Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware/Trojan Disabling Browser Access


  • This topic is locked This topic is locked
12 replies to this topic

#1 deus_ex

deus_ex

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 30 May 2009 - 04:21 AM

I was browsing the internet through IE when suddenly my computer restarted. The shutdown process took longer than usual. When it restarted, a pop-up came up that appeared to be from Windows Firewall (Which I had disabled before due to unwanted interference with games). It told me that it had detected Win32.Brontok and, instead of the normal options, had only "Enable Protection" allowed as a response, with the other options grayed out. When I clicked on the window, my default explorer (Firefox) came up directed to a site at www.perfectdreview.com. I immediately disconnect my computer from my router and ran Spybot. While it was searching, the pop-up kept coming up. When Spybot was done, it had discovered 4 different items. The items that I can remember were Smitfraud-C.gp, a Zlob downloader, and a MicrosoftFireWallBypass. Thinking the last one was the pop-up, I reconnected to the router and started up IE. It immediately closed before loading the homepage, and the pop-up came up again. Once again, I disconnected the router and restarted the computer, booting it up in Safe Mode. There, both Spybot and AVG 7 were unable to find any threats. I restarted it again, this time not in Safe Mode, and as soon as it booted up, the pop-up appeared. I also tried opening up both IE and Firefox, but both would close immediately upon opening. I went back into safe mode, and Spybot found more items. I would very much appreciate any help getting rid of this thing before it cripples my computer completely.
Note: I am doing this from another computer, and so far I have had to transfer documents between this and the infected computer through a flash drive. Please keep this in mind when giving instructions. Also, I ran DDS.scr while the infected computer was in safe mode. If this was a problem, I can redo it.


DDS (Ver_09-05-14.01) - NTFSx86 MINIMAL
Run by Ben at 3:57:00.56 on 05/30/2009 Sat
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.1014.724 [GMT -5:00]

AV: AVG 7.5.519 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
svchost
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Ben\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {382C8A97-BFEF-47B5-9770-87C4DE651E37} - No File
TB: {90222687-F593-4738-B738-FBEE9C7B26DF} - No File
TB: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [nah_Shell] c:\documents and settings\ben\nah_ppuy.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [realteks] "c:\documents and settings\ben\application data\google\uqrke8412012.exe" 2
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231268535031
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231268518906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\ygqt6sp4.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

============= SERVICES / DRIVERS ===============

R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-11-29 10760]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-11-29 821856]
S1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-11-29 4224]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-11-29 27776]
S2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-11-29 4960]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S3 WUSB11;Instant Wireless USB Network Adapter ver.2.5 Driver;c:\windows\system32\drivers\LSWLUSB.sys [2002-5-28 54083]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-11-29 418816]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-11-29 49664]
S4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-11-29 406528]

=============== Created Last 30 ================

2009-05-30 00:19 11,294 a------- c:\documents and settings\ben\nah_log.dat
2009-05-29 23:48 75,264 a------- c:\documents and settings\ben\nah_ppuy.exe
2009-05-10 14:57 <DIR> --d----- c:\windows\osu!
2009-05-10 14:57 <DIR> --d----- c:\program files\osu!
2009-05-09 01:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap
2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll
2009-05-01 00:31 73,728 a------- c:\windows\system32\nvtuicpl.cpl
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 20:07 20 ----hr-- c:\windows\wsysweb.dll

==================== Find3M ====================

2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-27 00:42 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-03-13 17:30 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-03-13 17:30 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-05-13 21:52 373 a------- c:\program files\wf.ini
2008-05-13 21:52 284 a------- c:\program files\wf.sco
2007-09-24 23:55 1,998,848 a------- c:\program files\colors.exe
2005-07-10 04:39 19,091 a------- c:\program files\readme_j.txt
2005-07-10 04:22 3,554 a------- c:\program files\readme.txt
2005-07-10 03:51 507,240 a------- c:\program files\data.bin
2005-07-10 03:51 430,080 a------- c:\program files\wf.exe

============= FINISH: 3:57:46.25 ===============

Attached Files



BC AdBot (Login to Remove)

 


m

#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,681 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:45 AM

Posted 10 June 2009 - 12:44 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


