
Malwarebytes won't start, Ad-Aware quits a few seconds into scan, yellow box bottom right corner says anti virus turned off, multiple web site popups


1 reply to this topic

#1 mountain_angel

mountain_angel

  • Members
  • 2 posts
  • OFFLINE
  • Local time:05:56 PM

Posted 23 September 2009 - 05:58 PM

First of all, thank you very much for the help you provide for free. Not many people would do this type of work for free and it is greatly appreciated. I am having multiple problems and I am unsure if they are related or not. The first thing I noticed was a very slowly running internet. So I go to scan with MalWare Bytes and Norton to check for problems. Norton finds nothing, malware won't open at all. Not even from the main folder.
So I download Adaware to see if it finds anything. It will run about 6 seconds and then shuts down.
I try safe mode to no avail. The first time I try safe mode I get a win32 error that says a file is missing. The second time it does start in safe mode. Malware still won't open, Adaware won't run more than a few seconds.
I also noticed, maybe 3 or 4 times, a yellow box in the bottom right corner pop up telling me something to the effect that my anti virus is disabled. I did not write down the exact message but will next time I see it.
A few times, a new internet explorer window would open, one with a "media2." something address, the other was an ad site for a malware/virus scanner they want you to buy. Again, if it pops up again I will get exact info.
I do run Norton and malware fairly frequently and have the built in firewall on. But we do download quite a bit, mainly music.
Attach and ARK txt files attached as requested.

DDS.txt log

DDS (Ver_09-07-30.01) - NTFSx86
Run by Compaq_Owner at 18:22:08.31 on Wed 09/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2039.1410 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Compaq_Owner.RASCAL\Local Settings\Temporary Internet Files\Content.IE5\A0EKIAM2\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [A00F32FA1C.exe] c:\docume~1\compaq~1.ras\locals~1\temp\_A00F32FA1C.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: 1053f4a5670 - c:\windows\system32\dpcdll32.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: __c00458C1 - c:\windows\system32\__c00458C1.dat
AppInit_DLLs: c:\windows\system32\dpcdll32.dll
SEH: {FA010552-4A27-4cb1-A1BB-3E2D697F1639} - No File

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-9-23 64160]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1028432]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\naveng.sys [2009-9-18 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090918.003\navex15.sys [2009-9-18 1323568]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]

=============== Created Last 30 ================

2009-09-23 17:51 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-23 17:51 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-23 17:51 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-23 17:34 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-09-23 17:31 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-23 17:30 <DIR> --d----- c:\program files\Lavasoft
2009-09-23 07:31 27,648 a------- c:\windows\system32\__c00458C1.dat
2009-09-22 19:38 17,851 a------- c:\windows\GnuHashes.ini
2009-09-22 19:30 1,283 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-09-22 19:30 <DIR> --dsh--- c:\windows\system32\LocalService
2009-09-22 19:30 523,264 a--sh--- c:\windows\system32\3F.tmp
2009-09-22 19:30 123,904 a------- c:\windows\system32\dpcdll32.dll
2009-09-22 14:26 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-22 14:26 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-13 18:21 <DIR> --d--r-- c:\docume~1\compaq~1.ras\applic~1\Brother
2009-09-13 13:05 <DIR> --d----- C:\FAST_AND_FURIOUS
2009-09-10 17:03 30,592 a---h--- c:\windows\system32\mlfcache.dat
2009-09-06 11:42 <DIR> --d----- c:\program files\RingJone
2009-09-01 20:31 <DIR> --d----- c:\docume~1\compaq~1.ras\applic~1\Blackberry Desktop
2009-09-01 18:54 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-31 20:22 256 a------- c:\windows\system32\pool.bin
2009-08-31 20:00 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-08-31 19:20 526 a------- c:\windows\system32\__c00FE70A.exe
2009-08-31 17:45 526 a------- c:\windows\system32\__c001423D.exe
2009-08-31 17:43 526 a------- c:\windows\system32\__c0029D71.exe
2009-08-31 17:37 526 a------- c:\windows\system32\__c0091F0B.exe
2009-08-31 17:33 526 a------- c:\windows\system32\__c00A7A3E.exe
2009-08-31 17:31 526 a------- c:\windows\system32\__c00BD571.exe
2009-08-30 20:10 526 a------- c:\windows\system32\__c00D30A4.exe
2009-08-30 10:11 0 a------- c:\windows\system32\1F.tmp
2009-08-29 20:00 615 a------- c:\windows\system32\8BIcEAXptv5wH.vbs
2009-08-29 19:59 615 a------- c:\windows\system32\7VYNc96.vbs

==================== Find3M ====================

2009-09-09 15:40 150 a------- c:\docume~1\compaq~1.ras\applic~1\wklnhst.dat
2009-08-19 16:10 33,688 a------- c:\docume~1\compaq~1.ras\applic~1\GDIPFONTCACHEV1.DAT
2009-08-10 20:15 1,864 a--shr-- c:\windows\system32\drivers\103C_HP_CPC_PX787AA-ABA SR1503WM NA530_YC_0Pres_QCNH524_E53NAheRED2_47_IGuppy_SASUSTek Computer INC._V1.03_B3.08_T050509_WXH2_L409_M1272_J80_7Intel_8Celeron_92.93_#050925_N10EC8139_Z11C1048C_G80862562.MRK
2009-08-10 09:47 10,145 a------- c:\windows\osade.exe
2009-08-10 09:47 16,721 a------- c:\docume~1\alluse~1\applic~1\olabimy.bin
2009-08-10 09:47 13,184 a------- c:\program files\common files\igimilip._sy
2009-08-10 09:47 10,755 a------- c:\program files\common files\hohegyvih.reg
2009-08-10 09:47 10,612 a------- c:\program files\common files\ihysik.sys
2009-08-10 06:44 19,661 a------- c:\windows\nugisitigo.bin
2009-08-10 06:44 10,600 a------- c:\program files\common files\lilojo.dll
2009-08-10 06:44 10,417 a------- c:\program files\common files\ufemigon.scr
2009-08-09 23:07 19,924 a------- c:\windows\eweneja.bat
2009-08-09 23:07 18,530 a------- c:\program files\common files\takitybod.sys
2009-08-09 23:07 14,676 a------- c:\docume~1\alluse~1\applic~1\epexumazus.vbs
2009-08-09 23:07 13,826 a------- c:\program files\common files\novefazow.lib
2009-08-09 23:07 13,315 a------- c:\windows\pagefy.dll
2009-08-09 23:07 11,326 a------- c:\program files\common files\huqyva.dl
2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 05:11 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 00:53 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
2009-07-29 00:53 82,432 a------- c:\windows\system32\dllcache\fontsub.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\dllcache\atl.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 09:42 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 13:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 13:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe

============= FINISH: 18:24:40.90 ===============

These are 3 of the recent popups I have gotten.

hxxp://best-scanpc.net/win/?code=934

hxxp://www.pcsecurityshield.com/lp/shield-deluxe-27.aspx?trk=WTK&affid=508

hxxp://media2.tmlatn.com/images/defaults41/approved/404.html

Merged posts and deactivated links. ~ OB


Edited by Orange Blossom, 23 September 2009 - 10:37 PM.
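Added example (not from this thread, from DDS, or from any BleepingComputer tool): a small Python triage script that reads lines in the "Pseudo HJT Report" and "Created Last 30" formats of the DDS log above and flags the patterns a removal helper looks for when reading such a log: an AppInit_DLLs entry, a Winlogon Notify package that is not a .dll, an autorun entry executing from a temp directory, hooks whose target file is gone, one file wired into more than one persistence mechanism, new hidden+system files in system32, and a burst of same-size files dropped into one directory. The rules, the threshold, and the attribute-flag interpretation are assumptions chosen for illustration, not a definitive rule set; the sample lines are copied from the log above with their backslashes restored.

```python
"""DDS-log triage heuristics (added example; not from the thread, DDS, or any
BleepingComputer tool).  Rules and thresholds are illustrative assumptions."""
import re
from collections import defaultdict

# "kind: body" lines from the Pseudo HJT Report (uRun, mRun, Notify, AppInit_DLLs, ...).
HJT_LINE = re.compile(r"^(?P<kind>[A-Za-z_]+):\s*(?P<body>.*)$")
# "date time size attrs path" lines from Created Last 30 / Find3M.
CREATED_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
# First drive-letter path in a body; stops at a quote or at a " -x" / " /x" argument.
DRIVE_PATH = re.compile(r'([a-z]:\\[^\s"]+(?: (?![-/])[^\s"]+)*)', re.IGNORECASE)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def extract_path(body):
    """Return the first drive-letter path in an HJT entry, lower-cased, or None."""
    m = DRIVE_PATH.search(body)
    return m.group(1).lower() if m else None


def triage_hjt(lines):
    """Return (code, subject, reason) findings for Pseudo HJT Report lines."""
    findings = []
    hooks_by_path = defaultdict(set)  # path -> hook kinds that reference it
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body").strip()
        path = extract_path(body)
        if path:
            hooks_by_path[path].add(kind)
        if kind == "AppInit_DLLs" and body:
            findings.append(("appinit", path or body,
                             "AppInit_DLLs loads this DLL into every process that loads user32.dll"))
        elif kind == "Notify" and path and not path.endswith(".dll"):
            findings.append(("notify-nondll", path,
                             "Winlogon notification package is not a .dll"))
        elif kind in ("uRun", "mRun") and path and any(t in path for t in TEMP_MARKERS):
            findings.append(("run-from-temp", path,
                             "autorun entry executes from a temporary directory"))
        elif body.endswith("No File"):
            findings.append(("orphan", body,
                             "hook points at a file that no longer exists"))
    for path, kinds in hooks_by_path.items():
        if len(kinds) > 1:  # one file wired into several persistence mechanisms
            findings.append(("multi-hook", path,
                             "same file registered under " + ", ".join(sorted(kinds))))
    return findings


def triage_created(lines, min_burst=3):
    """Flag same-size file bursts in one directory and new hidden+system files in system32."""
    findings = []
    bursts = defaultdict(list)  # (directory, size, extension) -> paths
    for line in lines:
        m = CREATED_LINE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        path = m.group("path").lower()
        directory, _, name = path.rpartition("\\")
        bursts[(directory, m.group("size"), name.rpartition(".")[2])].append(path)
        attrs = m.group("attrs")  # assumption: 's' = system, 'h' = hidden, as in DDS output
        if "s" in attrs and "h" in attrs and "\\system32\\" in path:
            findings.append(("hidden-system", path, "new hidden+system file in system32"))
    for (directory, size, ext), paths in bursts.items():
        if len(paths) >= min_burst:
            findings.append(("size-burst", directory,
                             f"{len(paths)} new .{ext} files of exactly {size} bytes"))
    return findings


# Sample input: lines copied from the DDS log above (backslashes restored).
SAMPLE_HJT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [A00F32FA1C.exe] c:\docume~1\compaq~1.ras\locals~1\temp\_A00F32FA1C.exe
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Notify: 1053f4a5670 - c:\windows\system32\dpcdll32.dll
Notify: igfxcui - igfxsrvc.dll
Notify: __c00458C1 - c:\windows\system32\__c00458C1.dat
AppInit_DLLs: c:\windows\system32\dpcdll32.dll
""".strip().splitlines()

SAMPLE_CREATED = r"""
2009-09-23 07:31 27,648 a------- c:\windows\system32\__c00458C1.dat
2009-09-22 19:30 1,283 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-09-22 19:30 <DIR> --dsh--- c:\windows\system32\LocalService
2009-09-22 19:30 523,264 a--sh--- c:\windows\system32\3F.tmp
2009-08-31 20:00 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-08-31 19:20 526 a------- c:\windows\system32\__c00FE70A.exe
2009-08-31 17:45 526 a------- c:\windows\system32\__c001423D.exe
2009-08-31 17:43 526 a------- c:\windows\system32\__c0029D71.exe
""".strip().splitlines()

if __name__ == "__main__":
    for code, subject, reason in triage_hjt(SAMPLE_HJT) + triage_created(SAMPLE_CREATED):
        print(f"[{code:13}] {subject}  <- {reason}")
```

Run against the sample above it reports the temp-folder autorun, the orphaned toolbar entry, the `.dat` Notify package, the AppInit_DLLs entry, the fact that dpcdll32.dll is registered under both Notify and AppInit_DLLs, the two hidden+system files, and the run of 526-byte `.exe` files in system32. None of these checks proves infection on its own; they rank which log lines deserve a closer look first.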



#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:56 PM

Posted 10 October 2009 - 10:22 AM

Hello mountain_angel

Welcome to BleepingComputer :(
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



