I am getting popups galore


15 replies to this topic

#1 Justbry

Justbry

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 08 June 2009 - 05:06 AM

I seem to be infected with some sort of spyware, as every time I surf I get a popup. My antivirus software does not find anything and I scan every day. Please help; here is the log you request.


DDS (Ver_09-05-14.01) - NTFSx86
Run by Cliff at 23:37:34.15 on Sun 06/07/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3060.1602 [GMT -4:00]

AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: AT&T Internet Security Suite AT&T Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\System32\wscript.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Cliff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2090120
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Media Access Startup: {25b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\media access startup\1.0.0.610\HPIEAddOn.dll
BHO: NP Helper Class: {35b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\internet saving optimizer\3.1.0.3900\NPIEAddOn.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\at&t\at&t internet security suite\pkR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: System Search Dispatcher: {cdbfb47b-58a8-4111-bf95-06178dce326d} - c:\program files\system search dispatcher\1.2.0.750\ssd.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [EPSON Stylus Photo 1400] c:\windows\system32\spool\drivers\w32x86\3\e_fatibua.exe /fu "c:\windows\temp\E_S68C3.tmp" /EF "HKCU"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EPSON Stylus Photo 1400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibua.exe /fu "c:\windows\temp\E_S4179.tmp" /EF "HKCU"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [AT&T Internet Security Suite] "c:\program files\at&t\at&t internet security suite\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\at&t\at&t internet security suite\ZkRunOnceR.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TrayServer] c:\program files\magix\movie_edit_pro_15_plus_download_version\TrayServer.exe
StartupFolder: c:\users\cliff\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\users\cliff\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-24 155648]
R2 FlipShare Service;FlipShare Service;c:\program files\pure digital technologies\flipshare\FlipShareService.exe [2008-11-13 439616]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R3 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\system32\dllhost.exe [2006-11-2 7168]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-5-22 1527900]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-20 30192]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]

=============== Created Last 30 ================

2009-06-06 07:07 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-06-06 07:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-06 07:07 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-06-02 16:24 <DIR> --d----- c:\program files\Media Access Startup
2009-06-02 16:24 <DIR> --d----- c:\program files\Internet Saving Optimizer
2009-06-02 16:23 <DIR> --d----- c:\program files\System Search Dispatcher
2009-06-02 16:23 <DIR> --d----- c:\program files\DoubleD
2009-05-31 09:34 <DIR> --d----- c:\programdata\Pure Digital Technologies
2009-05-31 09:34 <DIR> --d----- c:\program files\Pure Digital Technologies
2009-05-31 09:34 <DIR> --d----- c:\progra~2\Pure Digital Technologies
2009-05-22 06:56 <DIR> --d----- c:\users\cliff\appdata\roaming\MAGIX
2009-05-22 06:52 <DIR> --d----- c:\program files\common files\xara
2009-05-22 06:52 <DIR> --d----- c:\program files\common files\MAGIX Shared
2009-05-22 06:52 913,408 a------- c:\windows\system32\MXRestore.exe
2009-05-22 06:51 167,936 a------- c:\windows\system32\DLLDEV32.dll
2009-05-22 06:51 163,840 a------- c:\windows\system32\DLLDRV32.dll
2009-05-22 06:51 114,688 a------- c:\windows\system32\DLLCDA32.dll
2009-05-22 06:51 106,496 a------- c:\windows\system32\DLLCPY32.dll
2009-05-22 06:51 61,440 a------- c:\windows\system32\DLLCDF32.dll
2009-05-22 06:51 32,768 a------- c:\windows\system32\DLLDIR32.dll
2009-05-22 06:51 14,182 a------- c:\windows\system32\DLLAV32.lib
2009-05-22 06:51 643,072 a------- c:\windows\system32\DLLAV32.dll
2009-05-22 06:50 <DIR> --d----- c:\programdata\MAGIX
2009-05-22 06:50 <DIR> --d----- c:\progra~2\MAGIX
2009-05-22 06:50 120,200 a------- c:\windows\system32\DLLDEV32i.dll
2009-05-22 06:50 <DIR> --d----- c:\program files\MAGIX
2009-05-22 06:49 700,416 a------- c:\windows\system32\mgxoschk.dll
2009-05-22 06:49 6,211 a------- c:\windows\mgxoschk.ini
2009-05-22 06:49 <DIR> --d----- c:\windows\system32\MAGIX

==================== Find3M ====================

2009-04-17 18:22 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-17 18:22 51,200 a------- c:\windows\inf\infpub.dat
2009-04-17 18:22 86,016 a------- c:\windows\inf\infstor.dat
2009-04-17 16:53 186,592 a------- c:\windows\system32\drivers\WinDrvr6.sys
2009-03-16 23:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 23:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 23:38 24,064 a------- c:\windows\system32\amxread.dll
2009-01-20 10:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:38:00.82 ===============

#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:05 AM

Posted 18 June 2009 - 09:28 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Justbry

Justbry
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 18 June 2009 - 05:45 PM

Hi,

Thanks for replying.

When I go to most websites pop-ups start happening; some websites are worse than others. Also, each time I open a new browser two tabs will open: the main one is a redirected website, the second my home page. Finally, when I try to go to certain websites a desktop smiley comes up and says that page does not exist when I know it does. I think the desktop smiley comes from a toolbar my son downloaded. I have since uninstalled that toolbar, but I think some remnants remain.

I have run Malwarebytes Anti-Malware and Spybot; both have come up clean.

Here is my log

DDS (Ver_09-05-14.01) - NTFSx86
Run by Cliff at 18:40:10.36 on Thu 06/18/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3060.1814 [GMT -4:00]

AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: AT&T Internet Security Suite AT&T Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Windows\System32\msdtc.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\rundll32.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Cliff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.theprizeday.com/today.php
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2090120
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Media Access Startup: {25b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\media access startup\1.0.0.610\HPIEAddOn.dll
BHO: NP Helper Class: {35b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\internet saving optimizer\3.1.0.3900\NPIEAddOn.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\at&t\at&t internet security suite\pkR.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: System Search Dispatcher: {cdbfb47b-58a8-4111-bf95-06178dce326d} - c:\program files\system search dispatcher\1.2.0.750\ssd.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [EPSON Stylus Photo 1400] c:\windows\system32\spool\drivers\w32x86\3\e_fatibua.exe /fu "c:\windows\temp\E_S68C3.tmp" /EF "HKCU"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EPSON Stylus Photo 1400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibua.exe /fu "c:\windows\temp\E_S4179.tmp" /EF "HKCU"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [AT&T Internet Security Suite] "c:\program files\at&t\at&t internet security suite\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\at&t\at&t internet security suite\ZkRunOnceR.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-24 155648]
R2 FlipShare Service;FlipShare Service;c:\program files\pure digital technologies\flipshare\FlipShareService.exe [2008-11-13 439616]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-6-17 1153368]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-5-22 1527900]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-20 30192]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\system32\dllhost.exe [2006-11-2 7168]

=============== Created Last 30 ================

2009-06-14 16:46 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 16:46 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 16:46 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 16:46 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 16:46 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-10 22:28 <DIR> --d----- c:\windows\pss
2009-06-06 07:07 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-06-06 07:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-06 07:07 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-06-02 16:24 <DIR> --d----- c:\program files\Media Access Startup
2009-06-02 16:24 <DIR> --d----- c:\program files\Internet Saving Optimizer
2009-06-02 16:23 <DIR> --d----- c:\program files\System Search Dispatcher
2009-06-02 16:23 <DIR> --d----- c:\program files\DoubleD
2009-05-31 09:34 <DIR> --d----- c:\programdata\Pure Digital Technologies
2009-05-31 09:34 <DIR> --d----- c:\program files\Pure Digital Technologies
2009-05-31 09:34 <DIR> --d----- c:\progra~2\Pure Digital Technologies
2009-05-26 03:37 421,888 a------- c:\windows\system32\RealMediaSplitter.ax
2009-05-22 06:56 <DIR> --d----- c:\users\cliff\appdata\roaming\MAGIX
2009-05-22 06:52 <DIR> --d----- c:\program files\common files\xara
2009-05-22 06:52 <DIR> --d----- c:\program files\common files\MAGIX Shared
2009-05-22 06:51 167,936 a------- c:\windows\system32\DLLDEV32.dll
2009-05-22 06:51 163,840 a------- c:\windows\system32\DLLDRV32.dll
2009-05-22 06:51 114,688 a------- c:\windows\system32\DLLCDA32.dll
2009-05-22 06:51 106,496 a------- c:\windows\system32\DLLCPY32.dll
2009-05-22 06:51 61,440 a------- c:\windows\system32\DLLCDF32.dll
2009-05-22 06:51 32,768 a------- c:\windows\system32\DLLDIR32.dll
2009-05-22 06:51 14,182 a------- c:\windows\system32\DLLAV32.lib
2009-05-22 06:51 643,072 a------- c:\windows\system32\DLLAV32.dll
2009-05-22 06:50 <DIR> --d----- c:\programdata\MAGIX
2009-05-22 06:50 <DIR> --d----- c:\progra~2\MAGIX
2009-05-22 06:50 120,200 a------- c:\windows\system32\DLLDEV32i.dll
2009-05-22 06:50 <DIR> --d----- c:\program files\MAGIX
2009-05-22 06:49 700,416 a------- c:\windows\system32\mgxoschk.dll
2009-05-22 06:49 6,211 a------- c:\windows\mgxoschk.ini
2009-05-22 06:49 <DIR> --d----- c:\windows\system32\MAGIX

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-17 18:22 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-17 18:22 51,200 a------- c:\windows\inf\infpub.dat
2009-04-17 18:22 86,016 a------- c:\windows\inf\infstor.dat
2009-01-20 10:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:40:28.12 ===============


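Reading the two DDS logs above the way the Malware Response Team does: the "Pseudo HJT Report" section lists every Internet Explorer Browser Helper Object with its CLSID and the DLL it loads, and "Created Last 30" lists what arrived on the disk recently. In these logs three BHO install directories (Media Access Startup, Internet Saving Optimizer, System Search Dispatcher) were created within two minutes of each other on 2009-06-02, and the second log shows uStart Page pointing at a host other than the Dell default in uDefault_Page_URL. The script below is an added example, not part of this thread and not code from the DDS tool; it parses a constructed excerpt in the same format as the logs above, flags BHOs whose DLL lives under a directory that appears in the Created Last 30 window (sorted by creation time so entries dropped together stand out), and reports a start page whose host differs from the OEM default. The regular expressions are written against the format visible in these logs and the "recently created directory" heuristic is this example's own assumption, not a rule the responders state.

```python
"""Correlate DDS 'Pseudo HJT Report' BHO entries with 'Created Last 30' directories.

Added example for this thread; not code from DDS or from the forum posts.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed excerpt in the DDS format shown in this thread (abridged, not the full log).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.theprizeday.com/today.php
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2090120
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Media Access Startup: {25b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\media access startup\1.0.0.610\HPIEAddOn.dll
BHO: NP Helper Class: {35b8d58c-b0cb-46b0-ba64-05b3804e4e86} - c:\program files\internet saving optimizer\3.1.0.3900\NPIEAddOn.dll
BHO: System Search Dispatcher: {cdbfb47b-58a8-4111-bf95-06178dce326d} - c:\program files\system search dispatcher\1.2.0.750\ssd.dll
TB: {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - No File

=============== Created Last 30 ================

2009-06-06 07:07 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-06-02 16:24 <DIR> --d----- c:\program files\Media Access Startup
2009-06-02 16:24 <DIR> --d----- c:\program files\Internet Saving Optimizer
2009-06-02 16:23 <DIR> --d----- c:\program files\System Search Dispatcher
2009-06-02 16:23 <DIR> --d----- c:\program files\DoubleD
2009-05-22 06:52 913,408 a------- c:\windows\system32\MXRestore.exe

==================== Find3M ====================
"""

# Patterns are assumptions derived from the log format visible in this thread.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
CREATED_RE = re.compile(r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?:<DIR>|[\d,]+) \S+ (?P<path>.+)$")
KEYVAL_RE = re.compile(r"^(?P<key>uStart Page|uDefault_Page_URL) = (?P<url>.+)$")


def parse_dds(text):
    """Split a DDS log into the three pieces this check needs: BHOs, recent files, IE URLs."""
    section = None
    result = {"bhos": [], "created": [], "urls": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # e.g. "Pseudo HJT Report", "Created Last 30"
            continue
        if section == "Pseudo HJT Report":
            m = BHO_RE.match(line)
            if m:
                result["bhos"].append({"name": m["name"], "clsid": m["clsid"].lower(),
                                       "path": m["path"].lower()})
                continue
            m = KEYVAL_RE.match(line)
            if m:
                result["urls"][m["key"]] = m["url"]
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if m:
                when = datetime.strptime(m["when"], "%Y-%m-%d %H:%M")
                result["created"].append((when, m["path"].lower()))
    return result


def suspicious_bhos(parsed):
    """BHOs whose DLL sits under a directory listed in 'Created Last 30', oldest first.

    A browser extension that arrived the same day the symptoms started is the first
    thing to examine; the shared creation timestamp shows which ones were dropped together.
    """
    findings = []
    for bho in parsed["bhos"]:
        for created_at, directory in parsed["created"]:
            if bho["path"].startswith(directory + "\\"):
                findings.append({"name": bho["name"], "path": bho["path"], "created_at": created_at})
                break
    return sorted(findings, key=lambda f: f["created_at"])


def homepage_overridden(parsed):
    """True when uStart Page points at a different host than the OEM uDefault_Page_URL."""
    start = parsed["urls"].get("uStart Page")
    default = parsed["urls"].get("uDefault_Page_URL")
    if not start or not default:
        return False
    # DDS defangs URLs as hxxp://; urlparse still splits off the host after "//".
    return urlparse(start).netloc.lower() != urlparse(default).netloc.lower()


if __name__ == "__main__":
    parsed = parse_dds(SAMPLE_LOG)
    if homepage_overridden(parsed):
        print("start page differs from OEM default:", parsed["urls"]["uStart Page"])
    for f in suspicious_bhos(parsed):
        print(f"{f['created_at']:%Y-%m-%d %H:%M}  {f['name']}  <-  {f['path']}")
```

Run against a real DDS log by reading the file into parse_dds instead of SAMPLE_LOG. The output is a review list, not a verdict: a legitimate program installed last week will also match, so each flagged DLL still needs to be identified by vendor, signature and reputation before anything is removed, which is exactly why the responders go on to ask for ComboFix and GMER output rather than acting on the DDS log alone.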
#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 18 June 2009 - 08:37 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#5 Justbry
  • Topic Starter
  • Members
  • 28 posts

Posted 18 June 2009 - 10:03 PM

Ok, I have attached both the ComboFix log and the GMER log. It seems to be working a little better right now. What should I do next?

ComboFix 09-06-18.02 - Cliff 06/18/2009 22:03.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3060.1828 [GMT -4:00]
Running from: c:\users\Cliff\Desktop\ComboFix.exe
AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: AT&T Internet Security Suite AT&T Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *disabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1285791153-4273125119-2843178973-500
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\$recycle.bin\S-1-5-21-1285791153-4273125119-2843178973-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500\desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-19 to 2009-06-19 )))))))))))))))))))))))))))))))
.

2009-06-14 20:46 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-14 20:46 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-09 07:25 . 2009-06-09 07:25 3371383 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-06 11:07 . 2009-06-19 01:59 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-06 11:07 . 2009-06-19 01:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-02 20:24 . 2009-06-02 20:24 -------- d-----w- c:\program files\Media Access Startup
2009-06-02 20:24 . 2009-06-02 20:24 -------- d-----w- c:\program files\Internet Saving Optimizer
2009-06-02 20:23 . 2009-06-02 20:23 -------- d-----w- c:\program files\System Search Dispatcher
2009-06-02 20:23 . 2009-06-02 20:23 -------- d-----w- c:\program files\DoubleD
2009-05-31 13:34 . 2009-05-31 13:34 -------- d-----w- c:\programdata\Pure Digital Technologies
2009-05-31 13:34 . 2009-05-31 13:34 -------- d-----w- c:\program files\Pure Digital Technologies
2009-05-22 11:01 . 2009-05-21 11:35 5965312 ----a-w- c:\programdata\Microsoft\Windows\Start Menu\Programs\MAGIX\MAGIX Movie Edit Pro 15 Plus Download version\MovieEdit.exe
2009-05-22 10:58 . 2009-05-21 11:35 5965312 ----a-w- c:\users\Cliff\AppData\Roaming\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\MovieEdit.exe
2009-05-22 10:56 . 2009-05-22 10:56 -------- d-----w- c:\users\Cliff\AppData\Roaming\MAGIX
2009-05-22 10:53 . 2009-05-22 10:53 -------- d-----w- c:\users\Cliff\AppData\Local\Xara
2009-05-22 10:51 . 2008-10-18 18:56 106496 ----a-w- c:\windows\system32\DLLCPY32.dll
2009-05-22 10:51 . 2008-10-18 18:56 167936 ----a-w- c:\windows\system32\DLLDEV32.dll
2009-05-22 10:51 . 2008-10-18 18:56 163840 ----a-w- c:\windows\system32\DLLDRV32.dll
2009-05-22 10:51 . 2003-03-14 14:33 114688 ----a-w- c:\windows\system32\DLLCDA32.dll
2009-05-22 10:51 . 2003-03-14 14:33 61440 ----a-w- c:\windows\system32\DLLCDF32.dll
2009-05-22 10:51 . 2003-03-14 14:32 32768 ----a-w- c:\windows\system32\DLLDIR32.dll
2009-05-22 10:51 . 2008-10-18 18:56 643072 ----a-w- c:\windows\system32\DLLAV32.dll
2009-05-22 10:51 . 2006-02-27 13:43 24576 ----a-w- c:\programdata\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\Default\Validation.exe
2009-05-22 10:51 . 2003-11-04 22:20 6144 ----a-w- c:\programdata\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\DVD\WMV_DISC\components\videowritetest.exe
2009-05-22 10:51 . 1997-10-16 02:03 18944 ----a-w- c:\programdata\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\DVD\WMV_DISC\components\shelexec.exe
2009-05-22 10:51 . 2004-09-13 17:29 200704 ----a-w- c:\programdata\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\DVD\WMV_DISC\licgen.exe
2009-05-22 10:51 . 2003-10-09 15:56 513088 ----a-w- c:\programdata\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\DVD\WMV_DISC\WMDS.dll
2009-05-22 10:50 . 2005-10-08 20:14 40960 ----a-w- c:\programdata\MAGIX\Movie_Edit_Pro_15_Plus_Download_version\Default\fcdummy.exe
2009-05-22 10:50 . 2009-05-22 10:53 -------- d-----w- c:\programdata\MAGIX
2009-05-22 10:50 . 2009-05-22 10:53 -------- d-----w- c:\program files\MAGIX
2009-05-22 10:50 . 2007-04-27 13:43 120200 ----a-w- c:\windows\system32\DLLDEV32i.dll
2009-05-22 10:49 . 2009-05-22 10:53 -------- d-----w- c:\windows\system32\MAGIX
2009-05-22 10:49 . 2008-04-15 19:14 700416 ----a-w- c:\windows\system32\mgxoschk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-15 07:02 . 2009-01-20 12:31 -------- d-----w- c:\programdata\Microsoft Help
2009-06-14 10:30 . 2009-02-01 15:05 -------- d-----w- c:\users\Cliff\AppData\Roaming\uTorrent
2009-06-14 10:21 . 2009-01-29 02:25 117320 ----a-w- c:\users\Cliff\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-14 10:10 . 2009-01-20 12:32 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 02:22 . 2009-03-15 20:28 -------- d-----w- c:\users\Cliff\AppData\Roaming\LimeWire
2009-06-09 07:26 . 2009-03-27 07:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-08 03:26 . 2009-01-30 02:46 -------- d-----w- c:\program files\Common Files\Scanner
2009-05-26 17:20 . 2009-03-27 07:42 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 17:19 . 2009-03-27 07:42 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 10:53 . 2009-05-22 10:52 -------- d-----w- c:\program files\Common Files\MAGIX Shared
2009-05-22 10:52 . 2009-05-22 10:52 -------- d-----w- c:\program files\Common Files\xara
2009-05-13 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-03 11:29 . 2009-01-20 12:33 -------- d-----w- c:\program files\Google
2009-04-24 16:05 . 2009-06-11 04:39 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-11 04:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-11 04:39 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-11 04:39 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-11 04:39 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-11 04:39 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 20:53 . 2009-04-17 20:53 186592 ----a-w- c:\windows\system32\drivers\WinDrvr6.sys
2009-03-29 09:09 . 2009-03-29 09:09 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.0.52\SetupAdmin.exe
2009-01-20 13:59 . 2009-01-20 13:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-01-20 30192]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"AT&T Internet Security Suite"="c:\program files\AT&T\AT&T Internet Security Suite\Rps.exe" [2007-06-28 310000]
"-FreedomNeedsReboot"="c:\program files\AT&T\AT&T Internet Security Suite\ZkRunOnceR.exe" [2007-06-28 13552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-17 4907008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-20 12:38 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Cliff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dell Dock.lnk]
path=c:\users\Cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk
backup=c:\windows\pss\Dell Dock.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Cliff^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E384166E-0CD8-4D75-B3D5-2A817E64922A}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C28D0173-9C16-4832-9532-477A7FA8D16A}"= UDP:c:\program files\Dell Remote Access\ezi_ra.exe:Dell Remote Access
"{2E55A68A-9441-4591-95A8-062552619CC5}"= TCP:c:\program files\Dell Remote Access\ezi_ra.exe:Dell Remote Access
"{89E7DC51-003E-4755-9411-A283D26C6849}"= UDP:c:\programdata\SingleClick Systems\Advanced Networking Service\hnm_svc.exe:Advanced Networking Service
"{E83700B7-4825-4A64-AB19-88DF3C978A95}"= TCP:c:\programdata\SingleClick Systems\Advanced Networking Service\hnm_svc.exe:Advanced Networking Service
"{C3824F0C-9319-40A5-BE78-C336837261B9}"= UDP:c:\programdata\SingleClick Systems\VLC\vlc.exe:Remote Access VLC
"{A0457955-DA16-45C2-B78A-8266DEBDD053}"= TCP:c:\programdata\SingleClick Systems\VLC\vlc.exe:Remote Access VLC
"{B70B611F-B448-4014-A6DA-FBCB383C4E3E}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{992763EA-C3DD-4CA6-B755-301B8864938A}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{D90141FE-A91B-45F8-AC00-8CFFE5E2A459}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{A71A565D-2196-448C-B6FD-C53D5DEEC17F}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{9F230083-5855-4333-BF2E-C5CCE7315A1E}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{F89E06D1-C747-4338-A782-1126643B1703}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{81B1C478-C22C-4BF6-BC0D-795CF79E03CC}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{F368C772-2134-47FB-B1B0-73D26F194BB0}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{215C6972-A45C-4C16-9293-EA0EF8006990}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{71F96B23-2E8D-4115-9398-C5886B454B72}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{5C6440F7-513A-47C4-8FA1-C6BF993E330D}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{92F8C274-1ED6-4F36-A8C7-74E0301107ED}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R2 AERTFilters;Andrea RT Filters Service;c:\windows\System32\AERTSrv.exe [12/5/2007 7:17 AM 77824]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [1/11/2008 6:50 PM 30312]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [9/24/2008 12:09 AM 155648]
R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [11/13/2008 1:17 PM 439616]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [5/22/2009 6:53 AM 1527900]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/20/2009 8:33 AM 30192]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [11/24/2008 11:31 PM 29263712]
S3 Radialpoint Security Services;AT&T Internet Security Suite;c:\windows\System32\dllhost.exe [11/2/2006 4:50 AM 7168]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theprizeday.com/today.php
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 22:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-19 22:07
ComboFix-quarantined-files.txt 2009-06-19 02:07

Pre-Run: 371,417,440,256 bytes free
Post-Run: 371,438,747,648 bytes free

166 --- E O F --- 2009-06-18 22:31

Attached Files


Edited by PropagandaPanda, 19 June 2009 - 07:26 AM.


#6 Justbry
  • Topic Starter
  • Members
  • 28 posts

Posted 19 June 2009 - 04:51 AM

I ran a spyware scan last night and it came up with some things I haven't seen before.

Scan Target      Scanned Items   Detected Spyware Items
OS (C:)                 188198                        1
RECOVERY (D:)             9684                        0
New Disk (F:)             9830                        0
Cookies                     73                        0
Registry                 47952                        3
Memory                      22                        0
Total                   255759                        4



Spyware            Type         Item                                                                                                              Action
Grokster           Registry     hkey_classes_root\magnet                                                                                          Quarantine
Bifrost            Registry     hkey_current_user\software\wget                                                                                   Quarantine
PremiumSearch      Application  C:\Users\Cliff\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UE8L6O3I\favicon[6].ico   Quarantine
WinSpywareProtect  Registry     hkey_current_user\software\microsoft\windows\currentversion\drivers                                               Quarantine

These items were quarantined.

#7 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 19 June 2009 - 10:31 AM

Hello.

Your logs look clean of active malware.

The item detected in the post above was only a cookie.

Did you install these programs yourself? I can't find any sources saying they are legit programs.

RPS Ad Blocker
RPS AntiFraud
RPS AntiSpyware
RPS AntiVirus
RPS App Detector
RPS AsRealtime
RPS Backup
RPS Burn
RPS Diagnostic Utility
RPS Firewall
RPS ParentalControl
RPS Performance Tool
RPS PopupBlocker
RPS Privacy Manager
RPS RpsCore
RPS Security Cleanup
RPS Zip

With Regards,
The Panda

#8 Justbry
  • Topic Starter
  • Members
  • 28 posts

Posted 19 June 2009 - 03:47 PM

My antivirus program is the AT&T Internet Security Suite; it comes with my ISP. I hope that those programs are part of it and not some other program that I did not download. I've done an online search for these programs; they all seem to belong to Verizon in one form or another.

If these are viruses that may have been inadvertently downloaded, please let me know.

Thanks

CJ

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 19 June 2009 - 06:45 PM

Hello CJ.

They don't look like legit programs to me.

Please uninstall all of them using Add/Remove Programs.

Update Java to Version 6 Update 14
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, J2SE Runtime, Java Runtime, and Java Runtime Environment. Restart your computer after uninstalling.

Please download the installer here. Choose "Windows".

Delete the installer after use.

Take a new DDS log after. Include the Attach.txt

Please give me an update on the symptoms.

With Regards,
The Panda

#10 Justbry
  • Topic Starter
  • Members
  • 28 posts

Posted 20 June 2009 - 04:17 AM

I did some more research on those RPS programs you are asking me about. They do indeed belong to my antivirus software by AT&T; furthermore, they do not appear in the Add/Remove section for me to uninstall. Please see the link below.

http://www.marketwire.com/press-release/Ra...int-929190.html

I updated my Java and all seems to be working well. Here is a new log:

Thanks

CJ


DDS (Ver_09-05-14.01) - NTFSx86
Run by Cliff at 5:04:49.45 on Sat 06/20/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3060.1593 [GMT -4:00]

AV: AT&T Internet Security Suite AT&T Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: AT&T Internet Security Suite AT&T Anti-Spyware *enabled* (Updated) {307352C6-1CBD-11DB-8AF6-B622A1EF5492}
FW: AT&T Internet Security Suite AT&T Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\Fws.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\rpsupdaterR.exe
C:\Windows\System32\msdtc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\AT&T\AT&T Internet Security Suite\RPS.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\msiexec.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Cliff\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\at&t\at&t internet security suite\pkR.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [AT&T Internet Security Suite] "c:\program files\at&t\at&t internet security suite\Rps.exe"
mRun: [-FreedomNeedsReboot] "c:\program files\at&t\at&t internet security suite\ZkRunOnceR.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GoogleDesktopNetwork3.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-06-20 04:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-18 22:07 <DIR> --dsh--- C:\$RECYCLE.BIN
2009-06-18 22:02 161,792 a------- c:\windows\SWREG.exe
2009-06-18 22:02 155,136 a------- c:\windows\PEV.exe
2009-06-18 22:02 98,816 a------- c:\windows\sed.exe
2009-06-18 22:02 <DIR> --ds---- C:\ComboFix
2009-06-14 16:46 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 16:46 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 16:46 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 16:46 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 16:46 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-10 22:28 <DIR> --d----- c:\windows\pss
2009-06-06 07:07 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-06-06 07:07 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-06 07:07 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-06-02 16:24 <DIR> --d----- c:\program files\Media Access Startup
2009-06-02 16:24 <DIR> --d----- c:\program files\Internet Saving Optimizer
2009-06-02 16:23 <DIR> --d----- c:\program files\System Search Dispatcher
2009-06-02 16:23 <DIR> --d----- c:\program files\DoubleD
2009-05-31 09:34 <DIR> --d----- c:\programdata\Pure Digital Technologies
2009-05-31 09:34 <DIR> --d----- c:\program files\Pure Digital Technologies
2009-05-31 09:34 <DIR> --d----- c:\progra~2\Pure Digital Technologies
2009-05-26 03:37 421,888 a------- c:\windows\system32\RealMediaSplitter.ax
2009-05-22 06:56 <DIR> --d----- c:\users\cliff\appdata\roaming\MAGIX
2009-05-22 06:52 <DIR> --d----- c:\program files\common files\xara
2009-05-22 06:52 <DIR> --d----- c:\program files\common files\MAGIX Shared
2009-05-22 06:51 167,936 a------- c:\windows\system32\DLLDEV32.dll
2009-05-22 06:51 163,840 a------- c:\windows\system32\DLLDRV32.dll
2009-05-22 06:51 114,688 a------- c:\windows\system32\DLLCDA32.dll
2009-05-22 06:51 106,496 a------- c:\windows\system32\DLLCPY32.dll
2009-05-22 06:51 61,440 a------- c:\windows\system32\DLLCDF32.dll
2009-05-22 06:51 32,768 a------- c:\windows\system32\DLLDIR32.dll
2009-05-22 06:51 14,182 a------- c:\windows\system32\DLLAV32.lib
2009-05-22 06:51 643,072 a------- c:\windows\system32\DLLAV32.dll
2009-05-22 06:50 <DIR> --d----- c:\programdata\MAGIX
2009-05-22 06:50 <DIR> --d----- c:\progra~2\MAGIX
2009-05-22 06:50 120,200 a------- c:\windows\system32\DLLDEV32i.dll
2009-05-22 06:50 <DIR> --d----- c:\program files\MAGIX
2009-05-22 06:49 700,416 a------- c:\windows\system32\mgxoschk.dll
2009-05-22 06:49 6,211 a------- c:\windows\mgxoschk.ini
2009-05-22 06:49 <DIR> --d----- c:\windows\system32\MAGIX

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-04-23 08:43 784,896 a------- c:\windows\system32\rpcrt4.dll
2009-04-23 08:42 636,928 a------- c:\windows\system32\localspl.dll
2009-04-21 07:55 2,033,152 a------- c:\windows\system32\win32k.sys
2009-04-17 18:22 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-17 18:22 51,200 a------- c:\windows\inf\infpub.dat
2009-04-17 18:22 86,016 a------- c:\windows\inf\infstor.dat
2009-01-20 10:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 5:05:43.56 ===============

Attached Files
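The checks a helper applies by eye when reading the DDS sections above (the Pseudo HJT Report and Created Last 30 lists, plus the uStart Page line ComboFix printed in post #5) can be written down. The following Python script is an added example and is not part of this thread, of DDS or of ComboFix. It flags a start page whose host is not on an allowlist, Run values that either name a bare file (resolved through the search path at logon) or point into a user-writable directory, BHOs outside Program Files or Windows, DPF (ActiveX installer) URLs on hosts not on an allowlist, any AppInit_DLLs value, and groups of Program Files directories created within a couple of minutes of each other. The sample log is constructed, modelled on the lines posted in this thread; the [Updater] autorun line is synthetic and is not in the thread, it only exercises the user-writable check. The two allowlists, the two-minute window and the three-directory threshold are assumptions. Every finding is a prompt to ask the user or check the item, not a verdict: a cluster of directories created in one minute is equally consistent with one legitimately bundled installer.

```python
"""Triage heuristics for DDS-style log sections (added example; not part of
the thread, DDS or ComboFix).  Every finding is a prompt for review, not a verdict."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed allowlists (not from the thread): start-page hosts a user plausibly
# chose, and hosts that legitimately serve ActiveX installers (DPF entries).
TRUSTED_START_HOSTS = {"www.google.com", "www.msn.com", "www.bing.com"}
TRUSTED_DPF_HOSTS = {"java.sun.com", "www.update.microsoft.com"}
CLUSTER_WINDOW = timedelta(minutes=2)  # Program Files dirs created this close together...
CLUSTER_MIN = 3                        # ...in at least this number look like one bundled install

HJT_RE = re.compile(r"^(?P<kind>uStart Page|BHO|uRun|mRun|DPF|AppInit_DLLs)\s*[:=]\s*(?P<rest>.+)$")
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\$recycle.bin\\", "\\users\\")

# Constructed sample modelled on the logs posted in this thread.  The [Updater]
# line is synthetic (it is NOT in the thread) and only exercises the AppData check.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.theprizeday.com/today.php
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ISW.exe] "c:\program files\at&t\internet security wizard\ISW.exe" /AUTORUN
mRun: [Updater] c:\users\cliff\appdata\local\temp\updater.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~3\GoogleDesktopNetwork3.dll

2009-06-02 16:24 <DIR> --d----- c:\program files\Media Access Startup
2009-06-02 16:24 <DIR> --d----- c:\program files\Internet Saving Optimizer
2009-06-02 16:23 <DIR> --d----- c:\program files\System Search Dispatcher
2009-06-02 16:23 <DIR> --d----- c:\program files\DoubleD
2009-05-31 09:34 <DIR> --d----- c:\program files\Pure Digital Technologies
"""

def to_url(s):
    return s.strip().replace("hxxp", "http", 1)  # DDS/ComboFix defang http as hxxp

def image_path(cmd):
    """Program path from a Run value: the quoted part, or the unquoted path up to .exe/.dll/.scr."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]

def location_issue(path):
    p = path.lower()
    if "\\" not in p:
        return "bare file name, resolved through the search path at logon"
    if any(seg in p for seg in USER_WRITABLE):
        return "loads from a user-writable location"
    return None

def triage(log_text):
    """Return (category, detail) findings for the HJT and Created-Last-30 lines."""
    findings, prog_dirs = [], []
    for line in (ln.strip() for ln in log_text.splitlines()):
        m = HJT_RE.match(line)
        if m:
            kind, rest = m.group("kind"), m.group("rest")
            if kind == "uStart Page":
                host = urlparse(to_url(rest)).hostname or rest
                if host not in TRUSTED_START_HOSTS:
                    findings.append(("start-page", host))
            elif kind in ("uRun", "mRun"):
                name, _, cmd = rest.partition("] ")
                issue = location_issue(image_path(cmd))
                if issue:
                    findings.append(("autorun", f"{name.lstrip('[')}: {issue}"))
            elif kind == "BHO":
                dll = rest.rsplit(" - ", 1)[-1]
                issue = location_issue(dll)
                if issue:
                    findings.append(("bho", f"{dll}: {issue}"))
            elif kind == "DPF":
                host = urlparse(to_url(rest.rsplit(" - ", 1)[-1])).hostname or rest
                if host not in TRUSTED_DPF_HOSTS:
                    findings.append(("dpf", host))
            else:  # AppInit_DLLs: loaded into every process that maps user32.dll
                findings.append(("appinit", rest))
            continue
        m = CREATED_RE.match(line)
        if m and m.group("size") == "<DIR>" and m.group("path").lower().startswith("c:\\program files\\"):
            prog_dirs.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M"), m.group("path")))
    # Program Files directories that appeared within CLUSTER_WINDOW of each other
    prog_dirs.sort()
    i = 0
    while i < len(prog_dirs):
        j = i
        while j + 1 < len(prog_dirs) and prog_dirs[j + 1][0] - prog_dirs[i][0] <= CLUSTER_WINDOW:
            j += 1
        if j - i + 1 >= CLUSTER_MIN:
            names = ", ".join(p.rsplit("\\", 1)[-1] for _, p in prog_dirs[i:j + 1])
            findings.append(("install-cluster", f"{prog_dirs[i][0]:%Y-%m-%d %H:%M}: {names}"))
        i = j + 1
    return findings

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

On the sample above the script reports the start page host, the two Run entries (one bare file name, one synthetic AppData path), the AppInit_DLLs value and the four directories created together on 2009-06-02. The bare-file-name check is a hardening point rather than an indicator on its own: a Run value with no directory is resolved through the process search path at logon, so it is worth confirming where it actually resolves, which is exactly what ComboFix did in post #5 when it printed the resolved c:\windows\RtHDVCpl.exe beside the value.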



#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 20 June 2009 - 09:20 AM

Hello.

Ah, I see.

Let's get a scan off.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#12 Justbry

Justbry
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 20 June 2009 - 05:15 PM

Thanks for all your help on this issue, here is the latest log.

CJ

Scanning Report
Saturday, June 20, 2009 16:02:27 - 17:26:59
Computer name: CLIFF-PC
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ F:\


--------------------------------------------------------------------------------

12 malware found
TrackingCookie.Questionmarket (spyware)
System (Disinfected)
TrackingCookie.Adinterax (spyware)
System (Disinfected)
TrackingCookie.2o7 (spyware)
System (Disinfected)
TrackingCookie.Advertising (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Revsci (spyware)
System (Disinfected)
TrackingCookie.Adrevolver (spyware)
System (Disinfected)
TrackingCookie.Adbrite (spyware)
System (Disinfected)
TrackingCookie.Webtrends (spyware)
System (Disinfected)
TrackingCookie.Atwola (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 63534
System: 4342
Not scanned: 19
Actions:
Disinfected: 12
Renamed: 0
Deleted: 0
Not cleaned: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\HIBERFIL.SYS
C:\WINDOWS\SYSTEM32\CONFIG\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\COMPONENTS
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SAM
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\REGBACK\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATDB
C:\WINDOWS\SYSTEM32\CATROOT2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATDB
C:\USERS\CLIFF\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\F4FDC849C249\DBDAM
C:\USERS\CLIFF\APPDATA\LOCAL\GOOGLE\GOOGLE DESKTOP\F4FDC849C249\DBEAM
C:\BOOT\BCD

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------


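All twelve detections in the report above are `TrackingCookie.*` entries, which are browser cookies set by advertising networks rather than code that runs, and the "Files not scanned" list consists of files Windows keeps open on a live system. As an added example (not code from the original post or from F-Secure), here is a Python parser for that report layout with a triage summary that separates cookie detections from other findings, checks that the number of parsed detections matches the header count, lists anything marked "Not cleaned", and reports skipped files that are not among the usual locked ones. The sample report is constructed and abbreviated from the one above, with one made-up non-cookie detection (the hypothetical name `Example.NotACookie`) and one made-up skipped file added so both sides of the classification are exercised; the expected-unscanned list is my assumption, not an F-Secure reference.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, abbreviated from the F-Secure report posted above, plus a
# made-up detection (Example.NotACookie) and a made-up skipped file (LOCKED.TMP).
SAMPLE_REPORT = r"""
Scanning Report
Saturday, June 20, 2009 16:02:27 - 17:26:59
Computer name: CLIFF-PC

4 malware found
TrackingCookie.Doubleclick (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Yieldmanager (spyware)
System (Disinfected)
Example.NotACookie (virus)
C:\Users\Example\AppData\Local\Temp\example.exe (Not cleaned)

Statistics
Scanned:
Files: 63534
System: 4342
Not scanned: 5
Actions:
Disinfected: 3
Not cleaned: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\HIBERFIL.SYS
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\BOOT\BCD
C:\USERS\EXAMPLE\APPDATA\LOCAL\TEMP\LOCKED.TMP
""".strip().splitlines()

_COUNT_RE = re.compile(r"^(\d+) malware found$")
_DETECT_RE = re.compile(r"^(?P<name>[\w-]+\.[\w.-]+) \((?P<category>[\w-]+)\)$")
_ACTION_RE = re.compile(r"^(?P<location>.+) \((?P<action>[\w ]+)\)$")
_STAT_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>\d+)$")

# Assumption (mine): files a live-system scan is expected to skip because the
# OS holds them open: paging/hibernation files, registry hives, catalog DB, BCD.
EXPECTED_UNSCANNED = (
    "\\pagefile.sys", "\\hiberfil.sys", "\\system32\\config\\",
    "\\catdb", "\\boot\\bcd", "\\google desktop\\",
)


@dataclass(frozen=True)
class Detection:
    name: str
    category: str
    location: str
    action: str

    @property
    def is_tracking_cookie(self) -> bool:
        return self.name.startswith("TrackingCookie.")  # ad-network cookie, not code


@dataclass
class Report:
    reported_count: Optional[int] = None
    detections: list = field(default_factory=list)
    stats: dict = field(default_factory=dict)
    not_scanned: list = field(default_factory=list)


def parse_fsecure_report(lines):
    """Parse the header count, the two-line detection entries, numeric stats and the skipped-file list."""
    rep, section, i = Report(), None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("---"):
            continue
        m = _COUNT_RE.match(line)
        if m:
            rep.reported_count, section = int(m.group(1)), "detections"
            continue
        if line == "Files not scanned:":
            section = "not_scanned"
            continue
        if section == "not_scanned":
            if line == "Options":
                section = None
            else:
                rep.not_scanned.append(line)
            continue
        m = _DETECT_RE.match(line)
        if m and i < len(lines):
            # A detection is "Name (category)" followed by "Location (Action)".
            a = _ACTION_RE.match(lines[i].strip())
            if a:
                rep.detections.append(Detection(m["name"], m["category"], a["location"], a["action"]))
                i += 1
            continue
        m = _STAT_RE.match(line)
        if m:
            rep.stats[m["key"]] = int(m["value"])
    return rep


def triage(rep):
    """Reduce the report to the questions that matter: is anything executable, and was anything left behind?"""
    other = [d for d in rep.detections if not d.is_tracking_cookie]
    return {
        "reported": rep.reported_count,
        "parsed": len(rep.detections),
        "count_matches": rep.reported_count == len(rep.detections),
        "tracking_cookies": sum(d.is_tracking_cookie for d in rep.detections),
        "non_cookie": [d.name for d in other],
        "not_cleaned": [d.name for d in rep.detections if d.action.lower() == "not cleaned"],
        "unexpected_unscanned": [p for p in rep.not_scanned
                                 if not any(s in p.lower() for s in EXPECTED_UNSCANNED)],
        "likely_active_infection": bool(other),
    }


if __name__ == "__main__":
    for key, value in triage(parse_fsecure_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On the real report above the same triage would give twelve cookies, no non-cookie detections, nothing left uncleaned and no unexpected skipped files, which is the reading the thread arrives at: the scanner cleaned advertising cookies but found no running malware.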
#13 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:05 AM

Posted 20 June 2009 - 09:22 PM

Hello.

Are the popups still occurring? Could I ask which sites they appear on?

Is it only those sites, or anywhere?

With Regards,
The Panda

#14 Justbry

Justbry
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:05:05 AM

Posted 21 June 2009 - 06:48 AM

When the popups first started happening, it was just about every site I went to, including this one. In general the popups seem to have gone away; life seems to be much better now. Only certain sites are getting them now, not EVERY one.

Thanks for the help on this matter

CJ

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:05 AM

Posted 21 June 2009 - 12:26 PM

Hello.

In that case, I suspect it's the site itself that is giving you the popups.

Looks like you are good to go.

Uninstall ComboFix
Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type the following into the runbox and click OK. Notice the space between the "x" and "/".
    ComboFix /u

Uninstalling ComboFix will do the following:
  • Delete ComboFix and its components from your computer.
  • Delete other tools commonly used during the malware removal process.
  • Resets clock settings to standard format.
  • Hides file extensions and hidden/system files.
  • Clears System Restore cache and creates new restore point.
Preventing Malware Infection in the Future
Please take some time to look at the following links, giving some advice and suggestions for preventing future infections:

For general slowness problems that you may have, take a look at Slow Computer/browser? It May Not Be Malware.

Read How to use the Startup Database to identify and disable unneeded processes and increase the amount of available resources.

Do you have any questions or concerns?

With Regards,
The Panda