Follow BleepingComputer on: Facebook | Twitter | Google+

#3 deus_ex

deus_ex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 10 June 2009 - 04:48 PM

Hi, just want to point out that this DDS log was taken while in normal mode, where the pop-up keeps appearing, whereas the one before was taken while the computer was in safe mode. If there are any big changes, that would be the reason why, as the computer has not been used since I posted the topic.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Ben at 16:24:33.48 on 06/10/2009 Wed
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.1014.610 [GMT -5:00]

AV: AVG 7.5.519 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Ben\Application Data\Google\uqrke8412012.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BHO: {abd45510-9b22-41cd-9acd-8182a2da7c63} - c:\windows\system32\iehelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {382C8A97-BFEF-47B5-9770-87C4DE651E37} - No File
TB: {90222687-F593-4738-B738-FBEE9C7B26DF} - No File
TB: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [nah_Shell] c:\documents and settings\ben\nah_ppuy.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [realteks] "c:\documents and settings\ben\application data\google\uqrke8412012.exe" 2
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231268535031
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231268518906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\ygqt6sp4.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-11-29 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-11-29 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-11-29 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-11-29 10760]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-11-29 4960]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S3 WUSB11;Instant Wireless USB Network Adapter ver.2.5 Driver;c:\windows\system32\drivers\LSWLUSB.sys [2002-5-28 54083]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-11-29 418816]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-11-29 49664]
S4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-11-29 406528]

=============== Created Last 30 ================

2009-05-30 00:19 22,176 a------- c:\documents and settings\ben\nah_log.dat
2009-05-29 23:48 75,264 a------- c:\documents and settings\ben\nah_ppuy.exe

==================== Find3M ====================

2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-27 00:42 457,248 a------- c:\windows\system32\NVUNINST.EXE
2009-03-13 17:30 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-03-13 17:30 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-05-13 21:52 373 a------- c:\program files\wf.ini
2008-05-13 21:52 284 a------- c:\program files\wf.sco
2007-09-24 23:55 1,998,848 a------- c:\program files\colors.exe
2005-07-10 04:39 19,091 a------- c:\program files\readme_j.txt
2005-07-10 04:22 3,554 a------- c:\program files\readme.txt
2005-07-10 03:51 507,240 a------- c:\program files\data.bin
2005-07-10 03:51 430,080 a------- c:\program files\wf.exe

============= FINISH: 16:25:24.93 ===============

Attached Files



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:45 AM

Posted 13 June 2009 - 09:00 PM

Hi deus_ex,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.


You have a number of infections.

Please download the following tools onto a clean removable device, remember to rename Combofix.

MBAM
Combofix


Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of this checked:
    • Update Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

    After plugging it into the infected PC...

  • Double-click mbam-rules.exe
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Then

Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware
  • GeeksToGo
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)

    After plugging it into the infected PC...

  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#5 deus_ex

deus_ex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 14 June 2009 - 01:12 AM

Well, some good news: I am typing this out from the computer in question! Also, no pop-ups! :thumbup2:

Just a heads up: 2 things...
1. When running ComboFix, it never prompted me to install Windows Recovery Console, and the log states near the top that it is not installed. Hopefully not a problem.
2. Also when running ComboFix, it kept telling me AVG 7.5 was running. I turned off every feature that could be turned off, I closed it out in the system tray, I even ended its process in Task Manager! Yet ComboFix kept telling me it was running. I went ahead with the scan, and as soon as this ordeal is over, I'm uninstalling AVG.

Here is the text of the MBAM log:

Malwarebytes' Anti-Malware 1.37
Database version: 2273
Windows 5.1.2600 Service Pack 2

6/14/2009 12:27:02 AM
mbam-log-2009-06-14 (00-27-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 377401
Time elapsed: 1 hour(s), 59 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\Ben\Application Data\Google\Shell32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{abd45510-9b22-41cd-9acd-8182a2da7c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{abd45510-9b22-41cd-9acd-8182a2da7c63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{05c08379-f723-4d23-ac60-69a07a43d107} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6f0e8f4b-964c-4b30-a199-d6f0251ac9d3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0e17a61-7aca-45e6-ac82-cc955b04805c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b4069f9d-db70-4166-8fb8-feb68e884876} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e9db7c76-04a0-4f32-8b57-a24eec0f6db9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{abd45510-9b22-41cd-9acd-8182a2da7c63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hdtip.bxdm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Hanam) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{63f33b02-d553-45e2-98cc-862af58caa57}\RP401\A0139139.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\system volume information\_restore{63f33b02-d553-45e2-98cc-862af58caa57}\RP401\A0139222.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Ben\application data\Google\Shell32.dll (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\Ben\application data\Google\uqrke8412012.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Ben\nah_ppuy.exe (Trojan.Hanam) -> Quarantined and deleted successfully.





