Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

PC Infected with wwwamnc1.com, http://rightbulkselect.com/?q= and RAComponents.dll


  • This topic is locked This topic is locked
10 replies to this topic

#1 rawsaxy

rawsaxy

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 23 June 2009 - 11:31 PM

PC Infected with "wwwamnc1.com", "hxxp://rightbulkselect.com/?q= " & "RAComponents.dll"

I have several related problems within my Windows XP PC.
All Internet Explorer 7 and Firefox internet activity respond the same. There are numerous ActiveX Control Add-ons, such as:
RAComponents.dll, and BJInstaller.dll, as well as McciCMService that keeps running.
GoogleUpdate also keeps on reappearing even after I quit it under "Task Manager".

Also, no Add-on gives me the option to be Deleted under "Delete ActiveX", not these or any other add-on for that matter.
Any webpage I try to access takes very long and any link I click on goes to the following first: <hxxp://rightbulkselect.com/?q=>
then the tab says "Jumping" and finally goes wherever it wants, not where I had clicked.

Another website that keeps opening is: wwwamnc1.com
There also seems to be erratic hard drive activity. Please help.
===================================================================

DDS (Ver_09-05-14.01) - NTFSx86
Run by Home at 0:14:20.64 on Wed 06/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.124 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\WINDOWS\system32\6.tmp
C:\WINDOWS\system32\svchost.exe -k sys
C:\WINDOWS\system32\rundll32.exe
c:\windows\freddy46.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Home\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mc381.mail.yahoo.com/mc/welcome?.gx=1&.rand=2vh7qtoe2jnfo
uInternet Connection Wizard,ShellNext = hxxp://www.bible.com/
uInternet Settings,ProxyOverride = *.local
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: InlineSearchHandleHotKeys Class: {b6ffe2ae-4d12-451f-b457-fe6125ffb1cf} - c:\program files\ieforge\inline search\InlineSearch.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
uRun: [BMUpdate] c:\windows\system32\BMUpdate.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [sysldtray] c:\windows\ld10.exe
mRun: [sysfbtray] c:\windows\freddy46.exe
mRunServices: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Search Image on TinEye - file://c:\documents and settings\home\my documents\tineye 1.0\TinEye.js
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\home\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://echat.bellsouth.net/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\betipafe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\cdzijpht.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc381.mail.yahoo.com/mc/welcome?.gx=1&.rand=8r2brcsegkt2q#_pg=welcome&&.rand=1901480430&hash=57a9f748b505ccc34cc2b10bcd0988e4&.jsrand=1
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\home\application data\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\home\application data\mozilla\firefox\profiles\cdzijpht.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\openoffice.org 3\program\npsoplugin.dll

============= SERVICES / DRIVERS ===============

R1 sysdrv;sysdrv;c:\program files\sys\sys.sys [2009-6-23 9344]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2008-10-17 23200]
R2 sys;sys;c:\windows\system32\svchost.exe -k sys [2008-4-14 14336]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [2003-7-10 15488]
R3 MotuPar;MOTU Parallel MIDI Interface;c:\windows\system32\drivers\motupar.sys [2009-5-21 20992]
S3 MotuMidi;MOTU MIDI Device;c:\windows\system32\drivers\motumidi.sys [2009-5-21 26752]
S4 gupdate1c9c3bbe552a38e;Google Update Service (gupdate1c9c3bbe552a38e);c:\program files\google\update\GoogleUpdate.exe [2009-4-22 133104]
S4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-29 859784]

