
Infected w/ Backdoor.bot, Malware.Trace, Stolen.Data, Trojan.Spambot, Hijack.UserInit, Trojan.Agent


This topic is locked. 7 replies to this topic.

#1 Mico7
  • Members
  • 6 posts

Posted 09 June 2009 - 06:48 AM

Hello. I've been having some issues with my laptop as of late. Upon start up of my mother's (but not my own) user acct, the message "Data Execution Prevention: To help protect this computer, Generic Host Process for Win32 Services has been closed by Windows" pops up. Svchost then tries to get out to the net, then aborts.

I did my usual scan with MalwareBytes and it picked up on the various viruses, but they keep reappearing upon re-start and re-scanning. Even after being quarantined and successfully "deleted" by MalwareBytes (System Restore is turned off). I've also used Bitdefender and SUPERAntiSpyware in Safe mode, full scan (both failed to detect any of the viruses found by MalwareBytes), but nothing so far has licked it. Included is my DDS scan info. Also included for additional info is my MalwareBytes log (hope that's ok!). Thanks in advance for any and all help :thumbup2:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Michelle at 7:07:20.78 on Tue 06/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.98 [GMT -4:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\e-Trends\etrnd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\RtkBtMnt.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\svchost.exe -kbdx
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michelle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: IEPlugin Class: {cf7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\advanced system optimizer\IEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2008\IEShow.exe"
mRun: [BDMCon] "c:\program files\softwin\bitdefender10\bdmcon.exe" /reg
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2008\bdagent.exe"
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://l.yimg.com/jh/games/web_games/gamehouse/frenzy/SproutLauncher.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: e-Trends - c:\program files\e-trends\etls.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michelle\applic~1\mozilla\firefox\profiles\oyofejzv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - news.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\e-trends\components\etxg.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: *xg.dll: {6E19037A-12E3-4295-8915-ED48BC341614} - c:\program files\e-Trends

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2007-9-25 86792]
S2 Active Common Service;Active Common Service;c:\windows\system32\commserv.exe --> c:\windows\system32\commserv.exe [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

=============== Created Last 30 ================

2009-06-09 06:49 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-09 06:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-09 06:19 <DIR> --d----- c:\windows\system32\NtmsData
2009-06-08 08:05 <DIR> --d----- c:\program files\Trojan Remover
2009-06-08 07:22 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-07 21:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-07 21:37 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-07 21:37 <DIR> --d----- c:\docume~1\michelle\applic~1\SUPERAntiSpyware.com
2009-06-07 21:36 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-07 20:50 <DIR> --dsh--- C:\found.001
2009-06-07 18:15 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-07 17:43 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-07 17:43 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-07 17:43 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-07 17:43 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-07 17:43 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-07 17:43 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-07 17:43 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-07 17:43 <DIR> --d----- C:\2a737653a583232219c461
2009-06-07 17:24 <DIR> --d----- C:\c6e71787c577cc0830ca17409ac574
2009-06-07 17:23 <DIR> --d----- C:\c8be5d2aa37841d9d3
2009-06-07 17:10 <DIR> --dsh--- c:\documents and settings\michelle\PrivacIE
2009-06-07 16:40 <DIR> --dsh--- C:\found.000
2009-05-24 23:05 <DIR> --dsh--- c:\documents and settings\michelle\IECompatCache
2009-05-24 21:23 44,944 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-05-24 21:23 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-24 21:23 129,520 -------- c:\windows\system32\pxafs.dll
2009-05-24 21:23 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-05-22 15:52 <DIR> --dsh--- c:\documents and settings\michelle\IETldCache
2009-05-22 15:25 <DIR> --d----- c:\windows\ie8updates
2009-05-22 15:23 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-22 15:17 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-09 07:07 81,984 a------- c:\windows\system32\bdod.bin
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 10:06 397,664 a------- c:\windows\system32\apphelpk2.dll
2008-05-27 09:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052720080528\index.dat

============= FINISH: 7:08:46.15 ===============


MalwareBytes log

Malwarebytes' Anti-Malware 1.37
Database version: 2252
Windows 5.1.2600 Service Pack 3

6/9/2009 6:26:07 AM
mbam-log-2009-06-09 (06-26-07).txt

Scan type: Quick Scan
Objects scanned: 101610
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77b13a07-5c86-48bb-9c0c-523dc7c760e3} (Trojan.SpamBot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77b13a07-5c86-48bb-9c0c-523dc7c760e3} (Trojan.SpamBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sys.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\J. Coffey\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.


#2 myrti
    Sillyberry
  • Malware Study Hall Admin
  • 33,681 posts
  • Gender:Female
  • Location:At home

Posted 19 June 2009 - 05:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 Mico7
  • Topic Starter
  • Members
  • 6 posts

Posted 19 June 2009 - 10:14 AM

I am still having computer issues, although there have been changes. Thank you for getting back to me. The "Data Execution Prevention: To help protect this computer, Generic Host Process for Win32 Services has been closed by Windows" message is no longer popping up, nor is svchost aborting. The viruses appear to be gone after the last MalwareBytes and Bitdefender scan (done about a week ago). However, the computer is still moving slowly: it's still taking a couple of minutes to open up programs and the internet, and Firefox is slow and lagging. Also, there are now issues with Firefox crashing, and the icons in Firefox for the add-ons are no longer appearing.