And here is the text of C:\Combofix.txt :

ComboFix 09-06-13.06 - Ben 4/2009 Sun 0:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.1014.623 [GMT -5:00]
Running from: c:\documents and settings\Ben\Desktop\Combo-Fix.exe
AV: AVG 7.5.519 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ben\Local Settings\Temporary Internet Files\1114576msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\1180018msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\1245768msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\1311542msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\131740msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\131744msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\131796msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\1901418msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\1966954msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\197146msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\197160msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\197328msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\197428msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\197430msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\2163248msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\2228718msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\2490984msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\3211892msHTMLEdit.html
c:\documents and settings\Ben\Local Settings\Temporary Internet Files\917958msHTMLEdit.html
c:\documents and settings\Ben\nah_log.dat
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\nsprs.dll
c:\windows\system32\nuq7v34.dll
c:\windows\system32\prsgrc.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\wsysweb.dll
D:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-14 to 2009-06-14 )))))))))))))))))))))))))))))))
.

2009-06-14 05:57 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-06-14 05:57 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-06-14 03:09 . 2009-06-14 03:09 -------- d-----w- c:\documents and settings\Ben\Application Data\Malwarebytes
2009-06-14 03:09 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-14 03:09 . 2009-06-14 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 03:09 . 2009-06-14 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-14 03:09 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 07:19 . 2009-05-30 07:19 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-30 07:18 . 2009-05-30 07:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2009-05-30 07:13 . 2009-05-30 07:17 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-05-30 07:09 . 2009-05-30 08:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVG7
2009-05-30 04:48 . 2009-05-30 04:48 422 ----a-w- c:\documents and settings\Ben\Application Data\AgeOfBooty\socks1.exe
2009-05-30 04:48 . 2009-05-30 04:48 16141 ----a-w- c:\documents and settings\Ben\Application Data\Atari\lego.exe
2009-05-30 04:48 . 2009-05-30 04:48 145131 ----a-w- c:\documents and settings\Ben\Application Data\Apple Computer\nomad.exe
2009-05-30 04:48 . 2009-05-30 04:48 13221 ----a-w- c:\documents and settings\Ben\Application Data\Adobe\rengo.dll
2009-05-30 04:48 . 2009-05-30 04:48 11410 ----a-w- c:\documents and settings\Ben\Application Data\AVG7\msgdi.dll
2009-05-30 04:48 . 2009-05-30 04:48 11232 ----a-w- c:\documents and settings\Ben\Application Data\.ABC 3.01\shalom.exe
2009-05-30 04:48 . 2009-05-30 04:48 10121 ----a-w- c:\documents and settings\Ben\Application Data\Blender Foundation\kern.dll
2009-05-25 20:20 . 2009-05-25 20:20 390664 ----a-w- c:\documents and settings\Ben\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 05:31 . 2007-05-19 19:55 -------- d-----w- c:\program files\Steam
2009-05-30 07:02 . 2007-12-07 21:46 1 ----a-w- c:\documents and settings\Ben\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-30 07:02 . 2007-05-23 22:30 -------- d-----w- c:\documents and settings\Ben\Application Data\OpenOffice.org2
2009-05-30 06:19 . 2007-11-27 23:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-30 05:22 . 2007-11-29 22:33 -------- d-----w- c:\documents and settings\Ben\Application Data\AVG7
2009-05-30 05:01 . 2007-03-27 00:59 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-21 04:20 . 2008-05-25 21:01 -------- d-----w- c:\program files\BSW
2009-05-11 17:42 . 2008-02-14 00:06 -------- d-----w- c:\program files\SystemRequirementsLab
2009-05-10 22:05 . 2009-05-10 19:57 -------- d-----w- c:\program files\osu!
2009-05-09 21:22 . 2007-11-01 21:15 81 ----a-w- c:\windows\popcinfot.dat
2009-05-09 06:40 . 2009-05-09 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-05-06 02:29 . 2008-06-13 21:48 30 ----a-w- c:\windows\popcinfo.dat
2009-05-06 02:15 . 2009-04-28 06:06 -------- d-----w- c:\program files\PopCap Games
2009-05-04 23:42 . 2007-05-19 19:08 527 ----a-w- c:\windows\eReg.dat