=============== Created Last 30 ================

2009-06-23 21:53 66,048 ----h--- c:\windows\freddy46.exe
2009-06-23 21:53 1 ----h--- c:\windows\bf23567.dat
2009-06-23 21:53 2 a------- c:\windows\0101120101465452.dat
2009-06-23 19:53 2 a------- c:\windows\010112010146118114.dat
2009-06-23 19:53 39,424 ----h--- c:\windows\ld10.exe
2009-06-23 19:53 79,872 a------- c:\windows\system32\6.tmp
2009-06-23 19:53 1 a------- c:\windows\system32\5.tmp
2009-06-23 19:53 108 a------- c:\windows\system32\4.tmp
2009-06-23 12:54 <DIR> --d----- c:\program files\sys
2009-06-20 12:53 <DIR> --d----- c:\docume~1\home\applic~1\DVD Flick
2009-06-20 12:53 40,960 a------- c:\windows\system32\ssubtmr6.dll
2009-06-20 12:53 36,864 a------- c:\windows\system32\trayicon_handler.ocx
2009-06-20 12:53 28,672 a------- c:\windows\system32\mousewheel.ocx
2009-06-20 12:53 <DIR> --d----- c:\program files\DVD Flick
2009-06-14 22:50 <DIR> --d----- c:\program files\Finale PrintMusic 2009
2009-06-10 16:14 <DIR> --d----- c:\program files\Finale NotePad 2009
2009-06-06 21:04 <DIR> --d----- c:\program files\MSXML 4.0
2009-06-06 20:18 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-06 19:24 <DIR> --d----- c:\program files\iPod
2009-06-06 19:22 <DIR> --d----- c:\program files\Bonjour
2009-06-06 17:54 <DIR> --d----- c:\program files\BestPractice
2009-06-06 00:58 <DIR> --d----- c:\program files\Active Data Recovery Software
2009-05-27 23:02 198,144 -------- c:\windows\system32\_psisdecd.dll
2009-05-27 23:02 82,432 a------- c:\windows\system32\msxml4r.dll
2009-05-27 23:02 44,544 a------- c:\windows\system32\msxml4a.dll
2009-05-27 23:01 1,047,552 -------- c:\windows\system32\MFC71u.dll
2009-05-27 22:54 <DIR> --d----- C:\MyWorks
2009-05-27 00:07 <DIR> --d----- c:\program files\Media Player Classic
2009-05-27 00:05 <DIR> --d----- c:\program files\QuickTime Alternative
2009-05-26 22:04 <DIR> --d----- c:\docume~1\home\applic~1\MPEG Streamclip
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-22 20:37 158,192 -------- c:\windows\system32\pxwma.dll
2009-05-21 17:31 15,488 a------- c:\windows\system32\drivers\motubus.sys
2009-05-21 17:21 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-03 14:24 1,313,104 a------- c:\docume~1\home\applic~1\setup.exe
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-11-30 22:37 40,112 a------- c:\docume~1\home\applic~1\GDIPFONTCACHEV1.DAT
2001-10-30 07:11 61,440 a------- c:\windows\inf\i386\onetUSD.dll
2001-09-10 09:00 139,264 a------- c:\windows\inf\i386\Rtscan.dll
2001-08-17 18:43 32,768 a------- c:\windows\inf\i386\Wiamicro.dll
2001-06-29 08:10 163,840 a------- c:\windows\inf\i386\viceo.dll

============= FINISH: 0:14:49.51 ===============

Attached Files


Edited by Orange Blossom, 11 February 2013 - 05:17 AM.
Deactivate link. ~ OB


BC AdBot (Login to Remove)

 


m

#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:11 PM

Posted 27 June 2009 - 02:05 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.  

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine.  Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool.  No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note:  You may have to disable any script protection running if the scan fails to run.  After downloading the tool, disconnect from the internet and disable all antivirus protection.  Run the scan, enable your A/V and reconnect to the internet.  

Information on A/V control HERE

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 rawsaxy

rawsaxy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 27 June 2009 - 10:11 PM

I will re-write the situation for you.
******************************
PC Infected with "wwwamnc1.com", "http://rightbulkselect.com/?q= " & "RAComponents.dll"

I have several related problems within my Windows XP PC.
All Internet Explorer 7 and Firefox internet activity respond the same. There are numerous ActiveX Control Add-ons, such as:
RAComponents.dll, and BJInstaller.dll, as well as McciCMService that keeps running.
GoogleUpdate also keeps on reappearing even after I quit it under "Task Manager".

Also, no Add-on gives me the option to be Deleted under "Delete ActiveX", not these or any other add-on for that matter.
Any webpage I try to access takes very long and any link I click on goes to the following first: <http://rightbulkselect.com/?q=>
then the tab says "Jumping" and finally goes wherever it wants, not where I had clicked.

