Google and other Search Engine Hijacked


This topic is locked
13 replies to this topic

#1 cain97

  • Members
  • 8 posts

Posted 02 July 2009 - 03:03 PM

Hi there. I've been trying to remove a persistent bit of malware or something that has hijacked my Google searches (and those on Ask.com as well, now). I keep getting redirected to a number of other commercial sites. I've run AVG, Ad Aware, Malwarebytes, Spybot S&D, CCleaner, all to no avail. My main web browser is Opera 9.64.

I would really appreciate any help you can offer.

CAIN

=========================================

DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 13:53:21.17 on Thu 07/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1220 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Multimedia Card Reader\shwiconem.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunKistEM] c:\program files\multimedia card reader\shwiconem.exe
mRun: [<NO NAME>]
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [MULTIMEDIA KEYBOARD] c:\program files\netropa\multimedia keyboard\MMKeybd.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\timeleft.lnk - c:\program files\timeleft3\TimeLeft.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: WBSrv - c:\program files\stardock\object desktop\windowblinds\wbsrv.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-18 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-14 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-14 27784]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2008-2-15 6656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-14 298776]
R2 Cepstral License Server;Cepstral License Server;c:\program files\cepstral\bin\CepstralLicSrv.exe [2007-3-15 57344]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1005904]
R2 nhksrv;Netropa NHK Server;c:\program files\netropa\multimedia keyboard\nhksrv.exe [2008-2-15 28672]
S3 Dmadc0nmnpsw;Dmadc0nmnpsw; [x]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe --> c:\program files\magix\common\database\bin\fbserver.exe [?]

=============== Created Last 30 ================

2009-06-26 09:57 <DIR> --d----- C:\tg-caps
2009-06-24 22:06 <DIR> --d----- c:\program files\WebReaper
2009-06-18 19:26 <DIR> --d----- C:\rachel2
2009-06-18 19:23 <DIR> --d----- C:\otherpics2
2009-06-16 19:24 <DIR> --d----- C:\3d
2009-06-16 19:22 <DIR> --d----- C:\media
2009-06-16 19:20 <DIR> --d----- C:\writing
2009-06-16 19:20 <DIR> --d----- C:\antivirus
2009-06-16 19:19 <DIR> --d----- C:\james-folders
2009-06-14 15:22 <DIR> --d----- C:\cmdcons
2009-06-14 15:20 161,792 a------- c:\windows\SWREG.exe
2009-06-14 15:20 155,136 a------- c:\windows\PEV.exe
2009-06-14 15:20 98,816 a------- c:\windows\sed.exe
2009-06-14 15:20 <DIR> --ds---- C:\ComboFix
2009-06-14 15:20 389,120 a------- c:\windows\system32\CF3459.exe
2009-06-14 14:46 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-14 14:46 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-14 14:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-03 13:08 <DIR> --d----- c:\docume~1\owner\applic~1\CoreFTP
2009-06-03 13:07 <DIR> --d----- c:\program files\CoreFTP
2009-06-03 13:06 <DIR> --d----- c:\program files\SmartFTP Client 3.0 Setup Files

==================== Find3M ====================

2009-06-25 10:27 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 10:27 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-27 17:08 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-30 15:43 73,216 a------- c:\windows\ST6UNST.EXE
2009-04-30 15:43 286,720 -------- c:\windows\Setup1.exe
2009-04-28 22:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 22:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 06:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 08:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-14 22:42 2,134,016 a------- c:\windows\system32\python26.dll
2008-02-01 23:26 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl0.dat
2008-02-01 23:24 4 ---shr-- c:\docume~1\alluse~1\applic~1\sysqcl1129139270.dat
2009-03-22 16:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032220090323\index.dat

============= FINISH: 13:55:29.39 ===============

Edited by cain97, 02 July 2009 - 03:11 PM.



#2 teacup61

  • Malware Response Team
  • 17,075 posts

Posted 07 July 2009 - 02:58 AM

Hello cain97,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea

#3 cain97

  • Topic Starter

  • Members
  • 8 posts

Posted 07 July 2009 - 10:37 AM

Thanks! Yes, I still haven't managed to get rid of the problem... here's the HJT log.

============================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:57 AM, on 7/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Multimedia Card Reader\shwiconem.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Multimedia Card Reader\shwiconem.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 5275 bytes

#4 teacup61

  • Malware Response Team
  • 17,075 posts

Posted 07 July 2009 - 11:00 AM

Hello,

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

You can reenable TeaTimer once your system is clean.

Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean.

To disable Ad-Watch:

1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
   Active: Switches Monitoring On or Off without closing
   Automatic: Switches Automatic Blocking On or Off
3. Uncheck (red X) both items.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea

Edited by teacup61, 07 July 2009 - 11:00 AM.


#5 cain97

  • Topic Starter

  • Members
  • 8 posts

Posted 07 July 2009 - 02:01 PM

Okay, ComboFix and HijackThis logs...

EDIT: It looks like ComboFix worked - haven't had any hijacks in several searches. Thank you so much for your help! But if you see anything else in these logs that appears suspicious, I would very much like to know - just in case.

Thanks again!

CAIN

=========================

ComboFix 09-07-07.03 - Owner 07/07/2009 12:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1982.1563 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\89176.exe
c:\windows\system32\drivers\SKYNETyeqxdlxy.sys
c:\windows\system32\rtc.dat
c:\windows\system32\SKYNETlgaktimp.dll
c:\windows\system32\SKYNETllvypetq.dat
c:\windows\system32\SKYNETsbornuje.dat
c:\windows\system32\SKYNETwqfrhhbp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETpkcmjkoo


((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-06-29 23:18 . 2009-06-29 23:18 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-06-29 23:18 . 2009-06-29 23:18 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-06-29 23:18 . 2009-06-29 23:18 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-29 23:17 . 2009-06-29 23:17 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-29 23:17 . 2009-06-29 23:17 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-29 23:16 . 2009-06-29 23:16 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-29 23:16 . 2009-06-29 23:16 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-06-29 23:14 . 2009-06-29 23:14 0 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-29 23:13 . 2009-06-29 23:13 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-29 23:13 . 2009-06-29 23:13 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-29 23:13 . 2009-06-29 23:13 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-06-29 23:11 . 2009-06-29 23:11 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-29 23:11 . 2009-06-29 23:11 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-29 23:11 . 2009-06-29 23:11 0 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-06-29 23:10 . 2009-06-29 23:10 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-29 23:09 . 2009-06-29 23:09 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-29 23:09 . 2009-06-29 23:09 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-26 15:57 . 2009-06-26 16:23 -------- d-----w- C:\tg-caps
2009-06-25 04:06 . 2009-06-25 04:06 -------- d-----w- c:\program files\WebReaper
2009-06-19 18:46 . 2009-06-19 18:46 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-19 01:26 . 2009-07-07 16:37 -------- d-----w- C:\rachel2
2009-06-19 01:23 . 2009-06-27 19:43 -------- d-----w- C:\otherpics2
2009-06-17 01:24 . 2009-06-17 01:24 -------- d-----w- C:\3d
2009-06-17 01:22 . 2009-06-17 01:24 -------- d-----w- C:\media
2009-06-17 01:20 . 2009-06-17 01:22 -------- d-----w- C:\writing
2009-06-17 01:20 . 2009-06-17 01:22 -------- d-----w- C:\antivirus
2009-06-17 01:19 . 2009-06-17 01:19 -------- d-----w- C:\james-folders
2009-06-15 00:21 . 2009-06-15 00:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-14 20:46 . 2009-06-17 17:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-14 20:46 . 2009-06-19 18:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 20:46 . 2009-06-17 17:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 16:04 . 2007-12-02 22:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Jarte
2009-07-06 04:57 . 2009-05-18 21:40 -------- d-----w- c:\program files\SpeedFan
2009-07-05 18:45 . 2006-06-23 21:23 195000 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-25 16:27 . 2009-04-14 16:55 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 16:27 . 2009-04-14 16:55 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 16:27 . 2009-04-14 16:55 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-19 02:23 . 2009-02-26 18:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-14 19:13 . 2009-02-26 18:25 -------- d-----w- c:\program files\CCleaner
2009-06-13 20:55 . 2007-02-11 21:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-13 20:37 . 2008-11-10 07:08 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2009-06-03 19:08 . 2009-06-03 19:08 -------- d-----w- c:\documents and settings\Owner\Application Data\CoreFTP
2009-06-03 19:07 . 2009-06-03 19:07 -------- d-----w- c:\program files\CoreFTP
2009-06-03 19:06 . 2009-06-03 19:06 -------- d-----w- c:\program files\SmartFTP Client 3.0 Setup Files
2009-05-27 23:08 . 2009-05-27 23:08 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-27 23:08 . 2009-03-27 19:45 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-22 23:48 . 2009-05-05 01:46 -------- d-----w- c:\documents and settings\Owner\Application Data\MAXON
2009-05-17 04:11 . 2009-05-16 19:31 -------- d-----w- c:\program files\Celtx
2009-05-16 19:32 . 2009-05-16 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Greyfirst
2009-05-09 17:00 . 2007-04-29 05:55 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-05-09 17:00 . 2007-04-29 05:54 -------- d-----w- c:\program files\BitTorrent
2009-05-08 22:17 . 2009-02-28 02:50 -------- d-----w- c:\program files\TextAloud
2009-05-07 15:32 . 2004-08-12 13:59 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-30 21:43 . 2009-04-30 21:43 286720 ------w- c:\windows\Setup1.exe
2009-04-30 21:43 . 2009-04-30 21:43 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-04-29 04:56 . 2004-08-12 14:09 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-12 13:58 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-22 23:08 . 2009-04-22 23:08 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-22 23:08 . 2009-03-18 23:08 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-17 12:26 . 2004-08-12 14:09 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-12 14:04 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 04:42 . 2009-04-15 04:42 2134016 ----a-w- c:\windows\system32\python26.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-17 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Multimedia Card Reader\shwiconem.exe" [2004-11-24 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-06-03 172032]
"MULTIMEDIA KEYBOARD"="c:\program files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 180224]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-27 518488]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-10-28 181544]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-05-25 67584]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-05-25 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-05-25 147456]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft.exe [2009-2-16 1981104]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-6 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-05-20 00:01 229376 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 16:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\quake iii\\Quake3\\quake3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6348:TCP"= 6348:TCP:bearshare

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/18/2009 5:08 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/14/2009 10:55 AM 327688]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\Msikbd2k.sys [2/15/2008 12:16 AM 6656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/14/2009 10:55 AM 298776]
R2 Cepstral License Server;Cepstral License Server;c:\program files\Cepstral\bin\CepstralLicSrv.exe [3/15/2007 2:54 PM 57344]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 1:06 PM 1005904]
R2 nhksrv;Netropa NHK Server;c:\program files\Netropa\Multimedia Keyboard\nhksrv.exe [2/15/2008 12:16 AM 28672]
S3 Dmadc0nmnpsw;Dmadc0nmnpsw; [x]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe --> c:\program files\MAGIX\Common\Database\bin\fbserver.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:08]

2009-07-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-2111687655-682003330-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-17 00:40]

2009-07-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-448539723-2111687655-682003330-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-17 00:40]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 12:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-2111687655-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DB0DDAFD-C2D4-D5F1-DE1F-36381D9FA21F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iagkopddlpebnhalde"=hex:69,61,67,6c,6d,6f,62,6a,61,6f,6c,6e,6c,6d,6a,6d,70,6e,
00,00
"hamhekapfjbiiiik"=hex:6a,61,70,6c,70,64,6b,6c,67,6e,6c,6c,70,68,65,68,62,6a,
6a,61,00,d3

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DB0DDAFD-C2D4-D5F1-DE1F-36381D9FA21F}\InProcServer32*]
"jaalcoajkiepcmaglakn"=hex:69,61,67,6c,6d,6f,62,6a,61,6f,6c,6e,6c,6d,6a,6d,70,
6e,00,00
"iaalmnchlaaghbeeci"=hex:6a,61,70,6c,70,64,6b,6c,67,6e,6c,6c,70,68,65,68,62,6a,
6a,61,00,d3
"cbalfpmglidljnlcinnknoddjbegneaffmacek"=hex:63,62,70,6c,62,65,67,6d,65,6e,64,
67,6c,6e,6c,62,64,6a,70,69,6c,70,62,63,68,6e,70,63,6d,64,6e,6f,65,65,6d,6a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
.
Completion time: 2009-07-07 12:53
ComboFix-quarantined-files.txt 2009-07-07 18:51

Pre-Run: 29,935,591,424 bytes free
Post-Run: 29,920,665,600 bytes free

188 --- E O F --- 2009-06-11 01:16


=======================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:35 PM, on 7/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\CF4696.exe
C:\WINDOWS\PEV.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Multimedia Card Reader\shwiconem.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - Unknown owner - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe (file missing)
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 4579 bytes

Edited by cain97, 07 July 2009 - 02:41 PM.
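The LOCKED REGISTRY KEYS section of the ComboFix log above is the part worth a second look: catchme marks each key as locked with a trailing '*', the ACL line shows only Read for RestrictedCode, and the values are random-looking names holding REG_BINARY data that the log wraps across lines and, for the last one, truncates after a continuation backslash. The following is an added example, not code from the thread and not a ComboFix or catchme feature, that parses that section back into bytes and reads each value as a NUL-terminated ANSI string. The sample text is copied from the post above, including the cut-off last value.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: the LOCKED REGISTRY KEYS section of the ComboFix log
# above, copied as text. The last value ends with a continuation backslash
# and no following line, exactly as the log prints it.
SAMPLE_LOG = r'''
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-448539723-2111687655-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DB0DDAFD-C2D4-D5F1-DE1F-36381D9FA21F}*]
@Allowed: (Read) (RestrictedCode)
"iagkopddlpebnhalde"=hex:69,61,67,6c,6d,6f,62,6a,61,6f,6c,6e,6c,6d,6a,6d,70,6e,
00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DB0DDAFD-C2D4-D5F1-DE1F-36381D9FA21F}\InProcServer32*]
"jaalcoajkiepcmaglakn"=hex:69,61,67,6c,6d,6f,62,6a,61,6f,6c,6e,6c,6d,6a,6d,70,
6e,00,00
"iaalmnchlaaghbeeci"=hex:6a,61,70,6c,70,64,6b,6c,67,6e,6c,6c,70,68,65,68,62,6a,
6a,61,00,d3
"cbalfpmglidljnlcinnknoddjbegneaffmacek"=hex:63,62,70,6c,62,65,67,6d,65,6e,64,
67,6c,6e,6c,62,64,6a,70,69,6c,70,62,63,68,6e,70,63,6d,64,6e,6f,65,65,6d,6a,\
.
'''

KEY_RE = re.compile(r'^\[(.+?)(\*?)\]$')          # [path*]: '*' marks a locked key
VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')    # "name"=hex:aa,bb,...
CONT_RE = re.compile(r'^[0-9a-fA-F,\\\s]+$')      # a wrapped line of hex pairs


class HexValue(NamedTuple):
    key: str
    locked: bool
    name: str
    raw: bytes
    truncated: bool   # True when the log stops at a trailing backslash


def parse_hex_values(log_text: str) -> List[HexValue]:
    """Walk a catchme/ComboFix registry dump and return every hex value with
    its bytes, re-joining the lines the log wrapped."""
    lines = log_text.splitlines()
    out: List[HexValue] = []
    key, locked, i = '', False, 0
    while i < len(lines):
        line = lines[i].strip()
        m = KEY_RE.match(line)
        if m:
            key, locked = m.group(1), m.group(2) == '*'
            i += 1
            continue
        m = VALUE_RE.match(line)
        if m:
            name, chunks = m.group(1), [m.group(2).strip()]
            i += 1
            # Continuation lines carry nothing but hex pairs, commas and
            # an optional trailing backslash; anything else ends the value.
            while i < len(lines) and lines[i].strip() and CONT_RE.match(lines[i].strip()):
                chunks.append(lines[i].strip())
                i += 1
            joined = ''.join(chunks)
            truncated = joined.endswith('\\')
            tokens = [t for t in joined.replace('\\', '').split(',') if t]
            out.append(HexValue(key, locked, name, bytes(int(t, 16) for t in tokens), truncated))
            continue
        i += 1
    return out


def decode_value(raw: bytes) -> Tuple[str, bytes]:
    """Read the bytes as a NUL-terminated ANSI string and return
    (text, whatever follows the NUL). Non-printable bytes are escaped."""
    nul = raw.find(b'\x00')
    body, tail = (raw, b'') if nul < 0 else (raw[:nul], raw[nul + 1:])
    text = ''.join(chr(b) if 32 <= b < 127 else '\\x%02x' % b for b in body)
    return text, tail


if __name__ == '__main__':
    for v in parse_hex_values(SAMPLE_LOG):
        text, tail = decode_value(v.raw)
        flag = ' (truncated in log)' if v.truncated else ''
        print(f'{v.key.split(chr(92))[-1]:<20} locked={v.locked} {v.name} -> {text!r} tail={tail!r}{flag}')
```

Run it and the four values decode to plain lowercase strings, with the HKEY_USERS value and the first InProcServer32 value holding byte-for-byte identical data. A CLSID InProcServer32 key that is ACL-locked against the user and carries nothing but random-named binary blobs is a pattern worth flagging on its own, independently of whether any scanner later names it.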


#6 teacup61 (Malware Response Team)

Posted 08 July 2009 - 10:46 AM

Hello,

Good to know it's better. :)

I see you have MBAM already... please run a scan with it, if you haven't since you ran ComboFix, and post the report in your reply. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 cain97 (Topic Starter)

Posted 09 July 2009 - 10:07 PM

Okay, here's the log... thanks again for your help! :thumbup2:

CAIN

=======================

Malwarebytes' Anti-Malware 1.38
Database version: 2401
Windows 5.1.2600 Service Pack 3

7/9/2009 8:36:24 PM
mbam-log-2009-07-09 (20-36-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 363333
Time elapsed: 3 hour(s), 5 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\SKYNETwqfrhhbp.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{76e69bd3-e260-4941-ac95-e2feeaf42612}\RP0\A0000002.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
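Both hits in the log above sit in places that cannot execute: ComboFix's Qoobox quarantine (note the .vir suffix it adds) and a System Restore point under System Volume Information. The next reply makes that call by eye. The following added example, not part of the thread and not MBAM's own code, parses the MBAM item lines and makes the same call mechanically, so only a detection at a live path is treated as an active infection. The sample is the 'Files Infected' section copied from the log; the generic '\quarantine\' marker is an assumption to cover quarantine folders of other tools.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the 'Files Infected' section of the MBAM log above, verbatim.
SAMPLE_MBAM = r"""Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\system32\SKYNETwqfrhhbp.dll.vir (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{76e69bd3-e260-4941-ac95-e2feeaf42612}\RP0\A0000002.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

# MBAM item line: <path> (<detection name>) -> <action taken>
ITEM_RE = re.compile(r'^(?P<path>.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$')
# System Restore keeps copies under \System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(r'\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\')
# ComboFix parks what it removes under C:\Qoobox\Quarantine with a .vir suffix.
# The bare '\quarantine\' fragment is an assumption covering other tools' folders.
QUARANTINE_MARKERS = ('\\qoobox\\quarantine\\', '\\quarantine\\')


class Detection(NamedTuple):
    path: str
    name: str
    action: str
    location: str   # 'live', 'quarantine' or 'restore_point'


def classify_path(path: str) -> str:
    """Say where a detected object lives. Quarantine and restore-point
    copies are inert; anything else is treated as live."""
    p = path.lower().replace('/', '\\')
    if RESTORE_RE.search(p):
        return 'restore_point'
    if p.endswith('.vir') or any(marker in p for marker in QUARANTINE_MARKERS):
        return 'quarantine'
    return 'live'


def parse_detections(log: str) -> List[Detection]:
    """Collect every item line from an MBAM log, whichever section it is in."""
    out: List[Detection] = []
    for raw in log.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            path = m.group('path')
            out.append(Detection(path, m.group('name'), m.group('action'), classify_path(path)))
    return out


def live_detections(log: str) -> List[Detection]:
    """The subset that still matters after a scan: hits at live paths."""
    return [d for d in parse_detections(log) if d.location == 'live']


if __name__ == '__main__':
    for d in parse_detections(SAMPLE_MBAM):
        print(f'{d.location:<14} {d.name:<14} {d.path}')
    print('live detections:', len(live_detections(SAMPLE_MBAM)))
```

The point of the .vir and restore-point checks is to stop a second scanner's hits on another tool's leftovers from being read as reinfection, which is exactly the question the next reply answers; a hit on the same SKYNET-prefixed DLL at its original system32 path would classify as live and would mean the rootkit was back.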

#8 teacup61 (Malware Response Team)

Posted 10 July 2009 - 08:02 AM

Hello,

You're welcome, and thanks for the report. :thumbup2:

Neither of those is a threat to you, so no worries. There is a file I'd like to check on. Looks bad, but I want to be sure before I ask you to delete it. :)

Please navigate to the following file:

c:\windows\system32\wbsys.dll

Please go to VirusTotal and submit the file for a scan and post the results in your next reply.

Thanks,
tea

#9 cain97 (Topic Starter)

Posted 10 July 2009 - 01:15 PM

Here is the VirusTotal result:

File has already been analysed: MD5: 58ab659849b3d4ac37f784c1af113990
First received: 2007.10.06 20:08:17 UTC
Date: 2009.07.10 07:44:36 UTC [<1D]
Results: 0/41
Permalink: analisis/af28d1beb5e78fe0a950c6d1c1781387be6f8d5452346e2b95a67716438e8c9c-1247211876

==========================

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.10 -
AhnLab-V3 5.0.0.2 2009.07.09 -
AntiVir 7.9.0.204 2009.07.10 -
Antiy-AVL 2.0.3.1 2009.07.10 -
Authentium 5.1.2.4 2009.07.09 -
Avast 4.8.1335.0 2009.07.09 -
AVG 8.5.0.387 2009.07.09 -
BitDefender 7.2 2009.07.10 -
CAT-QuickHeal 10.00 2009.07.10 -
ClamAV 0.94.1 2009.07.09 -
Comodo 1601 2009.07.10 -
DrWeb 5.0.0.12182 2009.07.10 -
eSafe 7.0.17.0 2009.07.09 -
eTrust-Vet 31.6.6606 2009.07.09 -
F-Prot 4.4.4.56 2009.07.09 -
F-Secure 8.0.14470.0 2009.07.10 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.10 -
Ikarus T3.1.1.64.0 2009.07.10 -
Jiangmin 11.0.706 2009.07.09 -
K7AntiVirus 7.10.788 2009.07.09 -
Kaspersky 7.0.0.125 2009.07.10 -
McAfee 5671 2009.07.09 -
McAfee+Artemis 5671 2009.07.09 -
McAfee-GW-Edition 6.8.5 2009.07.10 -
Microsoft 1.4803 2009.07.10 -
NOD32 4230 2009.07.10 -
Norman 6.01.09 2009.07.09 -
nProtect 2009.1.8.0 2009.07.10 -
Panda 10.0.0.14 2009.07.09 -
PCTools 4.4.2.0 2009.07.09 -
Prevx 3.0 2009.07.10 -
Rising 21.37.41.00 2009.07.10 -
Sophos 4.43.0 2009.07.10 -
Sunbelt 3.2.1858.2 2009.07.10 -
Symantec 1.4.4.12 2009.07.10 -
TheHacker 6.3.4.3.363 2009.07.08 -
TrendMicro 8.950.0.1094 2009.07.10 -
VBA32 3.12.10.8 2009.07.10 -
ViRobot 2009.7.10.1828 2009.07.10 -
VirusBuster 4.6.5.0 2009.07.09 -
Additional information
File size: 42672 bytes
MD5 : 58ab659849b3d4ac37f784c1af113990
SHA1 : b4bd0552e335f13cea8b974e76bad975316b56a3
SHA256: af28d1beb5e78fe0a950c6d1c1781387be6f8d5452346e2b95a67716438e8c9c
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16B9
timedatestamp.....: 0x3E5D314E (Wed Feb 26 22:27:42 2003)
machinetype.......: 0x14C (Intel I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x36FC 0x4000 6.20 da1cae375c43a63910604d021c0780a3
.rdata 0x5000 0xA20 0x1000 3.89 7ed638590e745b13df2c6674a26ffc45
.data 0x6000 0x1080 0x1000 2.05 3ebcbaad2b7707bf8608c99820ee45c5
.rsrc 0x8000 0x43C 0x1000 1.13 0aafb04508ea32ef1da3869cdeb43dee
.reloc 0x9000 0xB32 0x1000 2.67 80f54ef3e0e54d76529a65246b9109e1

( 2 imports )

> advapi32.dll: RegCreateKeyA, RegCloseKey, RegQueryValueExA
> kernel32.dll: GetCurrentProcess, LoadLibraryA, GetProcAddress, IsBadReadPtr, IsBadWritePtr, GetModuleHandleA, HeapDestroy, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, TlsGetValue, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, WriteProcessMemory, HeapCreate, VirtualFree, HeapFree, WriteFile, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapAlloc, GetCPInfo, GetACP, GetOEMCP, VirtualAlloc, HeapReAlloc, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, RtlUnwind

( 0 exports )
TrID : File type identification
62.5% (.EXE) Win64 Executable Generic (85619/45/3)
22.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
6.2% (.EXE) Win32 Executable Generic (8527/13/3)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (7583/30/2)
1.4% (.EXE) Generic Win/DOS Executable (2002/3)
ssdeep: 768:OxALTsG2A9ygnIXmbFQ1gNJEWqfn+HXnnlHiL3c:O6LTsG2A4gn1BSg3qP+HXnnY
PEiD : Armadillo v1.xx - v2.xx
CWSandbox: http://research.sunbelt-software.com/partn...7f784c1af113990
RDS : NSRL Reference Data Set
-
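A VirusTotal summary like the one above only describes the sample that was uploaded, so the check a practitioner wants is that the file still sitting in system32 is that sample, compared on SHA-256 rather than the MD5 the summary leads with. The following is an added example, not part of the thread and not a VirusTotal tool, that pulls the digests and detection ratio out of a pasted summary, hashes a local file, and says whether they describe the same bytes; the sample text is the head of the summary posted above.

```python
import hashlib
import re
from typing import Dict

# Constructed sample: the first lines of the VirusTotal summary pasted above.
VT_SUMMARY = """File has already been analysed: MD5: 58ab659849b3d4ac37f784c1af113990
First received: 2007.10.06 20:08:17 UTC
Date: 2009.07.10 07:44:36 UTC [<1D]
Results: 0/41
File size: 42672 bytes
MD5 : 58ab659849b3d4ac37f784c1af113990
SHA1 : b4bd0552e335f13cea8b974e76bad975316b56a3
SHA256: af28d1beb5e78fe0a950c6d1c1781387be6f8d5452346e2b95a67716438e8c9c
"""

HASH_LEN = {'md5': 32, 'sha1': 40, 'sha256': 64}
HASH_RE = re.compile(r'\b(md5|sha1|sha256)\s*:\s*([0-9a-fA-F]+)', re.I)
RESULTS_RE = re.compile(r'^Results:\s*(\d+)/(\d+)', re.M)
SIZE_RE = re.compile(r'^File size:\s*(\d+)\s*bytes', re.M)


def parse_vt_summary(text: str) -> Dict[str, object]:
    """Extract digests, file size and detection ratio from a pasted summary.
    A digest of the wrong length for its algorithm is ignored, not trusted."""
    out: Dict[str, object] = {}
    for algo, digest in HASH_RE.findall(text):
        algo = algo.lower()
        if len(digest) == HASH_LEN[algo]:
            out.setdefault(algo, digest.lower())
    m = RESULTS_RE.search(text)
    if m:
        out['detections'], out['engines'] = int(m.group(1)), int(m.group(2))
    m = SIZE_RE.search(text)
    if m:
        out['size'] = int(m.group(1))
    return out


def hash_bytes(data: bytes) -> Dict[str, str]:
    """All three digests of an in-memory blob."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LEN}


def hash_file(path: str) -> Dict[str, str]:
    """All three digests of a file, streamed so large files are fine."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_LEN}
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b''):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def same_sample(local: Dict[str, str], report: Dict[str, object]) -> str:
    """'match' when every digest the report carries agrees and at least one
    is SHA-1 or SHA-256; 'weak-match' when only MD5 was available, since MD5
    collisions are practical; 'mismatch' or 'unknown' otherwise."""
    checked = [a for a in ('sha256', 'sha1', 'md5') if a in report]
    if not checked:
        return 'unknown'
    if any(local[a] != report[a] for a in checked):
        return 'mismatch'
    return 'weak-match' if checked == ['md5'] else 'match'


if __name__ == '__main__':
    import sys
    report = parse_vt_summary(VT_SUMMARY)
    local = hash_file(sys.argv[1])           # e.g. C:\WINDOWS\system32\wbsys.dll
    print(local['sha256'], same_sample(local, report),
          f"{report.get('detections')}/{report.get('engines')} engines flagged the sample")
```

Two caveats the numbers above do not carry by themselves. A 0/41 result says only that no engine flags the file; what actually settles wbsys.dll is its identity, a Stardock WindowBlinds component (the same product whose wbsrv.dll ComboFix shows loaded in winlogon.exe), and AppInit_DLLs is a legitimate load point that both such hook DLLs and malware use, so the O20 line alone is neither verdict. And the PEiD 'Armadillo' tag is a packer signature commonly seen on commercial software, not a detection.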

#10 teacup61 (Malware Response Team)

Posted 10 July 2009 - 01:17 PM

Very good. :thumbup2: How is it running please? Any crashes?

#11 cain97 (Topic Starter)

Posted 10 July 2009 - 01:23 PM

Nope - running just fine now. No crashes, no hijacks, nothing out of the ordinary.

Thank you so much for your help on this - I was afraid I'd have to reformat and reinstall XP. You've saved me an awful lot of work and time.

I appreciate your walking me through this! :thumbup2:

CAIN

#12 teacup61 (Malware Response Team)

Posted 10 July 2009 - 01:35 PM

Excellent to know, and you're most welcome. :thumbup2: I know it's frustrating and sometimes scary... and I'm a total stranger asking you to trust me.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it (something you'll remember) and click Create. When the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.

MBAM should come up clean now. :) If you haven't already, be sure to re-enable Tea Timer and Ad Watch.

Great tips and info-----> http://mvps.org/winhelp2002/unwanted.htm

Take care!
tea

#13 cain97 (Topic Starter)

Posted 10 July 2009 - 07:50 PM

I'm typing this from my backup laptop...

Well, I think I forgot to re-enable some part of my antivirus protection... :thumbup2: Any more scans have become irrelevant thanks to a bonehead move on my part. I ended up with some bogus XP antivirus program which prevented me from opening any other antivirus programs, and when I tried to boot in safe mode it locked up. Now it won't boot at all, so I'm doing a full format and reinstall of XP.

I'm sorry you worked so much with me only to have me screw it all up. I'll try to be more careful in the future. :)

Thank you for all your help.

CAIN

Edited by cain97, 10 July 2009 - 07:51 PM.


#14 teacup61 (Malware Response Team)

Posted 14 July 2009 - 11:54 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.