2009-05-01 05:31 . 2009-05-01 05:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-01 05:31 . 2009-05-01 05:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-05-01 05:31 . 2009-05-01 05:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-05-01 05:31 . 2009-05-01 05:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-05-01 05:31 . 2009-05-01 05:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-05-01 05:31 . 2009-05-01 05:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-05-01 05:31 . 2009-05-01 05:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-05-01 03:02 . 2009-05-01 03:02 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 03:02 . 2009-05-01 03:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 03:02 . 2009-05-01 03:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-05-01 03:02 . 2008-05-16 16:25 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 03:02 . 2008-05-16 16:25 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 03:02 . 2008-05-16 16:25 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 03:02 . 2008-05-16 16:25 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-05-01 03:02 . 2008-05-16 16:25 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 03:02 . 2008-03-15 19:28 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-05-01 03:02 . 2004-08-04 07:56 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-05-01 03:02 . 2004-08-04 05:29 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 04:25 . 2009-04-30 04:24 -------- d-----w- c:\program files\HBTeam
2009-04-28 22:00 . 2009-04-28 21:58 -------- d-----w- c:\program files\SanktPetersburg
2009-04-28 21:15 . 2003-07-16 20:31 1025 ----a-w- c:\windows\system32\jkhnlsn.dll
2009-04-28 21:15 . 2003-07-16 20:31 1025 ----a-w- c:\windows\system32\grcauth2.dll
2009-04-28 21:15 . 2003-07-16 20:31 1025 ----a-w- c:\windows\system32\grcauth1.dll
2009-04-28 21:15 . 2003-07-16 20:31 1025 ----a-w- c:\windows\system32\clauth2.dll
2009-04-28 21:15 . 2003-07-16 20:31 1025 ----a-w- c:\windows\system32\clauth1.dll
2009-04-28 21:15 . 2009-04-28 21:15 -------- d-----w- c:\documents and settings\Ben\Application Data\Curl Corporation
2009-04-28 21:15 . 2009-04-28 21:15 -------- d-----w- c:\program files\Curl Corporation
2009-04-28 21:11 . 2009-04-28 21:11 -------- d-----w- c:\program files\Pluto Scarab Software
2009-04-28 06:06 . 2009-04-28 06:06 0 ----a-w- c:\windows\popcreg.dat
2009-04-27 05:42 . 2008-03-15 19:27 457248 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-04-27 03:32 . 2007-11-27 23:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 02:52 . 2008-05-01 20:58 373 ----a-w- c:\program files\wf.ini
2008-05-14 02:52 . 2008-05-01 20:58 284 ----a-w- c:\program files\wf.sco
2007-09-25 04:55 . 2008-05-01 21:33 1998848 ----a-w- c:\program files\colors.exe
2005-07-10 09:39 . 2005-07-10 08:52 19091 ----a-w- c:\program files\readme_j.txt
2005-07-10 09:22 . 2005-07-10 08:52 3554 ----a-w- c:\program files\readme.txt
2005-07-10 08:51 . 2005-07-10 08:52 507240 ----a-w- c:\program files\data.bin
2005-07-10 08:51 . 2005-07-10 08:52 430080 ----a-w- c:\program files\wf.exe
2008-12-31 05:52 . 2007-11-12 23:29 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-31 05:52 . 2007-11-12 23:29 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-31 05:52 . 2007-11-12 23:29 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-31 05:52 . 2007-11-12 23:29 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-31 05:52 . 2007-11-12 23:29 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6dfc55bb-bfff-485a-9709-90c3fdf6db58}]
2008-02-19 23:36 1555480 ----a-w- c:\program files\Wisdom-soft\tbWis1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-06-14 1217784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-15 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-29 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Instant Wireless Configuration Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Instant Wireless Configuration Utility.lnk
backup=c:\windows\pss\Instant Wireless Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=2 (0x2)
"NVSvc"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"iPod Service"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Railroads!\\RailRoads.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForever.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\railroad tycoon 2 platinum\\RT2_PLAT.EXE"=
"c:\\Program Files\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\deus ex\\System\\DeusEx.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mevo and the grooveriders\\Mevo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\freedom force vs. the 3rd reich demo\\ffvt3rd.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\freedom force - demo\\fforce.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the maw\\TheMaw.exe"=