Another website that keeps opening is: wwwamnc1.com
There also seems to be erratic hard drive activity. Please help.
*******************************************************

DDS (Ver_09-05-14.01) - NTFSx86
Run by Home at 23:08:48.26 on Sat 06/27/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.98 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Home\reader_s.exe
svchost.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\WINDOWS\system32\14.tmp
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Home\My Documents\Spyware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mc381.mail.yahoo.com/mc/welcome?.gx=1&.rand=2vh7qtoe2jnfo
uInternet Connection Wizard,ShellNext = hxxp://www.bible.com/
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: InlineSearchHandleHotKeys Class: {b6ffe2ae-4d12-451f-b457-fe6125ffb1cf} - c:\program files\ieforge\inline search\InlineSearch.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
uRun: [PPWebCap] c:\progra~1\scansoft\paperp~1\PPWebCap.exe
uRun: [BMUpdate] c:\windows\system32\BMUpdate.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [reader_s] c:\documents and settings\home\reader_s.exe
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRunServices: [RegisterDropHandler] c:\progra~1\textbr~1.0\bin\REGIST~1.EXE
dRun: [reader_s] c:\documents and settings\home\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Search Image on TinEye - file://c:\documents and settings\home\my documents\tineye 1.0\TinEye.js
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Trusted Zone: google.com\www
Trusted Zone: yahoo.com\login
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\betipafe.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\cdzijpht.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mc381.mail.yahoo.com/mc/welcome?.gx=1&.rand=8r2brcsegkt2q#_pg=welcome&&.rand=1901480430&hash=57a9f748b505ccc34cc2b10bcd0988e4&.jsrand=1
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\home\application data\idm\bin\flash\platform\winnt\plugins\npidmdcp.dll
FF - plugin: c:\documents and settings\home\application data\mozilla\firefox\profiles\cdzijpht.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - plugin: c:\program files\openoffice.org 3\program\npsoplugin.dll

============= SERVICES / DRIVERS ===============

R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-6-25 18944]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [2008-10-17 23200]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [2003-7-10 15488]
R3 MotuPar;MOTU Parallel MIDI Interface;c:\windows\system32\drivers\motupar.sys [2009-5-21 20992]
S3 MotuMidi;MOTU MIDI Device;c:\windows\system32\drivers\motumidi.sys [2009-5-21 26752]
S4 gupdate1c9c3bbe552a38e;Google Update Service (gupdate1c9c3bbe552a38e);c:\program files\google\update\GoogleUpdate.exe [2009-4-22 133104]
S4 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-29 859784]

=============== Created Last 30 ================

2009-06-27 22:08 67,584 a------- c:\windows\system32\14.tmp
2009-06-27 22:08 84 a------- c:\windows\system32\11.tmp
2009-06-27 13:05 67,584 a------- c:\windows\system32\12.tmp
2009-06-27 13:05 84 a------- c:\windows\system32\F.tmp
2009-06-27 02:38 67,584 a------- c:\windows\system32\10.tmp
2009-06-27 02:38 84 a------- c:\windows\system32\C.tmp
2009-06-27 01:09 67,584 a------- c:\windows\system32\E.tmp
2009-06-27 01:09 84 a------- c:\windows\system32\9.tmp
2009-06-26 16:19 67,584 a------- c:\windows\system32\A.tmp
2009-06-26 16:19 84 a------- c:\windows\system32\7.tmp
2009-06-26 12:39 67,584 a------- c:\windows\system32\8.tmp
2009-06-26 12:39 84 a------- c:\windows\system32\5.tmp
2009-06-25 16:01 <DIR> --dsh--- c:\documents and settings\home\IECompatCache
2009-06-25 15:59 67,584 a------- c:\windows\system32\D.tmp
2009-06-25 15:59 48,128 a------- c:\windows\system32\reader_s.exe
2009-06-25 15:59 48,128 a------- c:\documents and settings\home\reader_s.exe
2009-06-25 15:59 84 a------- c:\windows\system32\B.tmp
2009-06-25 15:58 <DIR> --dsh--- c:\documents and settings\home\IETldCache
2009-06-25 15:52 <DIR> -cd-h--- c:\windows\ie8
2009-06-25 15:20 67,584 a------- c:\windows\system32\6.tmp
2009-06-25 15:20 84 a------- c:\windows\system32\4.tmp
2009-06-25 14:40 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-06-25 10:22 39,936 ----h--- c:\windows\ld11.exe
2009-06-24 10:51 1 a------- c:\windows\123312sd345fdg.dat
2009-06-23 12:54 <DIR> --d----- c:\program files\sys
2009-06-20 12:53 <DIR> --d----- c:\docume~1\home\applic~1\DVD Flick
2009-06-20 12:53 40,960 a------- c:\windows\system32\ssubtmr6.dll
2009-06-20 12:53 36,864 a------- c:\windows\system32\trayicon_handler.ocx
2009-06-20 12:53 28,672 a------- c:\windows\system32\mousewheel.ocx
2009-06-20 12:53 <DIR> --d----- c:\program files\DVD Flick
2009-06-14 22:50 <DIR> --d----- c:\program files\Finale PrintMusic 2009
2009-06-10 16:14 <DIR> --d----- c:\program files\Finale NotePad 2009
2009-06-06 21:04 <DIR> --d----- c:\program files\MSXML 4.0
2009-06-06 20:18 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-06-06 19:24 <DIR> --d----- c:\program files\iPod
2009-06-06 19:22 <DIR> --d----- c:\program files\Bonjour
2009-06-06 17:54 <DIR> --d----- c:\program files\BestPractice
2009-06-06 00:58 <DIR> --d----- c:\program files\Active Data Recovery Software

