
Trojan.DNS Changer?


  • This topic is locked
7 replies to this topic

#1 thelonious


Posted 04 June 2009 - 10:11 PM

Symptoms:

100% CPU utilization
Google links go to funny, random places
NAV 2009 disabled
MBAM only runs if renamed
MBAM found Trojan.DNSChanger; says it killed it, but it apparently grew back even though Malwarebytes doesn't see it any more on 6/4.
Running Vista Home in safe mode circumvents the CPU use problem, but DNS is still fried.

Can you help?

Here is DDS:


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Dave at 21:48:17.74 on Thu 06/04/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3518.2886 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird 3 Beta 2\thunderbird.exe
C:\Users\Dave\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081112
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081112
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [MoneyBackgoundBanking] "c:\program files\microsoft money plus\mnycorefiles\mnybbsvc.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
uPolicies-explorer: TurnOffSPIAnimations = 1 (0x1)
uPolicies-explorer: AlwaysShowClassicMenu = 1 (0x1)
uPolicies-explorer: DisableThumbnailsOnNetworkFolders = 1 (0x1)
uPolicies-explorer: HideSCABattery = 1 (0x1)
uPolicies-explorer: TaskbarNoThumbnail = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: RestrictWelcomeCenter = 1 (0x1)
uPolicies-explorer: StartMenuLogOff = 1 (0x1)
uPolicies-explorer: HideSCANetwork = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\flhx5se3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.newyorktimes.com
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-20 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-20 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-20 482352]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090528.001\IDSvix86.sys [2009-5-29 292912]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-20 115560]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nav\1005000.086\symndisv.sys [2009-3-20 39984]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2008-1-20 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2008-1-20 251904]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-11-12 131616]

=============== Created Last 30 ================

2009-06-03 07:49 <DIR> -cd----- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-03 07:49 <DIR> -cd----- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-02 22:51 <DIR> -cd----- c:\users\dave\appdata\roaming\Malwarebytes
2009-06-02 22:48 40,160 ac------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-02 22:48 <DIR> -cd----- c:\programdata\Malwarebytes
2009-06-02 22:48 <DIR> -cd----- c:\progra~2\Malwarebytes
2009-06-02 22:48 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-06-02 22:48 <DIR> -cd----- c:\program files\Malwarebytes' Anti-Malware
2009-06-02 22:11 318,976 ac------ c:\windows\system32\CF29126.exe
2009-05-31 13:43 <DIR> -cd----- c:\program files\VideoTools
2009-05-28 22:06 <DIR> -cd----- C:\subtitles
2009-05-28 21:01 380,928 ac------ c:\windows\system32\ac3filter.acm
2009-05-28 21:01 <DIR> -cd----- c:\program files\AC3Filter
2009-05-17 21:44 442,368 ac------ c:\windows\system32\NVUNINST.EXE
2009-05-17 21:40 313,888 ac------ c:\windows\system32\nvexpbar.dll
2009-05-17 21:40 1,079,840 ac------ c:\windows\system32\nvcpluir.dll
2009-05-17 21:40 768,544 ac------ c:\windows\system32\nvcplui.exe
2009-05-17 21:40 420,384 ac------ c:\windows\system32\nvcpl.cpl
2009-05-17 21:40 37,888 ac------ c:\windows\system32\nvcodins.dll
2009-05-17 21:34 <DIR> -cd----- c:\program files\AMD
2009-05-17 21:26 319,456 ac------ c:\windows\DIFxAPI.dll
2009-05-17 21:25 520,192 ac------ c:\windows\RtlExUpd.dll
2009-05-17 21:25 315,392 ac------ c:\windows\HideWin.exe
2009-05-09 20:27 38,762 ac------ c:\windows\system32\folder.jpg
2009-05-09 13:25 <DIR> -cd----- c:\users\dave\appdata\roaming\AMPSoft
2009-05-09 13:24 <DIR> -cd----- c:\program files\AMP Font Viewer

==================== Find3M ====================

2009-05-20 21:55 86,016 a------- c:\windows\inf\infstrng.dat
2009-05-20 21:55 86,016 a------- c:\windows\inf\infstor.dat
2009-05-20 21:55 51,200 a------- c:\windows\inf\infpub.dat
2009-04-14 22:43 249,856 ac------ c:\windows\system32\pdfmona.dll
2009-04-14 22:43 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-03-21 13:23 8,653 ac------ c:\windows\mozver.dat
2009-03-21 13:23 118,784 ac------ c:\windows\GREUninstall.exe
2009-03-16 22:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 22:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 22:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-09 05:19 410,984 ac------ c:\windows\system32\deploytk.dll
2008-11-12 14:05 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 21:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 07:39 287,440 ac------ c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:39 287,440 ac------ c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:39 30,674 ac------ c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:39 30,674 ac------ c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 ac------ c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 ac------ c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 ac------ c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 ac------ c:\windows\inf\perflib\0000\perfc.dat
2008-12-26 02:48 16,384 ac-sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-26 02:48 32,768 ac-sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-26 02:48 16,384 ac-sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 21:48:32.26 ===============

MBAM log #1

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 6.0.6001 Service Pack 1

6/3/2009 12:32:37 AM
mbam-log-2009-06-03 (00-32-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168101
Time elapsed: 21 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 4
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VideoTools (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VideoTools (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RkHit (Rogue.SpywareCease) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Program Files\PCenter\pc.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4f5608e1-f00c-4e97-a9bf-d4d33fe1c6e7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.69,85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4f5608e1-f00c-4e97-a9bf-d4d33fe1c6e7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.69,85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d573b73e-f4a6-481a-a200-da04be03efc0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.69,85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4f5608e1-f00c-4e97-a9bf-d4d33fe1c6e7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.69,85.255.112.209 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{4f5608e1-f00c-4e97-a9bf-d4d33fe1c6e7}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.69,85.255.112.209 -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\Dave\AppData\Roaming\PCenter (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\dbases (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\keys (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\temp (Rogue.PCenter) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Dave\downloads\Flash.Player.HD.v10.0.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\dbases\cg.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\dbases\mw.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\dbases\rd.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\dbases\sc.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\dbases\sm.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\dbases\sp.dat (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\keys\cg.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\keys\rd.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\keys\sc.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\keys\sp.key (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\temp\settings.ini (Rogue.PCenter) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\PCenter\temp\spfilter (Rogue.PCenter) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
c:\RECYCLER\S-5-7-72-100001017-100001136-100020905-3810.com (Trojan.Agent) -> Quarantined and deleted successfully.

MBAM log #2

Malwarebytes' Anti-Malware 1.37
Database version: 2220
Windows 6.0.6001 Service Pack 1

6/3/2009 7:30:38 AM
mbam-log-2009-06-03 (07-30-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 170384
Time elapsed: 21 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\videotools\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\Users\Dave\downloads\vidpl.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.

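The MBAM log above shows the two settings Trojan.DNSChanger and the Hijack.Shell detection tampered with: the per-interface NameServer/DhcpNameServer values under Tcpip\Parameters\Interfaces (pointed at 85.255.112.69 and 85.255.112.209) and the Winlogon Shell value (pointed at pc.exe instead of Explorer.exe). The script below is an added example, not part of the thread or of any tool mentioned in it: it parses a registry export in REGEDIT4 text form and flags resolver addresses that are neither private nor on an allow-list, and any Winlogon Shell that is not the default explorer.exe. The export embedded in it is constructed for the example (its key paths and resolver addresses mirror the MBAM log), and the allow-list containing 192.168.1.1 is an assumption standing in for whatever resolvers a given network actually uses.

```python
"""Audit DNS resolver and Winlogon Shell settings in a registry export.

Added example; the .reg text below is constructed to mirror the keys and
values reported in the MBAM log, and the approved-resolver list is an
assumption for a home LAN, not a value from the thread.
"""
import ipaddress
import re

# Constructed REGEDIT4 export. A real one comes from `reg export` or
# regedit; note that .reg files escape backslashes inside string data.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4f5608e1-f00c-4e97-a9bf-d4d33fe1c6e7}]
"DhcpNameServer"="85.255.112.69,85.255.112.209"
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d573b73e-f4a6-481a-a200-da04be03efc0}]
"NameServer"="192.168.1.1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Program Files\\PCenter\\pc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Path fragments identifying the two settings being audited.
TCPIP_IFACES = '\\Services\\Tcpip\\Parameters\\Interfaces\\'
WINLOGON = '\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'


def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for REG_SZ entries."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            # Undo the .reg escaping of backslashes and quotes.
            value = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group(1)] = value
    return keys


def audit_dns(keys, approved):
    """Flag resolver addresses that are neither approved nor RFC 1918 private."""
    findings = []
    for path, values in keys.items():
        if TCPIP_IFACES.lower() not in path.lower():
            continue
        for name in ('NameServer', 'DhcpNameServer'):
            for addr in re.split(r'[,\s]+', values.get(name, '')):
                if not addr:
                    continue
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    findings.append((path, name, addr, 'unparseable resolver'))
                    continue
                if addr in approved or ip.is_private:
                    continue
                findings.append((path, name, addr, 'unapproved public resolver'))
    return findings


def audit_shell(keys):
    """Flag any Winlogon Shell value (HKLM or HKCU) that is not explorer.exe."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith(WINLOGON.lower()):
            continue
        shell = values.get('Shell')
        if shell is not None and shell.strip().lower() != 'explorer.exe':
            findings.append((path, 'Shell', shell, 'non-default shell'))
    return findings


def audit(text, approved=frozenset({'192.168.1.1'})):
    """Run both checks over a .reg export and return (path, name, value, reason) tuples."""
    keys = parse_reg(text)
    return audit_dns(keys, approved) + audit_shell(keys)


if __name__ == '__main__':
    for path, name, value, reason in audit(SAMPLE_REG):
        print(f'{reason}: {name}={value!r} in {path}')
```

Run against the constructed export it reports both 85.255.112.x resolvers on the first interface and the pc.exe shell under HKCU, while the private gateway address and the HKLM explorer.exe entry pass. The check covers DhcpNameServer as well as NameServer because, as the log shows, the trojan rewrote the DHCP-supplied value too, so a machine can look correctly configured for DHCP and still resolve through a rogue server.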

#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:47 AM

Posted 05 June 2009 - 05:30 AM

Hi thelonious,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Good job presenting the issue with the logs. It is the Trojan.DNSChanger and it is still there. The rootkit component is not removed yet. If ComboFix didn't run, rename it to thelonious.exe and run it.
  • I see the traces of Browser Address Error Redirector in the log. This is usually preinstalled on Dell computers without the consent of the user. You may uninstall it via Add/Remove Programs. If you decide to uninstall it, also remove the following folder: C:\Program Files\BAE

  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please copy and paste C:\ComboFix.txt in your next reply.


#3 thelonious

  • Topic Starter

Posted 05 June 2009 - 11:22 AM

Thanks for your quick response, Farbar!

I'll remove BAE later if you think it contributes to my problem. I ran ComboFix. Here's the log. The machine seems OK, but I will only know for sure after a little exercise and your clean bill of health.

Thanks again,

Thelonious

ComboFix 09-06-04.09 - Dave 06/05/2009 10:09.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.3518.2789 [GMT -5:00]
Running from: c:\users\Dave\Desktop\thelonious.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gxvxcfrdesxietebhmrmvpqcdvdfraiqpbcpq.sys
c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
c:\windows\system32\drivers\RKHit.sys
c:\windows\system32\gxvxctivukunrcmliokpxcxpbsojmrlxscyow.dll
c:\windows\system32\gxvxcwokrhbigttajdxoxtmtrbqicjtpmbfyp.dll
D:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))
.

2009-06-05 15:16 . 2009-06-05 15:17 -------- dc----w- c:\users\Dave\AppData\Local\temp
2009-06-05 15:16 . 2009-06-05 15:16 -------- dc----w- c:\users\Victor\AppData\Local\temp
2009-06-05 15:07 . 2009-06-05 15:17 -------- dcs---w- \thelonious
2009-06-05 15:05 . 2009-02-27 11:02 165240 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-05 02:07 . 2009-06-05 02:08 -------- dc----w- c:\program files\ERUNT
2009-06-03 12:49 . 2009-06-03 12:49 -------- dc----w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-03 03:51 . 2009-06-03 03:51 -------- dc----w- c:\users\Dave\AppData\Roaming\Malwarebytes
2009-06-03 03:48 . 2009-05-26 18:20 40160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-03 03:48 . 2009-06-03 03:48 -------- dc----w- c:\programdata\Malwarebytes
2009-06-03 03:48 . 2009-06-03 03:50 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 03:48 . 2009-05-26 18:19 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-05-31 18:43 . 2009-06-03 12:30 -------- dc----w- c:\program files\VideoTools
2009-05-31 03:17 . 2009-05-31 03:19 -------- dc----w- c:\users\Victor\AppData\Local\Microsoft Games
2009-05-31 03:11 . 2009-05-31 03:11 49880 -c--a-w- c:\users\Victor\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-31 03:11 . 2009-05-31 03:11 -------- dc----w- c:\users\Victor\AppData\Local\SupportSoft
2009-05-30 00:59 . 2009-03-16 20:03 533880 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\Scxpx86.dll
2009-05-30 00:59 . 2009-01-29 21:50 276344 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSXpx86.sys
2009-05-30 00:59 . 2009-01-29 21:50 292912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSvix86.sys
2009-05-30 00:59 . 2009-01-29 21:50 447864 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSxpx86.dll
2009-05-30 00:59 . 2009-01-29 21:50 396848 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSviA64.sys
2009-05-29 03:06 . 2009-05-29 03:07 -------- dc----w- C:\subtitles
2009-05-29 03:06 . 2009-05-29 03:07 -------- dc----w- \subtitles
2009-05-29 02:16 . 2009-06-05 12:14 -------- dc----w- c:\program files\Gabest
2009-05-29 02:01 . 2009-05-29 02:01 -------- dc----w- c:\program files\AC3Filter
2009-05-20 02:06 . 2009-03-16 20:03 533880 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\Scxpx86.dll
2009-05-20 02:06 . 2009-01-29 21:50 276344 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSXpx86.sys
2009-05-20 02:06 . 2009-01-29 21:50 292912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys
2009-05-20 02:06 . 2009-01-29 21:50 447864 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSxpx86.dll
2009-05-20 02:06 . 2009-01-29 21:50 396848 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSviA64.sys
2009-05-18 02:44 . 2008-05-03 05:16 442368 -c--a-w- c:\windows\system32\NVUNINST.EXE
2009-05-18 02:40 . 2008-05-03 05:16 313888 -c--a-w- c:\windows\system32\nvexpbar.dll
2009-05-18 02:40 . 2008-05-03 05:16 768544 -c--a-w- c:\windows\system32\nvcplui.exe
2009-05-18 02:40 . 2008-05-03 05:16 1079840 -c--a-w- c:\windows\system32\nvcpluir.dll
2009-05-18 02:40 . 2007-04-20 11:05 37888 -c--a-w- c:\windows\system32\nvcodins.dll
2009-05-18 02:35 . 2009-05-18 02:35 -------- dc----w- c:\users\Dave\AppData\Roaming\InstallShield
2009-05-18 02:34 . 2009-05-18 02:34 -------- dc----w- c:\program files\AMD
2009-05-18 02:26 . 2009-05-18 02:26 319456 -c--a-w- c:\windows\DIFxAPI.dll
2009-05-18 02:25 . 2009-05-18 02:25 315392 -c--a-w- c:\windows\HideWin.exe
2009-05-18 02:25 . 2007-07-26 22:09 520192 -c--a-w- c:\windows\RtlExUpd.dll
2009-05-09 18:25 . 2009-05-09 18:25 -------- dc----w- c:\users\Dave\AppData\Roaming\AMPSoft
2009-05-09 18:24 . 2009-05-09 18:24 -------- dc----w- c:\program files\AMP Font Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-05 15:04 . 2008-11-12 18:43 4003012608 --sha-w- \pagefile.sys
2009-06-05 12:38 . 2009-03-08 15:03 -------- dc----w- c:\program files\Mozilla Thunderbird 3 Beta 2
2009-06-05 12:04 . 2008-12-25 18:55 49880 -c--a-w- c:\users\Dave\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-05 05:25 . 2008-11-12 16:29 -------- dc----w- c:\programdata\Microsoft Help
2009-06-05 05:14 . 2008-11-12 16:30 -------- dc----w- c:\program files\Microsoft Works
2009-06-03 01:30 . 2008-12-27 18:32 1356 -c--a-w- c:\users\Dave\AppData\Local\d3d9caps.dat
2009-06-02 02:52 . 2008-12-27 23:56 -------- dc----w- c:\users\Dave\AppData\Roaming\UseNeXT
2009-05-27 01:18 . 2008-12-27 23:56 -------- dc----w- c:\program files\UseNeXT
2009-05-20 01:57 . 2008-11-12 16:51 -------- dc----w- c:\programdata\NVIDIA
2009-05-14 02:58 . 2006-11-02 11:18 -------- dc----w- c:\program files\Windows Mail
2009-05-09 16:54 . 2009-05-04 03:23 -------- dc----w- c:\program files\MediaMonkey
2009-05-04 03:18 . 2009-05-04 03:18 -------- dc----w- c:\program files\CCleaner
2009-05-04 00:51 . 2009-05-04 00:39 -------- dc----w- c:\program files\MM3
2009-05-03 01:54 . 2008-11-12 16:31 -------- dc----w- c:\program files\Google
2009-05-01 13:21 . 2009-02-28 13:04 -------- dc----w- c:\program files\DivX
2009-05-01 13:20 . 2009-05-01 13:19 -------- dc----w- c:\program files\Common Files\DivX Shared
2009-04-23 00:28 . 2008-11-12 16:35 -------- dc----w- c:\programdata\SupportSoft
2009-04-23 00:28 . 2008-11-12 16:31 -------- dc----w- c:\program files\Dell
2009-04-21 12:26 . 2009-04-20 18:24 -------- dc----w- c:\program files\NeoSmart Technologies
2009-04-16 00:09 . 2009-04-15 03:41 100 -c--a-w- c:\windows\wpd99.drv
2009-04-16 00:08 . 2009-04-15 03:41 -------- dc----w- c:\programdata\pdf995
2009-04-16 00:06 . 2009-04-16 00:06 -------- dc----w- c:\users\Dave\AppData\Roaming\pdf995
2009-04-15 03:43 . 2009-04-15 03:41 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2009-04-15 03:43 . 2009-04-15 03:41 249856 -c--a-w- c:\windows\system32\pdfmona.dll
2009-04-11 22:19 . 2009-04-11 22:07 -------- dc----w- c:\program files\TaxCut08
2009-04-11 22:17 . 2009-04-11 22:16 29589992 -c--a-w- c:\programdata\TaxCut\2008\Update\US33017101eupd.exe
2009-04-11 22:09 . 2009-04-11 22:09 -------- dc----w- c:\users\Dave\AppData\Roaming\TaxCut
2009-04-11 22:07 . 2009-04-11 22:07 -------- dc----w- c:\program files\PDF995
2009-04-11 22:05 . 2009-04-11 22:05 -------- dc----w- c:\programdata\TaxCut
2009-04-11 17:50 . 2008-11-12 16:27 -------- dc----w- c:\program files\Common Files\Adobe
2009-03-21 18:24 . 2008-12-26 15:44 335 -c--a-w- c:\windows\nsreg.dat
2009-03-21 18:23 . 2009-03-21 18:23 8653 -c--a-w- c:\windows\mozver.dat
2009-03-21 18:23 . 2009-03-21 18:23 118784 -c--a-w- c:\windows\GREUninstall.exe
2009-03-21 00:05 . 2009-01-12 14:16 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-17 03:38 . 2009-04-19 00:00 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-19 00:00 24064 ----a-w- c:\windows\system32\amxread.dll
2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-03-14 15:28 . 2009-06-05 12:14 89104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090604.040\NAVENG.SYS
2009-03-14 15:28 . 2009-06-05 12:14 876144 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090604.040\NAVEX15.SYS
2009-03-14 15:28 . 2009-06-05 12:14 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090604.040\NAVENG32.DLL
2009-03-14 15:28 . 2009-06-05 12:14 1181040 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090604.040\NAVEX32A.DLL
2009-03-14 15:28 . 2009-06-05 12:14 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090604.040\EECTRL.SYS
2009-03-14 15:28 . 2009-06-05 12:14 259368 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090604.040\ECMSVR32.DLL
2009-03-14 15:28 . 2009-06-05 12:14 2414128 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090604.040\CCERASER.DLL
2009-03-14 15:28 . 2009-06-05 12:14 101936 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090604.040\ERASER.SYS
2009-03-09 10:19 . 2008-12-26 16:04 410984 -c--a-w- c:\windows\system32\deploytk.dll
2007-06-22 00:38 . 2007-06-22 00:38 30280 -c--a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-22 00:38 . 2007-06-22 00:38 79432 -c--a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-22 00:38 . 2007-06-22 00:38 71240 -c--a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-22 00:38 . 2007-06-22 00:38 140872 -c--a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-22 00:39 . 2007-06-22 00:39 38472 -c--a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-22 00:39 . 2007-06-22 00:39 46664 -c--a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2007-06-22 00:39 . 2007-06-22 00:39 34376 -c--a-w- c:\program files\mozilla firefox\plugins\logging.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-06-22 00:39 . 2007-06-22 00:39 685640 -c--a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-22 00:40 . 2007-06-22 00:40 30280 -c--a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2008-11-12 18:56 . 2008-11-12 18:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2008-01-21 02:32 . 2008-01-21 02:32 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6001.18000_none_f1582d884fb532fb\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyBackgoundBanking"="c:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-03-11 202544]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 92704]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-09-24 4452352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TurnOffSPIAnimations"= 1 (0x1)
"AlwaysShowClassicMenu"= 1 (0x1)
"DisableThumbnailsOnNetworkFolders"= 1 (0x1)
"HideSCABattery"= 1 (0x1)
"TaskbarNoThumbnail"= 1 (0x1)
"RestrictWelcomeCenter"= 1 (0x1)
"HideSCANetwork"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-11-12 16:37 10536 -c--a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3711636142-2928330787-4260267456-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{67BF118A-C722-4908-B1DF-3DC2A8447BB4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{18EF8B9F-A8F8-4C06-87D9-AAAF27D4144F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9AA3933A-105E-4C65-ABA4-762118DB1234}"= c:\program files\CyberLink\PowerDVD DX\PowerDVD.exe:CyberLink PowerDVD DX
"{34112868-4DB4-43B8-BC20-BA6C94F1B182}"= c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe:CyberLink PowerDVD DX Resident Program

R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NAV\1005000.086\SymEFA.sys [3/20/2009 7:05 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NAV\1005000.086\BHDrvx86.sys [3/20/2009 7:05 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NAV\1005000.086\cchpx86.sys [3/20/2009 7:05 PM 482352]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSvix86.sys [5/29/2009 7:59 PM 292912]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 7:17 AM 77824]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [3/20/2009 7:05 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/25/2009 4:00 AM 101936]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NAV\1005000.086\symndisv.sys [3/20/2009 7:05 PM 39984]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [1/20/2008 9:32 PM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [1/20/2008 9:32 PM 251904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows\Tasks\User_Feed_Synchronization-{5C6BD40C-11BE-4D5F-9F33-363F2DD82E09}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:34]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3081112
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\flhx5se3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.newyorktimes.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-05 10:17
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-05 10:20
ComboFix-quarantined-files.txt 2009-06-05 15:20

Pre-Run: 155,517,538,304 bytes free
Post-Run: 155,455,328,256 bytes free

219 --- E O F --- 2009-06-05 05:28

#4 Farbar

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 June 2009 - 11:50 AM

Well done. :thumbup2:

BAE is not malicious; it is just its advertising nature and the fact that the user's consent is not obtained.

You may run an updated MBAM if you want.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java SE Runtime Environment (JRE)" JRE 6 Update 14.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Tell me also how your computer is running. Can you run MBAM and update it without renaming? Is Norton working? Can you get to the Windows Update page?


#5 thelonious

  • Topic Starter
  • Members
  • 14 posts

Posted 05 June 2009 - 05:17 PM

Well, Farbar, my machine is better but still weird. Here goes:

I removed BAE and replaced the old Java with the new.
Links presented by Google (or others) go where they're supposed to.

MBAM works (kinda) without renaming it: it runs and runs, finding nothing, and after about 100,000 files it goes "plink!", closes, and returns me to my desktop without a log.

NAV works now. The first time I reran MBAM I had NAV accidentally running in the background. NAV found (and neutralized) two varmints MBAM didn't see: "Packed Generic.218" and "Backdoor.Tidserv."

Also, while doing nothing fancy, I saw CPU utilization hover around 80% then stay at 100% as before.

Any ideas?

Here's a new HJT, just for good measure:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:33 PM, on 6/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\Hi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 4304 bytes

#6 Farbar

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 05 June 2009 - 05:42 PM

    MBAM works (kinda) without renaming it: it runs and runs, finding nothing, and after about 100,000 files it goes "plink!", closes, and returns me to my desktop without a log.

You might want to uninstall it, remove all the folders and reinstall it again and see if it runs.

    NAV works now. The first time I reran MBAM I had NAV accidentally running in the background. NAV found (and neutralized) two varmints MBAM didn't see: "Packed Generic.218" and "Backdoor.Tidserv."

The question is where those malware files were located. NAV might find them in the ComboFix quarantine folder or in the System Volume Information folder where the restore points are kept. Both the folders will be emptied when we uninstall ComboFix.

    Also, while doing nothing fancy, I saw CPU utilization hover around 80% then stay at 100% as before.

NAV might have been set to do a routine scan?
Could you identify the process consuming high CPU usage?
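
One way to answer the question about the CPU hog, as an added example that was not posted in the thread: a PowerShell snippet, run from an elevated prompt, that samples per-process CPU time over a short interval, ranks the processes, and reports each image path with its Authenticode signature status, which is what a helper would look at to tell an AV scan or vendor tool apart from an unknown binary. The 5-second interval and the top-10 cutoff are choices made for this example, not values from the thread.

```powershell
# Added example, not from the thread: rank processes by CPU share over a short
# interval and show where each image lives and whether it is signed.
# Run from an elevated PowerShell prompt so paths and CPU times of all
# processes are readable; 5 seconds and "top 10" are arbitrary choices here.
$intervalSeconds = 5

function Get-CpuSnapshot {
    # Cumulative CPU seconds per process. PID 0 (Idle) is skipped, and
    # protected processes that refuse access count as 0 instead of aborting.
    Get-Process | Where-Object { $_.Id -ne 0 } | ForEach-Object {
        $cpu = 0.0; $path = $null
        try { $cpu = $_.TotalProcessorTime.TotalSeconds } catch { }
        try { $path = $_.Path } catch { }
        [pscustomobject]@{ Id = $_.Id; Name = $_.Name; Path = $path; Cpu = $cpu }
    }
}

$first = Get-CpuSnapshot
Start-Sleep -Seconds $intervalSeconds
$second = Get-CpuSnapshot

$cores = [Environment]::ProcessorCount
$firstById = @{}
foreach ($p in $first) { $firstById[$p.Id] = $p.Cpu }

$usage = foreach ($p in $second) {
    # Only processes present in both snapshots have a meaningful delta.
    if (-not $firstById.ContainsKey($p.Id)) { continue }
    $delta = $p.Cpu - $firstById[$p.Id]
    # Normalise by core count so 100% means the whole machine, as Task Manager does.
    $percent = [math]::Round(100 * $delta / ($intervalSeconds * $cores), 1)
    $sig = 'n/a'
    if ($p.Path) {
        # Valid means signed by a trusted publisher; NotSigned or HashMismatch on a
        # high-CPU binary is the entry worth examining further.
        try { $sig = (Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction Stop).Status }
        catch { $sig = 'unreadable' }
    }
    [pscustomobject]@{
        ProcessId  = $p.Id
        Name       = $p.Name
        CpuPercent = $percent
        Signature  = $sig
        Path       = $p.Path
    }
}

$usage | Sort-Object CpuPercent -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

A scheduled antivirus scan shows up as a signed vendor binary at the top of the list; an unsigned or unreadable image with a high share is the one to submit for a closer look.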

#7 thelonious

  • Topic Starter
  • Members
  • 14 posts

Posted 06 June 2009 - 11:54 PM

A thousand thank-yous to you, Farbar!

Here's my latest status. I think we can call this fixed:

I uninstalled and reinstalled MBAM. It still went "Plink!" So I uninstalled it again. Uninstalled ComboFix, so any bad guys in quarantine are also gone. NAV works; it finished and found nothing.
URLs presented by search engines go where they're supposed to.
Couldn't identify the CPU hog, but the machine is as responsive as it ever was.

Happy trails,

Thelonious

#8 Farbar

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 07 June 2009 - 06:05 AM

You are most welcome Thelonious. :thumbup2:

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.