S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys --> c:\windows\system32\DRIVERS\EAPPkt.sys [?]
S3 WUSB11;Instant Wireless USB Network Adapter ver.2.5 Driver;c:\windows\system32\drivers\LSWLUSB.sys [5/28/2002 7:28 PM 54083]
.
Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/home.php
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 00:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-507921405-725345543-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1292428093-507921405-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:e4,29,53,51,4b,77,46,21,a3,d0,d5,52,7c,34,1b,2f,9d,5f,4c,2b,07,
d1,0a,46,af,bc,1e,85,8a,34,97,71,ea,96,af,1b,69,dd,2b,e6,a6,e2,08,15,51,59,\
"rkeysecu"=hex:52,3d,f7,84,20,38,19,2c,3c,dd,7c,4f,35,11,c1,16
.
Completion time: 2009-06-14 1:00
ComboFix-quarantined-files.txt 2009-06-14 06:00

Pre-Run: 18,243,293,184 bytes free
Post-Run: 18,261,344,256 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
242 --- E O F --- 2008-09-08 02:04




I have also attached the same file, as your wording as to how to include it was a bit unclear.

Thank you so much for helping me! :)

Attached Files



#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:45 AM

Posted 14 June 2009 - 04:32 AM

Hi deus_ex,

Good news! :)

AVG is a good antivirus but there are other options which I will let you know in my final instructions.

We need to run an online scan to see if there's anything else around.

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.

Also


Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)Close your browser.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

If you are using Firefox and this has caused page loading problems then please clear your private data. To do this go
to the Tools menu, select Clear Private Data, and then check Cache. Click Clear Private Data Now.

Then close Firefox and then reopen it.

Let me know if there are any other problems with the PC too.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#7 deus_ex

deus_ex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 14 June 2009 - 06:43 PM

Hey, I did everything you asked, no problems came up.

I've attached the BitDefender log, because copying and pasting won't work with it.

Attached Files



#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:45 AM

Posted 14 June 2009 - 06:50 PM

Hey deus_ex,

BitDefender has done a nice job of cleaning up.

How is the PC acting now?

Please post a new DDS log and let me know of any other problems. :thumbup2:

Thanks
Posted Image
m0le is a proud member of UNITE

#9 deus_ex

deus_ex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 14 June 2009 - 09:36 PM

Hey, computer's running fine, possibly a bit better than before. Thank you for all your help! :thumbup2:

Here is the text of the new DDS.txt:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Ben at 21:32:56.96 on 06/14/2009 Sun
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.932.81.1033.18.1014.429 [GMT -5:00]

AV: AVG 7.5.519 *On-access scanning enabled* (Updated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ben\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {90222687-F593-4738-B738-FBEE9C7B26DF} - No File
TB: Wisdom-soft Toolbar: {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - c:\program files\wisdom-soft\tbWis1.dll
TB: {382C8A97-BFEF-47B5-9770-87C4DE651E37} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [RunNarrator] Narrator.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231268535031
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231268518906
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - hxxp://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ben\applic~1\mozilla\firefox\profiles\ygqt6sp4.default\
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-11-29 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-11-29 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-11-29 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-11-29 10760]
R2 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-11-29 4960]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S3 WUSB11;Instant Wireless USB Network Adapter ver.2.5 Driver;c:\windows\system32\drivers\LSWLUSB.sys [2002-5-28 54083]
S4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-10-29 587096]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-11-29 418816]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-11-29 49664]
S4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-11-29 406528]