==================== Find3M ====================

2009-06-25 14:41 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-22 20:37 158,192 -------- c:\windows\system32\pxwma.dll
2009-05-21 17:31 15,488 a------- c:\windows\system32\drivers\motubus.sys
2009-05-21 17:21 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-03 14:24 1,313,104 a------- c:\docume~1\home\applic~1\setup.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-11-30 22:37 40,112 a------- c:\docume~1\home\applic~1\GDIPFONTCACHEV1.DAT
2001-10-30 07:11 61,440 a------- c:\windows\inf\i386\onetUSD.dll
2001-09-10 09:00 139,264 a------- c:\windows\inf\i386\Rtscan.dll
2001-08-17 18:43 32,768 a------- c:\windows\inf\i386\Wiamicro.dll
2001-06-29 08:10 163,840 a------- c:\windows\inf\i386\viceo.dll

============= FINISH: 23:09:12.26 ===============

Attached Files



#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:11 AM

Posted 29 June 2009 - 11:34 AM

Hi,

Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read the requirements and privacy statement then click on the Accept button.
  • The program will launch and start to download the latest definition files.
  • You will be prompted to install an application from Kaspersky. Click Run
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • Click on Save Report As....
  • Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Save this report to a convenient place.
  • Copy and paste that information into your topic.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here

Microsoft Windows Insider MVP 2016

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 rawsaxy

rawsaxy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 29 June 2009 - 09:52 PM

I am blocked from being able to open the link or even typing it in: http://www.kaspersky.com/virusscanner

The virus blocks all attempts to access any website dealing with this. In Firefox as well as Internet Explorer.

#6 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:11 AM

Posted 30 June 2009 - 11:08 AM

Hi,

In that case please upload following files to Virustotal, Jotti orVirscan and post back the results:
c:\windows\system32\lsass.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\svchost.exe

Microsoft Windows Insider MVP 2016

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#7 rawsaxy

rawsaxy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 30 June 2009 - 01:02 PM

c:\windows\system32\lsass.exe

http://www.virustotal.com/analisis/f7794b5...b501-1246314060
=================================
c:\windows\system32\spoolsv.exe

http://www.virustotal.com/analisis/4da494b...dde0-1246384821
=================================
c:\windows\system32\svchost.exe

http://www.virustotal.com/analisis/2910ebc...cdd5-1246384870

#8 rawsaxy

rawsaxy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 30 June 2009 - 04:02 PM

Things are getting worst, and fast. Now there is a RED CIRCLE with a WHITE X in the center in the Taskbar. I no longer have access to Task Manager (Ctrl+Alt+Delete), it gives me a warning "Task Manager has been disabled by your Administrator". I am the Administrator, and there is only my profile since this is my home computer.
I also have no more sound available even when turning up the volumes in the Sound Control Panel. When I raise the lever for the volume it immediately slides back down. The computer will also start to shut-down with a count-down sporadically. This situation is escalating, and fast!

Edited by rawsaxy, 30 June 2009 - 11:59 PM.


#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:11 AM

Posted 01 July 2009 - 11:38 AM

Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/VirutThis kind of infection is contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no quarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Microsoft Windows Insider MVP 2016

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 rawsaxy

rawsaxy
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:04:11 AM

Posted 01 July 2009 - 02:18 PM

Thank you for your advise. I will reformat and re-install windows then. I hope Microsoft doesn't give me a hard time when I have to enter my Product Key again. This has happened a few times.

#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:11:11 AM

Posted 02 July 2009 - 02:33 AM

You're welcome. Hopefully reformat process goes without problems this time.

Microsoft Windows Insider MVP 2016

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users