Enclosed is my new DDS scan. Thank you.



DDS (Ver_09-05-14.01) - NTFSx86
Run by Michelle at 11:06:08.43 on Fri 06/19/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.84 [GMT -4:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\e-Trends\etrnd.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\DOCUME~1\Michelle\LOCALS~1\Temp\RtkBtMnt.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe -kbdx
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michelle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = 0.0.0.0:80
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mURLSearchHooks: IAOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol toolbar\aoltb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AOL Toolbar Loader: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol toolbar\aoltb.dll
BHO: IEPlugin Class: {cf7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\advanced system optimizer\IEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol toolbar\aoltb.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2008\IEShow.exe"
mRun: [BDMCon] "c:\program files\softwin\bitdefender10\bdmcon.exe" /reg
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2008\bdagent.exe"
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://l.yimg.com/jh/games/web_games/gamehouse/frenzy/SproutLauncher.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: e-Trends - c:\program files\e-trends\etls.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michelle\applic~1\mozilla\firefox\profiles\oyofejzv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.startup.homepage - news.google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\e-trends\components\etxg.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: *xg.dll: {6E19037A-12E3-4295-8915-ED48BC341614} - c:\program files\e-Trends

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2007-9-25 86792]
S2 Active Common Service;Active Common Service;c:\windows\system32\commserv.exe --> c:\windows\system32\commserv.exe [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]

=============== Created Last 30 ================

2009-06-10 05:40 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 05:40 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-09 06:49 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-09 06:49 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-09 06:19 <DIR> --d----- c:\windows\system32\NtmsData
2009-06-08 08:05 <DIR> --d----- c:\program files\Trojan Remover
2009-06-08 07:22 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-07 21:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-07 21:37 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-07 21:37 <DIR> --d----- c:\docume~1\michelle\applic~1\SUPERAntiSpyware.com
2009-06-07 21:36 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-07 20:50 <DIR> --dsh--- C:\found.001
2009-06-07 18:15 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-07 17:43 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-07 17:43 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-07 17:43 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-07 17:43 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-07 17:43 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-07 17:43 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-07 17:43 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-07 17:43 <DIR> --d----- C:\2a737653a583232219c461
2009-06-07 17:24 <DIR> --d----- C:\c6e71787c577cc0830ca17409ac574
2009-06-07 17:23 <DIR> --d----- C:\c8be5d2aa37841d9d3
2009-06-07 17:10 <DIR> --dsh--- c:\documents and settings\michelle\PrivacIE
2009-06-07 16:40 <DIR> --dsh--- C:\found.000
2009-05-24 23:05 <DIR> --dsh--- c:\documents and settings\michelle\IECompatCache
2009-05-24 21:23 44,944 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-05-24 21:23 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-24 21:23 129,520 -------- c:\windows\system32\pxafs.dll
2009-05-24 21:23 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-05-22 15:52 <DIR> --dsh--- c:\documents and settings\michelle\IETldCache
2009-05-22 15:25 <DIR> --d----- c:\windows\ie8updates
2009-05-22 15:23 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-22 15:17 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-06-19 11:04 81,984 a------- c:\windows\system32\bdod.bin
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-05-27 09:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052720080528\index.dat

============= FINISH: 11:07:24.17 ===============



Edited by Mico7, 19 June 2009 - 10:19 AM.


#4 RenatoMejias
  • Malware Response Team
  • 913 posts
  • Gender:Male

Posted 19 June 2009 - 08:50 PM

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Renato Victor Mejias
Malware help in portuguese

#5 Mico7
  • Topic Starter
  • Members
  • 6 posts

Posted 20 June 2009 - 01:06 PM

Here are the results of the Kaspersky Online Scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, June 20, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, June 20, 2009 15:14:29
Records in database: 2371109
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 56167
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 03:44:53


File name / Threat name / Threats count
C:\WINDOWS\system32\apphelpk2.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.vtu 1

The selected area was scanned.

#6 RenatoMejias
  • Malware Response Team
  • 913 posts
  • Gender:Male

Posted 21 June 2009 - 11:38 AM

Hi Mico7,

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".
This may change, read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Viewpoint

---

Please set your system to show All Files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\apphelpk2.dll <-- this file

Reboot into normal Windows.

I recommend you install & run CCleaner; it's a freeware system optimization tool and can help you get the best performance from your computer.

After following these procedures, please inform me if you still have problems.
Renato Victor Mejias
Malware help in portuguese

#7 Mico7
  • Topic Starter
  • Members
  • 6 posts

Posted 23 June 2009 - 07:35 PM

Thank you so much RenatoMejias! I did get rid of Viewpoint and run CCleaner; the computer is running very smoothly now. All the problems have been solved. Again, thank you! :thumbup2:

#8 RenatoMejias
  • Malware Response Team
  • 913 posts
  • Gender:Male

Posted 23 June 2009 - 08:52 PM

Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Renato Victor Mejias
Malware help in portuguese