=============== Created Last 30 ================

2009-06-14 18:35 20,317 a------- C:\BitDefenderLog.html
2009-06-14 00:57 50,176 ac------ c:\windows\system32\dllcache\proquota.exe
2009-06-14 00:57 50,176 a------- c:\windows\system32\proquota.exe
2009-06-14 00:42 161,792 a------- c:\windows\SWREG.exe
2009-06-14 00:42 155,136 a------- c:\windows\PEV.exe
2009-06-14 00:42 98,816 a------- c:\windows\sed.exe
2009-06-14 00:42 <DIR> --ds---- C:\Combo-Fix
2009-06-13 22:09 <DIR> --d----- c:\docume~1\ben\applic~1\Malwarebytes
2009-06-13 22:09 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-13 22:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-13 22:09 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-13 22:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 457,248 a------- c:\windows\system32\nvudisp.exe
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-27 00:42 457,248 a------- c:\windows\system32\NVUNINST.EXE
2008-05-13 21:52 373 a------- c:\program files\wf.ini
2008-05-13 21:52 284 a------- c:\program files\wf.sco
2007-09-24 23:55 1,998,848 a------- c:\program files\colors.exe
2005-07-10 04:39 19,091 a------- c:\program files\readme_j.txt
2005-07-10 04:22 3,554 a------- c:\program files\readme.txt
2005-07-10 03:51 507,240 a------- c:\program files\data.bin
2005-07-10 03:51 430,080 a------- c:\program files\wf.exe

============= FINISH: 21:33:45.92 ===============




Also attached is the Attach.txt.

Attached Files



#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:45 AM

Posted 15 June 2009 - 09:18 AM

Hi deus_ex,

That log is clean. :thumbup2:

There does seem to be problems with your copy of AVG so it may be better to uninstall it. I will be giving you a whole list of antivirus options later on.

Let's firstly do some housekeeping

Please reactivate your antivirus, antispyware and firewall programs.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Delete ComboFix and Clean Up
Click Start > Run and type combofix /u click OK (Note the space between combofix and /u)
Posted Image
Please advise if this step is missed for any reason as it performs some important actions.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
Here's a list of ways you can avoid problems in the future:

Use an AntiVirus Software

Your copy of AVG seems to be having problems.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Use a Firewall

I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version. or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer


That's it deus_ex, happy surfing!

Cheers,


m0le
Posted Image
m0le is a proud member of UNITE

#11 deus_ex

deus_ex
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 PM

Posted 15 June 2009 - 04:31 PM

Hey, thanks for all your help so far. Just a few things, though:

1. I was unable to download the Java RE like you advised. The first two times I tried following your instructions, it could not complete the transaction. The next few times, it either took a few tries to load the pages or it sent me to other places, like one page where it asked for email and stuff. It seems this page is for subscribing to info about their Glassfish service, whatever that is. The next time I tried downloading, their Customer Service denied me the download without providing a reason.

EDIT: When I open the link you provided in a new tab, it takes me to that Glassfish page again randomly. The next time I did so, it took me to the proper page. What the heck?
UPDATE: Never mind, it's working now. Weird.

2. Was OTC supposed to delete the various links to the programs used in this process from my desktop? After running it, the OTC icon is gone, but not MBAM or ATF.

Once again, thanks!

Edited by deus_ex, 15 June 2009 - 09:20 PM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:45 AM

Posted 20 June 2009 - 05:01 AM

Hi deus_ex,

Sorry, I missed your post.

1. I was unable to download the Java RE like you advised. The first two times I tried following your instructions, it could not complete the transaction. The next few times, it either took a few tries to load the pages or it sent me to other places, like one page where it asked for email and stuff. It seems this page is for subscribing to info about their Glassfish service, whatever that is. The next time I tried downloading, their Customer Service denied me the download without providing a reason.


You must update Java. Follow these instructions.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Was OTC supposed to delete the various links to the programs used in this process from my desktop? After running it, the OTC icon is gone, but not MBAM or ATF.


OTC removes certain programs which are only used for fixes. MBAM and ATF are good programs to keep so OTC leaves them on your computer.

:thumbup2:
Posted Image
m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:01:45 AM

Posted 21 June 2009 - 03:54 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users