
Searches redirected - Striking Offers, Ave99, etc.


  • This topic is locked
11 replies to this topic

#1 bendylson

bendylson

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Location:Wash DC
  • Local time:06:57 PM

Posted 08 July 2009 - 10:27 AM

Hello again, wonderful helpers. I've got a desktop that keeps redirecting to various mystery IPs, with names like Striking Offers, Ave99, UpliftSearch, etc. Previously, I was getting the AntiVirus System PRO pop-ups on my desktop and used both MBAM and HJT to remove the Trojan files and registry items. Since then, I've run MBAM several times and am getting no malicious items but still getting the redirects. I do notice some odd items in the DDS log, but would prefer to have some professional guidance before going off all half-cocked.

Your careful assistance would be most appreciated. Thank you in advance.

My DDS files are below and attached. I can also send a recent HJT scan if necessary.


DDS (Ver_09-06-26.01) - NTFSx86
Run by bsonnet at 11:11:02.76 on Wed 07/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2733 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k sfx
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\FedEx\FedEx Desktop\FedEx Desktop.exe
C:\Program Files\iPod\bin\iPodService.exe
svchost
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\bsonnet\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
StartupFolder: c:\docume~1\bsonnet\startm~1\programs\startup\fedexd~1.lnk - c:\program files\fedex\fedex desktop\FedEx Desktop.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1246300071352
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\progra~1\google\google~4\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bsonnet\applic~1\mozilla\firefox\profiles\6yzjd6ik.default\
FF - prefs.js: browser.startup.homepage - igoogle.com
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R?2 sfx;sfx;c:\windows\system32\svchost.exe -k sfx [2008-4-14 14336]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R1 sfxdrv;sfxdrv;c:\program files\sfx\sfx.sys [2009-7-7 9472]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-2-29 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-2-29 242808]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090703.004\naveng.sys [2009-7-3 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090703.004\navex15.sys [2009-7-3 876144]
S2 gupdate1c9f8ec6642e83d;Google Update Service (gupdate1c9f8ec6642e83d);c:\program files\google\update\GoogleUpdate.exe [2009-6-29 133104]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-2-29 87160]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-6-29 30192]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-3-12 169192]

=============== Created Last 30 ================

2009-07-07 11:57 <DIR> --d----- c:\program files\Trend Micro
2009-07-07 11:23 1 a------- c:\windows\934fdfg34fgjf23
2009-07-07 11:23 <DIR> --d----- c:\program files\sfx
2009-07-06 11:22 <DIR> --d----- c:\docume~1\bsonnet\applic~1\FedEx
2009-07-06 11:22 <DIR> --d----- c:\docume~1\bsonnet\applic~1\FedExDesktop.026F9BDCA0F141E500950436A5D33181EE6B8EF5.1
2009-07-06 11:22 <DIR> --d----- c:\program files\FedEx
2009-07-01 18:51 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-07-01 18:51 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-07-01 18:51 <DIR> --d----- c:\program files\common files\DivX Shared
2009-07-01 18:51 <DIR> --d----- c:\program files\DivX
2009-07-01 14:04 <DIR> --d----- c:\docume~1\bsonnet\applic~1\Windows Search
2009-07-01 13:22 <DIR> --d----- c:\program files\Samsung
2009-06-30 14:32 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-30 14:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-30 14:31 <DIR> --d----- c:\program files\iPod
2009-06-30 14:31 <DIR> --d----- c:\program files\iTunes
2009-06-30 14:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-30 14:31 <DIR> --d----- c:\program files\Bonjour
2009-06-30 14:04 <DIR> --d----- c:\docume~1\bsonnet\applic~1\TuneUpMedia
2009-06-30 14:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUpMedia
2009-06-30 11:02 87,608 a------- c:\docume~1\bsonnet\applic~1\inst.exe
2009-06-30 11:02 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-06-30 11:02 47,360 a------- c:\docume~1\bsonnet\applic~1\pcouffin.sys
2009-06-30 11:02 1,184,984 a------- c:\windows\system32\wvc1dmod.dll
2009-06-30 11:02 626,688 a------- c:\windows\system32\vp7vfw.dll
2009-06-30 11:02 217,127 a------- c:\windows\system32\drv43260.dll
2009-06-30 11:02 208,935 a------- c:\windows\system32\drv33260.dll
2009-06-30 11:02 176,165 a------- c:\windows\system32\drv23260.dll
2009-06-30 11:02 102,439 a------- c:\windows\system32\sipr3260.dll
2009-06-30 11:02 65,602 a------- c:\windows\system32\cook3260.dll
2009-06-30 11:02 <DIR> --d----- c:\program files\VSO
2009-06-30 09:44 <DIR> --d----- c:\docume~1\bsonnet\applic~1\Teleca
2009-06-29 18:46 <DIR> --d----- c:\docume~1\bsonnet\applic~1\Malwarebytes
2009-06-29 18:46 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-29 18:46 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 18:46 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 18:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-29 16:17 562,280 a------- c:\windows\system32\Cfx4032.ocx
2009-06-29 16:17 317,952 a------- c:\windows\system32\ROBOEX32.DLL
2009-06-29 16:17 244,232 a------- c:\windows\system32\MSFLXGRD.OCX
2009-06-29 16:17 140,096 a------- c:\windows\system32\COMDLG32.OCX
2009-06-29 16:17 133,904 a------- c:\windows\system32\mfcans32.dll
2009-06-29 16:17 115,016 a------- c:\windows\system32\Msinet.ocx
2009-06-29 16:17 109,056 a------- c:\windows\system32\mfcuiw32.dll
2009-06-29 16:17 108,032 a------- c:\windows\system32\mfcuia32.dll
2009-06-29 16:17 119,296 a------- c:\windows\system32\SfxBar.dll
2009-06-29 15:35 89,088 a------- c:\windows\system32\atl71.dll
2009-06-29 15:13 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-06-29 15:12 <DIR> --d----- c:\program files\common files\SureThing Shared
2009-06-29 15:12 99,176 a------- c:\windows\system32\drivers\DRVMCDB.SYS
2009-06-29 15:12 92,920 a------- c:\windows\DLA.EXE
2009-06-29 15:12 56,056 a------- c:\windows\system32\DLAAPI_W.DLL
2009-06-29 15:12 51,768 a------- c:\windows\system32\drivers\DRVNDDM.SYS
2009-06-29 15:12 28,184 a------- c:\windows\system32\drivers\DLARTL_M.SYS
2009-06-29 15:12 12,920 a------- c:\windows\system32\drivers\DLACDBHM.SYS
2009-06-29 15:12 168 a------- c:\windows\wininit.ini
2009-06-29 15:12 <DIR> --d----- c:\windows\system32\DLA
2009-06-29 15:12 <DIR> --d----- c:\program files\Roxio
2009-06-29 15:07 <DIR> --d----- c:\docume~1\bsonnet\applic~1\Sony Ericsson
2009-06-29 15:07 <DIR> --d----- c:\program files\common files\Sony Ericsson Shared
2009-06-29 15:07 <DIR> --d----- c:\program files\common files\Teleca Shared
2009-06-29 15:07 <DIR> --d----- c:\program files\Sony Ericsson
2009-06-29 15:07 <DIR> --d----- c:\windows\Downloaded Installations
2009-06-29 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Teleca
2009-06-29 14:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Ericsson
2009-06-29 14:56 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-06-29 14:56 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-06-29 14:53 <DIR> --d----- c:\docume~1\bsonnet\applic~1\Acoustica
2009-06-29 14:53 <DIR> --d----- c:\program files\Acoustica CD Label Maker
2009-06-29 14:47 6,272 ac------ c:\windows\system32\dllcache\splitter.sys
2009-06-29 14:47 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-06-29 14:47 83,072 ac------ c:\windows\system32\dllcache\wdmaud.sys
2009-06-29 14:47 83,072 a------- c:\windows\system32\drivers\wdmaud.sys
2009-06-29 14:47 52,864 ac------ c:\windows\system32\dllcache\dmusic.sys
2009-06-29 14:47 52,864 a------- c:\windows\system32\drivers\DMusic.sys
2009-06-29 14:47 56,576 ac------ c:\windows\system32\dllcache\swmidi.sys
2009-06-29 14:47 56,576 a------- c:\windows\system32\drivers\swmidi.sys
2009-06-29 14:47 142,592 ac------ c:\windows\system32\dllcache\aec.sys
2009-06-29 14:47 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-06-29 14:47 172,416 ac------ c:\windows\system32\dllcache\kmixer.sys
2009-06-29 14:47 172,416 a------- c:\windows\system32\drivers\kmixer.sys
2009-06-29 14:46 <DIR> --d----- c:\program files\SigmaTel
2009-06-29 14:40 <DIR> --d----- c:\program files\uTorrent
2009-06-29 14:40 <DIR> --d----- c:\docume~1\bsonnet\applic~1\uTorrent
2009-06-29 14:39 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-06-29 14:38 278,584 a------- c:\windows\system32\HPZidr12.dll
2009-06-29 14:38 204,800 a------- c:\windows\system32\HPZipr12.dll
2009-06-29 14:38 94,208 a------- c:\windows\system32\HPZipt12.dll
2009-06-29 14:38 69,632 a------- c:\windows\system32\HPZipm12.exe
2009-06-29 14:38 61,440 a------- c:\windows\system32\HPZinw12.exe
2009-06-29 14:38 57,344 a------- c:\windows\system32\HPZisn12.dll
2009-06-29 14:38 306,688 a------- c:\windows\IsUninst.exe
2009-06-29 14:38 <DIR> --d----- c:\program files\HP
2009-06-29 14:37 69,443 a------- c:\windows\hpoins05.dat
2009-06-29 14:37 19,696 -------- c:\windows\hpomdl05.dat
2009-06-29 14:37 51,120 a------- c:\windows\system32\drivers\HPZid412.sys
2009-06-29 14:37 21,744 a------- c:\windows\system32\drivers\HPZius12.sys
2009-06-29 14:37 16,496 a------- c:\windows\system32\drivers\HPZipr12.sys
2009-06-29 14:37 581,632 a------- c:\windows\system32\hpotscl.dll
2009-06-29 14:37 278,528 a------- c:\windows\system32\hpgwiamd.dll
2009-06-29 14:37 274,432 a------- c:\windows\system32\HPZc3212.dll
2009-06-29 14:37 229,376 a------- c:\windows\system32\hpovst08.dll
2009-06-29 14:37 393,216 a------- c:\windows\system32\hpzcon12.dll
2009-06-29 14:37 196,608 a------- c:\windows\system32\hpzcoi12.dll
2009-06-29 14:37 139,345 a------- c:\windows\system32\hpzlnt12.dll
2009-06-29 14:36 <DIR> --d----- c:\temp\HP_WebRelease
2009-06-29 14:36 <DIR> --d----- C:\Temp
2009-06-29 14:30 <DIR> --d----- c:\windows\system32\PreInstall
2009-06-29 14:30 <DIR> --d-h--- c:\windows\$hf_mig$
2009-06-29 14:28 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-06-29 14:28 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-06-29 14:28 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-06-29 14:28 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-06-29 14:28 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-06-29 14:27 <DIR> --ds---- c:\documents and settings\bsonnet\UserData
2009-06-29 12:37 <DIR> --d----- c:\docume~1\bsonnet\applic~1\Flickr
2009-06-29 12:29 <DIR> --d----- c:\program files\Flickr Uploadr
2009-06-29 11:26 <DIR> --d----- C:\dell
2009-06-29 11:10 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-06-29 11:10 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-06-29 11:10 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-06-29 11:07 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-06-29 11:07 14,736 a------- c:\windows\system32\drivers\nuidfltr.sys
2009-06-29 11:07 <DIR> --d----- c:\program files\Microsoft IntelliType Pro
2009-06-29 09:37 <DIR> --d----- c:\docume~1\bsonnet\applic~1\Windows Desktop Search
2009-06-29 09:37 <DIR> --d----- c:\documents and settings\bsonnet
2009-06-29 09:36 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-06-29 09:36 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-06-26 16:51 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-06-26 16:51 <DIR> --d----- c:\program files\Windows Desktop Search
2009-06-26 16:51 23,856 a------- c:\windows\system32\spupdsvc.exe
2009-06-26 16:37 3,248 a------- c:\windows\system32\wbem\Outlook_01c9f69ddbd80bbb.mof
2009-06-26 16:36 83,168 a------- c:\windows\system32\S32EVNT1.DLL
2009-06-26 16:36 82,832 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-06-26 16:35 <DIR> --d----- c:\program files\Symantec AntiVirus
2009-06-26 14:21 <DIR> --d----- C:\email
2009-06-26 13:21 <DIR> --d----- c:\windows\SchCache
2009-06-26 12:59 0 a------- c:\windows\VPC32.INI
2009-06-26 12:57 <DIR> --d----- c:\program files\Symantec
2009-06-26 12:57 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-06-26 12:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-06-26 12:42 132,608 ac------ c:\windows\system32\dllcache\b57xp32.sys
2009-06-26 12:42 132,608 a----r-- c:\windows\system32\drivers\b57xp32.sys
2009-06-26 12:42 <DIR> --d----- c:\program files\Broadcom
2009-06-26 12:42 <DIR> --d----- c:\program files\ATI Technologies
2009-06-26 12:39 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-06-25 18:47 32,592 a------- c:\windows\system32\msonpmon.dll
2009-06-25 18:43 <DIR> --d----- c:\windows\SHELLNEW
2009-06-25 18:42 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-06-25 18:42 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-06-25 18:37 <DIR> --ds---- c:\windows\system32\Microsoft
2009-06-25 15:09 8,192 a------- c:\windows\REGLOCS.OLD
2009-06-25 15:06 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-06-25 15:05 23,392 a------- c:\windows\system32\nscompat.tlb
2009-06-25 15:05 16,832 a------- c:\windows\system32\amcompat.tlb
2009-06-25 15:05 316,640 a------- c:\windows\WMSysPr9.prx
2009-06-25 15:05 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-06-25 15:05 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-06-25 15:05 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-06-25 15:05 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-06-25 15:05 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-06-25 15:04 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-06-25 15:04 <DIR> --d----- c:\program files\common files\MSSoap
2009-06-25 15:02 <DIR> --d----- c:\program files\Online Services
2009-06-25 15:02 <DIR> --d----- c:\program files\Messenger
2009-06-25 15:02 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-06-25 15:02 <DIR> --d----- c:\program files\Windows NT
2009-06-25 10:55 <DIR> --d----- c:\program files\common files\ODBC
2009-06-25 10:55 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-06-25 10:54 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-06-25 19:01 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-06-25 15:03 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-05-01 17:03 129,784 -------- c:\windows\system32\PxAFS.DLL
2009-05-01 17:02 90,112 a------- c:\windows\system32\dpl100.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-05-01 17:02 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-05-01 17:02 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-05-01 17:02 811,008 a------- c:\windows\system32\divx_xx16.dll
2009-05-01 17:02 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-05-01 17:02 685,056 a------- c:\windows\system32\DivX.dll

============= FINISH: 11:11:21.89 ===============

Attached Files
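The DDS log above is the kind of thing a helper reads by eye: a service running under a non-default svchost group, a driver loaded from somewhere other than system32\drivers, a one-byte extensionless file dropped straight into C:\WINDOWS, executables written under a user's Application Data. As an added example (not part of this thread, the DDS tool, or BleepingComputer's procedure), the script below parses the SERVICES / DRIVERS and Created Last 30 sections and turns those eyeball checks into a review list. The list of default XP svchost groups and every rule are assumptions of the example, and the rules are deliberately noisy: Symantec's own drivers trip the driver-location rule just as sfx.sys does, which is why the output is a list of lines to verify (signature, hash, registry key), not a verdict. The sample log is constructed from lines in the post.

```python
"""Triage heuristics for a DDS log's SERVICES / DRIVERS and Created Last 30
sections.  Added example for this thread; it is not part of the DDS tool or
of BleepingComputer's own procedure, and every rule below is an assumption a
helper would still verify by hand (file signature, hash, registry key)."""
import re

# Assumption: svchost groups present on a stock Windows XP SP3 box.  A group
# that is not in this set deserves a look at
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "termsvcs", "httpfilter", "wugroup",
}
WINDIR = "c:\\windows"
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")

# "R?2 sfx;sfx;c:\windows\system32\svchost.exe -k sfx [2008-4-14 14336]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]\s*$")
# "2009-07-07 11:23 1 a------- c:\windows\934fdfg34fgjf23"
CREATED_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>\S{8})\s+(?P<path>\S.*?)\s*$")


def check_service(m):
    """Rules for one SERVICES / DRIVERS line; returns (rule, detail) pairs."""
    path = m["path"].lower()
    hits = []
    grp = re.search(r"svchost\.exe\s+-k\s+(\S+)", path)
    if grp and grp.group(1) not in KNOWN_SVCHOST_GROUPS:
        hits.append(("svchost-group",
                     f"{m['name']}: -k {grp.group(1)} is not a default group"))
    if path.endswith(".sys") and not path.startswith(DRIVER_DIRS):
        hits.append(("driver-outside-system32", f"{m['name']}: {path}"))
    return hits


def check_created(m):
    """Rules for one Created Last 30 line; returns (rule, detail) pairs."""
    path = m["path"].lower()
    head, _, name = path.rpartition("\\")
    hits = []
    # A file (not a directory) dropped directly into %windir% with no extension.
    if m["size"] != "<DIR>" and head == WINDIR and "." not in name:
        hits.append(("windir-noext", f"{path} ({m['size']} bytes)"))
    # Executable code written under a user's Application Data folder.
    if name.endswith((".exe", ".sys", ".dll")) and (
            "\\applic~1\\" in path or "\\application data\\" in path):
        hits.append(("binary-in-appdata", path))
    return hits


def triage(log_text):
    """Walk the log, dispatching each line to the checker for its section."""
    section, findings = None, []
    for line in log_text.splitlines():
        if "SERVICES / DRIVERS" in line:
            section = "services"
            continue
        if "Created Last 30" in line:
            section = "created"
            continue
        if line.startswith("=="):          # any other DDS section header
            section = None
            continue
        if section == "services" and (m := SERVICE_RE.match(line)):
            findings += check_service(m)
        elif section == "created" and (m := CREATED_RE.match(line)):
            findings += check_created(m)
    return findings


# Constructed sample: a handful of lines taken from the log in the post.
SAMPLE = r"""
============= SERVICES / DRIVERS ===============

R?2 sfx;sfx;c:\windows\system32\svchost.exe -k sfx [2008-4-14 14336]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R1 sfxdrv;sfxdrv;c:\program files\sfx\sfx.sys [2009-7-7 9472]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-3-12 1221864]

=============== Created Last 30 ================

2009-07-07 11:23 1 a------- c:\windows\934fdfg34fgjf23
2009-07-07 11:23 <DIR> --d----- c:\program files\sfx
2009-06-30 11:02 87,608 a------- c:\docume~1\bsonnet\applic~1\inst.exe
2009-06-30 11:02 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-06-30 11:02 47,360 a------- c:\docume~1\bsonnet\applic~1\pcouffin.sys
2009-06-29 18:46 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-29 15:12 168 a------- c:\windows\wininit.ini
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE):
        print(f"[{rule}] {detail}")
```

Run against the full log, the script flags the sfx service group, sfx.sys (and, as expected noise, Symantec's savrt.sys), the extensionless c:\windows\934fdfg34fgjf23, and the inst.exe and pcouffin.sys copies under Application Data; it says nothing about mbam.sys or wininit.ini. What to do with each flagged line is the helper's call.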




#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:57 PM

Posted 17 July 2009 - 12:32 PM

Hello bendylson,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 bendylson

bendylson
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Location:Wash DC
  • Local time:06:57 PM

Posted 20 July 2009 - 09:41 AM

Please do not worry about the delay! I appreciate your being able to assist in any way possible. I was on vacation Friday when you responded and am just getting back to the office - sorry for my own delay in that regard.

Since I last posted, I've continued to see problems on the computer - most notably Trojans, high number of processes running and inability to delete certain unwanted files. I've run MBAM and GMER but those either don't find anything or can't repair the items found. Also, since this is a company computer, Symantec AntiVirus is required to be on the computer - but I have a feeling it's a copy that was torrent-downloaded so as to save money and may be the cause of some of the problems. At any rate, I just re-ran HJT and the log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:02 AM, on 7/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: FedEx Desktop.lnk = C:\Program Files\FedEx\FedEx Desktop\FedEx Desktop.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1246300071352
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eastbanc.local
O17 - HKLM\Software\..\Telephony: DomainName = eastbanc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eastbanc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eastbanc.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9f8ec6642e83d) (gupdate1c9f8ec6642e83d) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10181 bytes


Thanks in advance - I look forward to working with you to resolve this problem.

Benjamin
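
An added example (mine, not code from the thread, from HijackThis, ComboFix or Malwarebytes): a small Python triage pass over HijackThis-style O4/O17/O20/O23 lines, the entry types a responder reads first when the complaint is redirected searches that the AV scanner no longer flags. It runs on a constructed sample modelled on the log above; the `[xyzw]` Temp-directory autorun and the `NameServer` line (a documentation-range address) are made up so every rule fires, and the `_SUSPECT_DIRS` list and severity labels are my own choices. It marks entries for a manual check, it does not declare anything malicious.

```python
"""Triage pass over HijackThis-style log lines.

Added example: this is not ComboFix, HijackThis or Malwarebytes code and it
does not decide that anything is malicious. It pulls out the entry types a
responder checks first when the complaint is redirected searches, so the
manual work (hash lookups, vendor confirmation) starts in the right place.
"""
import re

# Constructed sample modelled on the log above. The [xyzw] Temp-directory
# autorun and the NameServer line (192.0.2.x is a documentation range) are
# made up so every rule fires; the other lines mirror entry types in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [xyzw] C:\Documents and Settings\user\Local Settings\Temp\abc.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eastbanc.local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.53,192.0.2.54
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

_O4 = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O17 = re.compile(r"^O17 - (?P<key>.+?): (?P<setting>\w+) = (?P<value>.*)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
_EXE = re.compile(r'\s*"?(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd))"?', re.I)

# User-writable places on XP where a legitimate Run-key autorun rarely lives (my list).
_SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\")


def _exe_path(cmd):
    """Return the executable path from an O4 command, dropping quotes and arguments."""
    m = _EXE.match(cmd)
    return m.group("path") if m else cmd.strip()


def triage(log_text):
    """Return a list of findings, each {'section', 'item', 'severity', 'reason', 'line'}.

    severity 'check' = verify by hand before deciding; 'info' = context only.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O4.match(line):
            path = _exe_path(m.group("cmd"))
            if any(d in path.lower() for d in _SUSPECT_DIRS):
                findings.append({"section": "O4", "item": m.group("name"), "severity": "check",
                                 "reason": "autorun launched from a user-writable directory: " + path,
                                 "line": line})
        elif m := _O17.match(line):
            setting = m.group("setting")
            if setting.lower() in ("nameserver", "dhcpnameserver"):
                # Redirected searches with clean AV scans often come down to DNS; the
                # resolver list must match what the ISP or the domain actually hands out.
                findings.append({"section": "O17", "item": setting, "severity": "check",
                                 "reason": "explicit DNS servers set, confirm they are the expected ones: "
                                           + m.group("value"),
                                 "line": line})
            else:
                findings.append({"section": "O17", "item": setting, "severity": "info",
                                 "reason": "domain/search setting: " + m.group("value"),
                                 "line": line})
        elif m := _O20.match(line):
            # AppInit_DLLs are loaded into every process that loads user32.dll, so any
            # entry is worth confirming against its publisher even when the name looks familiar.
            findings.append({"section": "O20", "item": "AppInit_DLLs", "severity": "check",
                             "reason": "DLL injected into all GUI processes, confirm publisher: "
                                       + m.group("dlls"),
                             "line": line})
        elif m := _O23.match(line):
            if m.group("owner").strip().lower() == "unknown owner":
                findings.append({"section": "O23", "item": m.group("name"), "severity": "check",
                                 "reason": "service without a recognised publisher, verify the binary: "
                                           + m.group("path"),
                                 "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['section']} {f['item']}: {f['reason']}")
```

On the sample this reports one Run-key autorun from a Temp directory, the domain line as context, the explicit DNS servers, the AppInit_DLLs entry and the one service with an unknown owner; everything else (signed vendor services, Program Files autoruns) is left alone. Paste a real log into `triage()` and work the 'check' items first, confirming each binary's publisher and hash before removing anything.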

#4 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 20 July 2009 - 07:11 PM

Hello Benjamin,

What you have would not be found by MBAM; it looks for different things in different places. It is an excellent and top notch program, but it isn't what's needed here. :thumbup2:

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 bendylson (Topic Starter, Members, Wash DC)

Posted 21 July 2009 - 10:08 AM

I have disabled everything, but rtvscan.exe is still an active process and can't be ended manually. Is this ok?

#6 bendylson (Topic Starter, Members, Wash DC)

Posted 21 July 2009 - 02:34 PM

Ran Combofix but it has been stuck at "Rebooting Windows . . . Please wait" for the last hour at least. Any suggestions?

#7 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 21 July 2009 - 04:41 PM

Hello,

If you haven't already, then reboot your computer. The log should be in the ComboFix folder in C:\ComboFix :thumbup2:

tea

#8 bendylson (Topic Starter, Members, Wash DC)

Posted 22 July 2009 - 08:36 AM

Upon rebooting, there was no C:\Combofix folder, but there is a Qoobox folder. There is a Combofix icon, but when I click, it just redirects me to the My Computer page.

Also, Internet Explorer was reinstalled and marked as the Default Web Browser. Also, there are even more processes running now than before: multiple three-lettered ***.exe files, svchosts, searchprotocolhosts, etc...

I feel the computer is worse now than before :-(

#9 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 24 July 2009 - 09:07 PM

Hello,

Please post the contents of the Qoobox quarantine so I can see what ComboFix did. :thumbup2:

Thanks,
tea

#10 bendylson (Topic Starter, Members, Wash DC)

Posted 31 July 2009 - 09:34 AM

Sorry - I never realized you had replied!!

The .txt file in the Qoobox folder is empty, but there are several files:

"inst.exe.vir" from 2 different locations

"Legacy_SFX.reg.dat"
"Legacy_SFXDRV.reg.dat"
"Service_drv.reg.dat"
"Service_sfx.reg.dat"
"Service_sfxdrv.reg.dat"
"tcpip.reg"


The reason I logged back in was because I was going to ask for further assistance. Anti-Virus System Pro is back and pop-ups are filling my screen. I cannot use MBAM, or any other program. I am going to send this reply and reboot because I can't see the screen with all of the pop-ups, and I do not want to click on any of them, as I know that will only make it worse.

#11 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 01 August 2009 - 06:12 AM

Hello,

Have you tried to run ComboFix any more? If not, please delete the copy you have now and download another:

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If it still won't run, then please do the following:

Please navigate to the download page of Avira AntiRootkit and click on Download to save it to your Destop.
  • You should now find a file called: antivir_rootkit.zip on your Desktop.
  • Extract the file to your Desktop (you may then delete the zip file).
  • You should now have a folder with Setup.exe and some other files within it on your Desktop.
  • Double-click Setup.exe.
  • Click Next.
  • Highlight the radio button to accept the license agreement and then click Next.
  • Then click Next and Install to finalise the installation process.
  • Click Finish (you may now also delete the folder with the extracted files from the zip archive)
You successfully installed Avira AntiRootkit!
  • Please now navigate to Start > All Programs > Avira RootKit Detection. Then select: Avira RootKit Detection
  • Click OK when a message window pops up
  • Click Start scan and let it run
  • Click View report and copy the entire contents into your next reply.
Thanks,
tea

#12 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 25 August 2009 - 08:49 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



