.com
Trusted Zone: vtg.local\*.vaa
Trusted Zone: worldspan.com
Trusted Zone: wsspan.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: ACNotify - ACNotify.dll
Notify: AwayNotify - c:\program files\lenovo\awaytask\AwayNotify.dll
Notify: igfxcui - igfxdev.dll
Notify: tpfnf2 - notifyf2.dll
Notify: tphotkey - tphklock.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-8-30 85760]
R1 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2006-8-30 11520]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.sys [2006-8-30 6016]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-5-12 31816]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-8-30 4736]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [2006-8-30 4442]
R2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2007-10-8 140592]
R2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2007-10-8 99632]
R2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2007-10-8 4864]
R2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2007-10-8 6528]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2006-8-30 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2008-5-12 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2008-5-12 54608]
R2 radexecd;Radia Notify Daemon;c:\program files\novadigm\radexecd.exe [2002-12-2 196608]
R2 radsched;Radia Scheduler Daemon;c:\program files\novadigm\radsched.exe [2002-9-30 200704]
R2 Radstgms;Radia MSI Redirector;c:\program files\novadigm\Radstgms.exe [2003-3-27 303104]
R2 whlva;Whale Network Connector;c:\windows\system32\drivers\whlva.sys [2009-3-5 13312]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-3-5 72936]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-3-5 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-3-5 174952]
S2 LogWatch;Event Log Watch;c:\windows\logwatnt.exe --> c:\windows\LogWatNT.exe [?]
S3 ControlITService;ControlIT;&P(D0100A005CEE_74D5BCB2)\CtrITService.exe --> &P(D0100A005CEE_74D5BCB2)\CtrITService.exe [?]

=============== Created Last 30 ================

2009-05-29 10:58 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-05-29 10:46 3,426,962 a------- c:\windows\userguide.pdf
2009-05-28 15:27 <DIR> --d----- c:\windows\system32\LogFiles
2009-05-25 01:05 <DIR> --d----- c:\program files\QuickTorrentMaker
2009-05-24 20:46 85,654 a------- c:\windows\system32\c64c4ad1-507e-f01b-054b-9a3954e494bd.exe
2009-05-24 20:46 <DIR> --d----- c:\program files\VnrBlock
2009-05-24 20:46 <DIR> --d----- c:\program files\iCheck
2009-05-24 20:46 197,185 a------- c:\windows\tvilp4467.exe
2009-05-24 20:46 <DIR> --d----- c:\program files\IEToolbar
2009-05-24 20:46 905,670 a------- c:\windows\itqot3757.exe
2009-05-24 20:46 48,287 a------- c:\windows\system32\wskuofzpxkxdb.exe
2009-05-24 20:46 69,697 a------- c:\windows\tutvo5143.exe
2009-05-24 20:46 <DIR> --d----- c:\program files\runit
2009-05-24 20:46 208,038 a------- c:\windows\hsep60037.exe
2009-05-23 08:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Winamp Toolbar
2009-05-23 08:16 <DIR> --d----- c:\program files\Winamp Toolbar
2009-05-23 07:22 <DIR> --d----- c:\program files\DivX
2009-05-23 06:22 131,072 a------- c:\windows\system32\dzip32.dll
2009-05-23 06:22 110,592 a------- c:\windows\system32\dunzip32.dll
2009-05-23 06:22 <DIR> --d----- c:\program files\Windows Media Bonus Pack for Windows XP
2009-05-12 11:04 393,728 a------- c:\windows\system32\gchnamepziopknko.dll
2009-05-12 02:12 <DIR> --d----- c:\docume~1\041413\applic~1\LimeWire
2009-05-12 02:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-12 02:11 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-12 02:10 <DIR> --d----- c:\program files\LimeWire
2009-05-11 04:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-05-11 04:57 <DIR> --d----- c:\program files\common files\AVSMedia
2009-05-11 04:57 <DIR> --d----- c:\program files\AVS4YOU

==================== Find3M ====================

2009-04-15 21:25 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-04-13 17:54 686,592 a------- c:\windows\system32\nss1BA.dll
2009-03-28 01:35 315,392 a------- c:\windows\HideWin.exe
2009-03-13 14:22 112,976 a------- c:\windows\hpoins07.dat
2009-03-05 15:42 42,277 a------- c:\windows\system32\WhlLSPBackup_3.reg
2009-03-05 15:42 1,629 a------- c:\windows\system32\WhlNSPBackup_3.reg
2009-03-03 10:03 167,936 a------- c:\windows\RUNASP.EXE
2009-03-03 10:03 20,480 a------- c:\windows\CHANGEPAPER.EXE

============= FINISH: 12:31:12.23 ===============
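The log above is what the helpers later work from: the two "blueskyadagency" BHOs, the Run key that loads one of those DLLs through regsvr32 /s, and the VnrBlock entry all line up with files and folders that appear in the "Created Last 30" / "Find3M" sections. The following Python script is an added example, not part of this thread and not code from DDS, HijackThis or any other tool mentioned here; it performs that same correlation mechanically. It assumes the DDS line formats shown in the log (the `BHO:`/`TB:`/`EB:` and `uRun:`/`mRun:`/`dRun:` shapes, and the `date time size attrs path` file listing), and the sample lines embedded in it are copied from the report above so that it runs offline.

```python
import re
from collections import namedtuple

# Constructed sample: autostart lines copied from the "Pseudo HJT Report" of the DDS log posted above.
HJT_SAMPLE = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: blueskyadagency: {670b520c-3f08-4d72-94a5-047740c07766} - c:\windows\system32\nss1BA.dll
BHO: blueskyadagency browser enhancer: {78f9a905-789c-d4b1-d5d6-336920981691} - c:\windows\system32\gchnamepziopknko.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [VnrBlock21] "c:\program files\vnrblock\VnrBlock21.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [amnrdacemszalq] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\gchnamepziopknko.dll"
"""

# Constructed sample: file-listing lines copied from the "Created Last 30" and "Find3M" sections of the same log.
FILES_SAMPLE = r"""
2009-05-24 20:46 85,654 a------- c:\windows\system32\c64c4ad1-507e-f01b-054b-9a3954e494bd.exe
2009-05-24 20:46 <DIR> --d----- c:\program files\VnrBlock
2009-05-12 11:04 393,728 a------- c:\windows\system32\gchnamepziopknko.dll
2009-05-12 02:11 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-13 17:54 686,592 a------- c:\windows\system32\nss1BA.dll
"""

Finding = namedtuple("Finding", "kind name path reason")

FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+\S+\s+\S+\s+(.+)$")
RUN_BODY = re.compile(r"\[([^\]]+)\]\s*(.*)")
QUOTED = re.compile(r'"([^"]+)"')
BARE_BINARY = re.compile(r"\S+\.(?:exe|dll)\b", re.IGNORECASE)


def parse_recent_files(text):
    """Map each listed path (lower-cased, as DDS prints directory names) to its creation date."""
    recent = {}
    for line in text.strip().splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            created, path = m.groups()
            recent[path.lower()] = created
    return recent


def referenced_paths(command):
    """Every file path a Run-key command mentions: quoted paths first, then bare .exe/.dll tokens."""
    paths = QUOTED.findall(command)
    paths += BARE_BINARY.findall(QUOTED.sub(" ", command))
    return paths


def parse_autostarts(text):
    """Yield (kind, name, paths) for the BHO/TB/EB and Run-key lines of a pseudo-HJT report."""
    for line in text.strip().splitlines():
        kind, _, body = line.strip().partition(": ")
        if kind in ("BHO", "TB", "EB"):
            name, _, path = body.rpartition(" - ")
            # Drop the trailing CLSID so the name reads the way DDS displays it
            yield kind, name.partition(": {")[0], [] if path == "No File" else [path]
        elif kind in ("uRun", "mRun", "dRun"):
            m = RUN_BODY.match(body)
            if m:
                yield kind, m.group(1), referenced_paths(m.group(2))


def triage(hjt_text, files_text):
    """Flag autostart entries whose target (or its folder) appears in the recent-files listing,
    plus Run keys that load a DLL through regsvr32 /s, a pattern that deserves a manual look."""
    recent = parse_recent_files(files_text)
    findings = []
    for kind, name, paths in parse_autostarts(hjt_text):
        for path in paths:
            key = path.lower()
            folder = key.rsplit("\\", 1)[0]
            if key in recent:
                findings.append(Finding(kind, name, path, f"autostart points at a file created {recent[key]}"))
            elif folder in recent:
                findings.append(Finding(kind, name, path, f"autostart lives in a directory created {recent[folder]}"))
        if kind.endswith("Run") and any(p.lower().endswith("regsvr32.exe") for p in paths):
            for dll in (p for p in paths if p.lower().endswith(".dll")):
                findings.append(Finding(kind, name, dll, "Run key loads a DLL via regsvr32 /s"))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, FILES_SAMPLE):
        print(f"{f.kind:<4} {f.name:<35} {f.path}\n     -> {f.reason}")
```

Run against the sample it flags exactly the five items the helper later targets (two BHOs, the VnrBlock Run key, and the regsvr32 Run key twice: once for the DLL's creation date and once for the loading pattern), while the legitimate Adobe and Java entries pass. Matching is by full lower-cased path, so an entry that DDS prints in 8.3 short form (`c:\progra~1\...`) would not match a long-form listing; the heuristic is a triage aid, not a verdict.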


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:35 AM

Posted 29 May 2009 - 08:33 AM

Hello, theo4.
My name is aommaster and I will be helping you with your log.


If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Also, you may want to consider tracking this topic by either adding it to your favourites or clicking the Options button at the top of this thread.

Please note that I am in the process of my training so it may take a while for me to get back to you, as each of my fixes need to be checked by a coach first.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • RSIT Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:35 AM

Posted 31 May 2009 - 04:32 AM

Hello theo4
Are you still with us?



#4 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:35 AM

Posted 02 June 2009 - 06:02 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#5 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:01:35 AM

Posted 02 June 2009 - 01:09 PM

Topic reopened :thumbup2:

#6 theo4

theo4
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 03 June 2009 - 07:46 AM

Your assistance is much appreciated Baabouiz, aommaster. :thumbup2:

Please find attached the logs as requested.

Regards,

Theo

Attached Files

  • Attached File  info.txt   28.73KB   18 downloads
  • Attached File  log.txt   37.31KB   5 downloads

Edited by theo4, 03 June 2009 - 07:51 AM.


#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:35 AM

Posted 03 June 2009 - 08:52 AM

Hi :thumbup2:

Glad to help out. In the future when posting your logs, please copy and paste them into your topic rather than attaching them. It makes it easier for us to read :)

Please give me a while to take a look at your logs and I'll get back to you as soon as possible.



#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:35 AM

Posted 03 June 2009 - 12:43 PM

Hi :thumbup2:

Okay, so I've taken a look at your logs, and they seem to indicate that the computer that you're using is a workplace computer. I'd like to make sure of a couple of things before we commence with the fix:
1. Do you have administrator privileges on this computer?
2. Is this a workspace computer?
3. Some aspects of the fix will involve invasive steps (steps which involve deleting system files, etc.). I'd like to make sure whether you have permission to perform such actions (from your boss/company) on the PC.

Let me know :)



#9 theo4

theo4
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 04 June 2009 - 08:04 AM

Hi aommaster,

Yes, this is a workplace laptop and I do not have administrator privileges.

I am working remotely and I haven't been to base where I would normally synchronise. I don't expect to go back to base for another week or so. I do have the option of having the IT dept at base have a look at the problem, but wanted to resolve the problem myself if possible in order to restore the working order sooner rather than later, and avoid their involvement.

What do you recommend? :thumbup2:

Many thanks.

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:35 AM

Posted 05 June 2009 - 06:14 AM

Hello, theo4.
Since you'd like to fix your computer, I don't mind taking a stab at it :)

Let the fun begin :thumbup2:

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser: Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser: Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

NEXT:

We need to execute an OTMoveIt3 script
Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code under the Paste Instructions for Items to be Moved area. Do not include the word "Code".
    :Files
    C:\WINDOWS\system32\nss1BA.dll
    C:\WINDOWS\system32\gchnamepziopknko.dll
    C:\WINDOWS\system32\c64c4ad1-507e-f01b-054b-9a3954e494bd.exe
    C:\WINDOWS\tvilp4467.exe
    C:\WINDOWS\itqot3757.exe
    C:\WINDOWS\tutvo5143.exe
    C:\WINDOWS\hsep60037.exe
    C:\Program Files\VnrBlock
  • Push the large MoveIt! button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Results line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

NEXT:



Run HijackThis.
Click on Do a system scan only.
Place a checkmark next to these lines (if still present).


O2 - BHO: blueskyadagency - {670b520c-3f08-4d72-94a5-047740c07766} - C:\WINDOWS\system32\nss1BA.dll
O2 - BHO: blueskyadagency browser enhancer - {78F9A905-789C-D4B1-D5D6-336920981691} - C:\WINDOWS\system32\gchnamepziopknko.dll
O4 - HKLM\..\Run: [amnrdacemszalq] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\gchnamepziopknko.dll"
O4 - HKCU\..\Run: [VnrBlock21] "C:\Program Files\VnrBlock\VnrBlock21.exe"
O23 - Service: ControlIT (ControlITService) - Unknown owner - &P(D0100A005CEE_74D5BCB2)\CtrITService.exe (file missing)


Then close all windows except HijackThis and click Fix Checked.

Restart



NEXT:

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.


NEXT:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • OTMoveIt Log
  • RSIT Log
  • Description of any remaining problems
  • gmer.txt
  • Kaspersky Log



#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:35 AM

Posted 08 June 2009 - 04:14 AM

Hello theo4
Are you still with us?



#12 theo4

theo4
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 08 June 2009 - 09:44 AM

Thanks aommaster, just got access to a computer after being away for the weekend. I will get back to you later today after performing the functions you suggested. Once again, many thanks for your time. :thumbup2:

#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:35 AM

Posted 08 June 2009 - 09:49 AM

Hi!

Not a problem at all :thumbup2:



#14 theo4

theo4
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:35 PM

Posted 08 June 2009 - 10:44 AM

Hi aommaster, I am having trouble downloading the OTMoveIt3 file. I have tried going to the geekstogo.com site but it isn't listed as a download. theo

#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:35 AM

Posted 08 June 2009 - 10:57 AM

Hi!

Yeah, the software writer apparently changed the name of the program.

This link should work:
Clicky!
