
Infected with false Spyware Warning malware


  • This topic is locked
43 replies to this topic

#1 Coastwizard

Coastwizard

  • Members
  • 35 posts
  • Gender:Male

Posted 23 October 2009 - 08:31 PM

My computer is infected with a virus or spyware program that no anti-virus or anti-spyware program seems to be able to remove or detect. First a message box comes up that is titled: Message from Webpage. Then it says, Warning!!! Your system requires immediate anti-viruses scan! Total Security can perform fast and free virus and malicious software scan of your computer.

This is followed by a page that pretends to be scanning my computer. The heading says, "My computer Scanner - Microsoft Internet Explorer". It tells me, "Your private data is under attack!" "Your Computer is Infected!" and then goes on to pretend my computer is infected with 97 trojans, etc.

I have tried Ad-AwareAE, Spybot, Spyware Doctor, Malwarebytes Anti-Malware, WebrootSecurity (Trial), Avira-antivir, and Spyware Terminator. None of them have been able to locate and remove this virus.

PLEASE NOTE: I WAS UNABLE TO CREATE A ROOTREPEAL REPORT. EVERY TIME I CLICK ON "REPORT" "SCAN" I GET AN ERROR: "COULD NOT INITIALIZE DRIVER. PLEASE CONTACT THE AUTHOR."

HERE IS MY DDS.TXT FILE.

DDS (Ver_09-10-13.01) - NTFSx86
Run by Randy at 18:39:59.51 on Fri 10/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.128 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}

============== Running Processes ===============

F:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
F:\WINDOWS\system32\svchost -k DcomLaunch
F:\WINDOWS\system32\svchost -k rpcss
F:\WINDOWS\System32\svchost.exe -k netsvcs
F:\WINDOWS\system32\svchost.exe -k NetworkService
F:\WINDOWS\system32\svchost.exe -k LocalService
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\RTHDCPL.EXE
C:\USBStorage\USBDetector.exe
F:\WINDOWS\system32\igfxtray.exe
F:\WINDOWS\system32\igfxpers.exe
F:\Program Files\Search Settings\SearchSettings.exe
F:\Program Files\QuickTime\qttask.exe
F:\WINDOWS\system32\svchost.exe -k LocalService
F:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\system32\ntvdm.exe
F:\Program Files\PhotoFiltre\PhotoFiltre.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
F:\WINDOWS\system32\wbem\wmiprvse.exe
F:\Program Files\Spyware Doctor\TFEngine\TFService.exe
F:\WINDOWS\System32\alg.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\PROGRA~1\Webroot\WEBROO~1\Cleanup\WASHEN~1.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Outlook Express\msimn.exe
F:\Program Files\Spyware Doctor\pctsAuxs.exe
F:\Program Files\Spyware Doctor\pctsSvc.exe
F:\Program Files\Spyware Doctor\pctsTray.exe
F:\Documents and Settings\Randy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/advanced_search?hl=en
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.alltheweb.com/advanced?advanced=1&&q=
uWindow Title = Microsoft Internet Explorer
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - f:\program files\search settings\kb128\SearchSettings.dll
BHO: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - f:\program files\dealio toolbar\DealioToolbarIE.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - f:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - f:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {9F8D6D43-987F-4B45-9823-7371731F0598} - No File
BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - f:\program files\search settings\kb128\SearchSettings.dll
TB: Dealio Toolbar: {01398b87-61af-4ffb-9ab5-1a1c5fb39a9c} - f:\program files\dealio toolbar\DealioToolbarIE.dll
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [Uniblue SpeedUpMyPC] "f:\program files\uniblue\speedupmypc 3\SpeedUpMyPC.exe" -s
uRun: [ctfmon.exe] "f:\windows\system32\ctfmon.exe"
uRun: [Uniblue RegistryBooster 2009] f:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [Microsoft Works Update Detection] f:\program files\microsoft works\WkDetect.exe
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [High Definition Audio Property Page Shortcut] "HDAShCut.exe"
mRun: [USBDetector] "c:\usbstorage\USBDetector.exe"
mRun: [igfxtray] "f:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "f:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "f:\windows\system32\igfxpers.exe"
mRun: [SearchSettings] "f:\program files\search settings\SearchSettings.exe"
mRun: [QuickTime Task] "f:\program files\quicktime\qttask.exe" -atboottime
mRun: [SpySweeper] "f:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
mRun: [ISTray] "f:\program files\spyware doctor\pctsTray.exe"
StartupFolder: f:\docume~1\randy\startm~1\programs\startup\iexplore.lnk - f:\program files\internet explorer\iexplore.exe
StartupFolder: f:\docume~1\randy\startm~1\programs\startup\msimn.lnk - c:\program files\outlook express\msimn.exe
StartupFolder: f:\docume~1\randy\startm~1\programs\startup\shortc~1.lnk - c:\amipro\AMIPRO.EXE
StartupFolder: f:\docume~1\randy\startm~1\programs\startup\shortc~2.lnk - f:\program files\photofiltre\PhotoFiltre.exe
StartupFolder: f:\docume~1\randy\startm~1\programs\startup\window~1.lnk - f:\windows\explorer.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - f:\program files\java\jre1.6.0_07\bin\ssv.dll
LSP: f:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: west.com
Trusted Zone: westathome.com
Trusted Zone: westathome.net
Trusted Zone: westathome.net\www
Trusted Zone: workathomeagent.net
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://www.charter.net/files/charter/securitysuite/fscax.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxp://livenj02.custhelp.com/8102-b424h/rnl/java/RntX.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - f:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
Notify: opnkkjh - opnkkjh.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;f:\windows\system32\drivers\PCTCore.sys [2009-7-27 206256]
R0 ssfs0bbc;ssfs0bbc;f:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R0 TfFsMon;TfFsMon;f:\windows\system32\drivers\TfFsMon.sys [2009-7-28 51488]
R0 TfSysMon;TfSysMon;f:\windows\system32\drivers\TfSysMon.sys [2009-7-28 39200]
R1 pctgntdi;pctgntdi;f:\windows\system32\drivers\pctgntdi.sys [2009-7-27 159600]
R1 prcmondrv;prcmondrv;f:\windows\system32\drivers\prcmondrv1041.sys [2007-8-21 18432]
R1 pwipf6;pwipf6;f:\windows\system32\drivers\pwipf6.sys [2009-10-23 108296]
R2 sdAuxService;PC Tools Auxiliary Service;f:\program files\spyware doctor\pctsAuxs.exe [2009-7-27 348752]
R3 pctplsg;pctplsg;f:\windows\system32\drivers\pctplsg.sys [2009-7-27 64392]
R3 TfNetMon;TfNetMon;f:\windows\system32\drivers\TfNetMon.sys [2009-7-28 33056]
R3 ThreatFire;ThreatFire;f:\program files\spyware doctor\tfengine\tfservice.exe service --> f:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 BW2NDIS5;BW2NDIS5; [x]
S3 getPlus® Helper;getPlus® Helper;f:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-13 31592]
S3 scsiscan;SCSI Scanner Driver;f:\windows\system32\drivers\scsiscan.sys [2007-6-30 11520]
S3 Slnt7554;USB Soft Modem Driver;f:\windows\system32\drivers\slnt7554.sys [2007-3-3 129535]

=============== Created Last 30 ================

2009-10-23 16:58 <DIR> --d----- f:\program files\Trend Micro
2009-10-23 13:58 <DIR> --d----- f:\program files\MSSOAP
2009-10-23 13:58 108,296 a------- f:\windows\system32\drivers\pwipf6.sys
2009-10-23 13:57 1,563,008 a------- f:\windows\WRSetup.dll
2009-10-23 13:56 <DIR> --d----- f:\docume~1\randy\applic~1\Webroot
2009-10-23 13:56 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Webroot
2009-10-23 13:56 <DIR> --d----- f:\program files\Webroot
2009-10-23 13:56 164 a------- f:\windows\install.dat
2009-10-23 11:37 54,156 a---h--- f:\windows\QTFont.qfn
2009-10-23 11:37 1,409 a------- f:\windows\QTFont.for

==================== Find3M ====================

2009-09-20 15:43 81,736 a------- f:\windows\system32\lmdimon8.dll
2009-09-11 09:18 136,192 a------- f:\windows\system32\msv1_0.dll
2009-09-04 16:03 58,880 a------- f:\windows\system32\msasn1.dll
2009-09-01 07:35 206,256 a------- f:\windows\system32\drivers\PCTCore.sys
2009-09-01 07:35 7,396 a------- f:\windows\system32\drivers\pctcore.cat
2009-08-29 03:08 916,480 a------- f:\windows\system32\wininet.dll
2009-08-26 03:00 247,326 a------- f:\windows\system32\strmdll.dll
2009-08-20 15:09 1,193,832 a------- f:\windows\system32\FM20.DLL
2009-08-06 19:23 274,288 a------- f:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- f:\windows\system32\muweb.dll
2009-08-05 04:01 204,800 a------- f:\windows\system32\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- f:\windows\system32\ntoskrnl.exe
2009-08-04 09:20 2,066,048 a------- f:\windows\system32\ntkrnlpa.exe
2009-08-02 07:37 162,348 a------- f:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-07-30 10:22 173,344 a------- f:\docume~1\randy\applic~1\GDIPFONTCACHEV1.DAT
2009-03-26 19:34 9,810,664 a------- f:\program files\FLV PlayerRCATSetup.exe

============= FINISH: 18:42:57.90 ===============
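Reading a DDS "Pseudo HJT Report" by hand is error-prone, so here is an added example, not part of this thread and not code from the DDS tool, that parses the entry types seen in the log above (BHO/TB, uRun/mRun, Trusted Zone, Notify) and turns them into prioritised review items. The allowlist of Winlogon Notify DLL names and the list of "usual" program directories are my own illustrative assumptions and produce review prompts, not verdicts; the sample lines are copied from the log above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str      # short category used for counting
    detail: str    # human-readable explanation


# Constructed, deliberately incomplete allowlist (lowercase) of Winlogon Notify
# DLL names expected on a stock Windows XP box; anything not listed is flagged
# for a human to look at, not declared malicious.
KNOWN_NOTIFY_DLLS = {
    "igfxdev.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
    "sclgntfy.dll", "wlnotify.dll",
}

# Directories under which an autostart is treated as ordinary (assumption).
USUAL_RUN_DIRS = ("\\windows\\", "\\program files\\", "\\progra~1\\")

_BHO_RE = re.compile(
    r"^(?P<type>BHO|TB): (?:(?P<name>.*?): )?(?P<clsid>\{[0-9a-fA-F-]+\})\s+-\s+(?P<target>.*)$"
)
_NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>\S+)$")
_TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)$")
_RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


def command_path(cmd: str) -> str:
    """Extract the executable from a Run value: quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str) -> list[Finding]:
    """Walk the Pseudo HJT lines and return review items, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _BHO_RE.match(line):
            # A BHO/toolbar CLSID with no backing file is leftover registration.
            if m["target"].strip().lower() == "no file":
                findings.append(Finding("low", "orphan",
                                        f"{m['type']} {m['clsid']} points at a missing file"))
        elif m := _NOTIFY_RE.match(line):
            # Winlogon Notify DLLs load into winlogon.exe at logon, so an
            # unrecognised one goes to the top of the review list.
            if m["dll"].lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("high", "notify-dll",
                                        f"Winlogon Notify '{m['name']}' loads unrecognised {m['dll']}"))
        elif m := _TRUSTED_RE.match(line):
            # Trusted-zone sites run with relaxed IE security; always list them.
            findings.append(Finding("medium", "trusted-zone",
                                    f"{m['domain']} is in the IE Trusted sites zone"))
        elif m := _RUN_RE.match(line):
            path = command_path(m["cmd"]).lower()
            if not any(d in path for d in USUAL_RUN_DIRS):
                scope = "per-user" if m["hive"] == "u" else "machine-wide"
                findings.append(Finding("low", "run-location",
                                        f"{scope} Run [{m['name']}] starts {path!r} outside the usual program directories"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample: lines copied from the DDS Pseudo HJT Report posted above.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
uRun: [ctfmon.exe] "f:\windows\system32\ctfmon.exe"
mRun: [USBDetector] "c:\usbstorage\USBDetector.exe"
mRun: [RTHDCPL] "RTHDCPL.EXE"
Trusted Zone: west.com
Trusted Zone: workathomeagent.net
Notify: igfxcui - igfxdev.dll
Notify: opnkkjh - opnkkjh.dll
"""

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.kind:13} {f.detail}")
```

On the sample the only "high" item is the Notify entry with the random-looking DLL name, which is exactly the line a helper would ask about first; the orphaned CLSIDs and the two autostarts outside the program directories are listed as low-priority housekeeping, and the Trusted Zone domains are surfaced so the user can confirm they were added deliberately.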


#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male

Posted 23 October 2009 - 09:22 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Webroot or Spyware Doc.

==========

The following is referring to Uniblue Registry Booster.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix", and it is up to the user, so just take this as a recommendation from my side.

==========

:( P2P Warning :(

Your log indicates that you have Limewire installed.

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

- They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

- Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

- The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall Limewire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel>> Add / Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the message]

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

With your next post please provide:

* Combofix.txt

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Coastwizard

Coastwizard
  • Topic Starter

  • Members
  • 35 posts
  • Gender:Male

Posted 24 October 2009 - 05:38 AM

Here is my ComboFix log file as requested. Thanks in advance for your help!

ComboFix 09-10-22.01 - Randy 10/24/2009 0:34.1.1 - NTFSx86
Running from: f:\documents and settings\Randy\Desktop\thcbytes.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Webroot Internet Security Essentials *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
FW: Webroot Internet Security Essentials *disabled* {63671000-11A2-46DD-BADD-A084CABCDEAE}
.
ADS - system32: deleted 206 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\program files\Dealio Toolbar
f:\program files\Dealio Toolbar\config.ini
f:\program files\Dealio Toolbar\DealioToolbarIE.dll
f:\program files\Dealio Toolbar\Res\amazon.gif
f:\program files\Dealio Toolbar\Res\apple.gif
f:\program files\Dealio Toolbar\Res\barnes.gif
f:\program files\Dealio Toolbar\Res\bestbuy.gif
f:\program files\Dealio Toolbar\Res\dealio_logo.gif
f:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
f:\program files\Dealio Toolbar\Res\ebay.gif
f:\program files\Dealio Toolbar\Res\icon_settings.gif
f:\program files\Dealio Toolbar\Res\macys.gif
f:\program files\Dealio Toolbar\Res\newegg.gif
f:\program files\Dealio Toolbar\Res\overstock.gif
f:\program files\Dealio Toolbar\Res\search-button-hover.gif
f:\program files\Dealio Toolbar\Res\search-button.gif
f:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
f:\program files\Dealio Toolbar\Res\search-chevron.gif
f:\program files\Dealio Toolbar\Res\search_amazon.gif
f:\program files\Dealio Toolbar\Res\search_dealio.gif
f:\program files\Dealio Toolbar\Res\search_ebay.gif
f:\program files\Dealio Toolbar\Res\search_yahoo.gif
f:\program files\Dealio Toolbar\Res\separator.gif
f:\program files\Dealio Toolbar\Res\target.gif
f:\program files\Dealio Toolbar\Res\walmart.gif
f:\program files\Dealio Toolbar\Res\widgets.xml
f:\program files\Dealio Toolbar\SearchSettingsKit.exe
f:\program files\Dealio Toolbar\WidgiHelper.exe
f:\program files\Internet Explorer\msimg32.dll
f:\program files\Search Settings
f:\program files\Search Settings\kb128\SeARchsettings.dll
f:\program files\Search Settings\kb128\SearchSettingsRes409.dll
f:\program files\Search Settings\SearchSettings.exe
f:\recycler\NPROTECT
f:\windows\system32\drivers\etc\lmhosts
f:\windows\system32\eventmgr.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-24 to 2009-10-24 )))))))))))))))))))))))))))))))
.

2009-10-24 02:06 . 2009-10-24 02:06 0 ----a-w- f:\windows\nsreg.dat
2009-10-24 02:06 . 2009-10-24 02:06 -------- d-----w- f:\documents and settings\Randy\Local Settings\Application Data\Mozilla
2009-10-24 01:18 . 2009-10-24 01:18 -------- d-----w- f:\documents and settings\Randy\Local Settings\Application Data\Runscanner.net
2009-10-23 21:58 . 2009-10-23 21:58 -------- d-----w- f:\program files\Trend Micro
2009-10-23 18:58 . 2009-10-23 18:58 -------- d-----w- f:\program files\MSSOAP
2009-10-23 18:56 . 2009-10-24 05:16 -------- d-----w- f:\documents and settings\Randy\Application Data\Webroot
2009-10-23 18:56 . 2009-10-23 18:56 -------- d-----w- f:\program files\Webroot
2009-10-23 18:56 . 2009-10-23 18:56 164 ----a-w- f:\windows\install.dat
2009-09-29 02:48 . 2009-10-21 02:23 466328 ----a-w- f:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 05:29 . 2008-12-22 03:34 -------- d---a-w- f:\documents and settings\All Users\Application Data\TEMP
2009-10-24 05:29 . 2009-07-27 19:15 -------- d-----w- f:\program files\Spyware Doctor
2009-10-24 04:50 . 2007-03-05 03:06 -------- d-----w- f:\program files\LimeWire
2009-10-16 14:32 . 2009-08-06 14:14 -------- d-----w- f:\program files\CodeStuff
2009-10-05 11:57 . 2009-09-15 23:04 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft
2009-09-25 13:08 . 2009-06-25 18:38 -------- d-----w- f:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-25 13:07 . 2009-09-04 08:56 -------- d-----w- f:\program files\Spybot - Search & Destroy
2009-09-20 20:43 . 2009-01-03 05:28 81736 ----a-w- f:\windows\system32\lmdimon8.dll
2009-09-16 22:38 . 2009-05-17 21:28 -------- d-----w- f:\program files\Replay Video Capture
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- f:\windows\system32\msv1_0.dll
2009-09-10 04:28 . 2009-03-27 23:11 -------- d-----w- f:\program files\Microsoft Silverlight
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- f:\windows\system32\msasn1.dll
2009-09-01 12:35 . 2009-09-01 12:35 7396 ----a-w- f:\windows\system32\drivers\pctcore.cat
2009-09-01 12:35 . 2009-07-27 19:15 206256 ----a-w- f:\windows\system32\drivers\PCTCore.sys
2009-08-29 08:08 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- f:\windows\system32\strmdll.dll
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- f:\windows\system32\FM20.DLL
2009-08-07 00:24 . 2007-03-04 00:23 327896 ----a-w- f:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2007-03-04 00:23 209632 ----a-w- f:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2007-03-04 00:23 35552 ----a-w- f:\windows\system32\wups.dll
2009-08-07 00:24 . 2005-05-26 11:16 44768 ----a-w- f:\windows\system32\wups2.dll
2009-08-07 00:24 . 2007-03-04 00:23 53472 ----a-w- f:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2006-02-28 12:00 96480 ----a-w- f:\windows\system32\cdm.dll
2009-08-07 00:23 . 2007-03-04 00:23 575704 ----a-w- f:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2009-03-28 03:05 215920 ----a-w- f:\windows\system32\muweb.dll
2009-08-07 00:23 . 2009-03-28 03:05 274288 ----a-w- f:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2007-03-04 00:23 1929952 ----a-w- f:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- f:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 2006-02-28 12:00 2189184 ----a-w- f:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2066048 ----a-w- f:\windows\system32\ntkrnlpa.exe
2009-03-27 00:34 . 2009-03-27 00:33 9810664 ----a-w- f:\program files\FLV PlayerRCATSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue SpeedUpMyPC"="f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2008-04-02 9442584]
"Uniblue RegistryBooster 2009"="f:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [2008-08-26 2019624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USBDetector"="c:\usbstorage\USBDetector.exe" [2003-04-01 53248]
"igfxtray"="f:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="f:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="f:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"QuickTime Task"="f:\program files\QuickTime\qttask.exe" [2007-03-04 282624]
"RTHDCPL"="RTHDCPL.EXE" - f:\windows\RTHDCPL.EXE [2005-06-29 14720000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - f:\windows\system32\HdAShCut.exe [2005-01-08 61952]

f:\documents and settings\Randy\Start Menu\Programs\Startup\
iexplore.lnk - f:\program files\Internet Explorer\iexplore.exe [2007-3-3 638816]
msimn.lnk - c:\program files\Outlook Express\msimn.exe [2007-3-2 60416]
Shortcut to AMIPRO.lnk - c:\amipro\AMIPRO.EXE [2007-3-3 1305664]
Shortcut to PhotoFiltre.lnk - f:\program files\PhotoFiltre\PhotoFiltre.exe [2007-1-7 2720768]
Windows Explorer.lnk - f:\windows\explorer.exe [2006-2-28 1033728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 99 (0x63)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
backup=f:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=f:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]
backup=f:\windows\pss\Office Startup.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"f:\\Program Files\\Messenger\\msmsgs.exe"=
"f:\\WINDOWS\\system32\\mshta.exe"=
"f:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"f:\\WINDOWS\\system32\\dplaysvr.exe"=
"f:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"f:\\Program Files\\MSN Messenger\\livecall.exe"=
"f:\\Program Files\\Spyware Doctor\\pctsGui.exe"=
"f:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 PCTCore;PCTools KDS;f:\windows\system32\drivers\PCTCore.sys [7/27/2009 2:15 PM 206256]
R0 TfFsMon;TfFsMon;f:\windows\system32\drivers\TfFsMon.sys [7/28/2009 12:14 PM 51488]
R0 TfSysMon;TfSysMon;f:\windows\system32\drivers\TfSysMon.sys [7/28/2009 12:14 PM 39200]
R1 pctgntdi;pctgntdi;f:\windows\system32\drivers\pctgntdi.sys [7/27/2009 2:16 PM 159600]
R1 prcmondrv;prcmondrv;f:\windows\system32\drivers\prcmondrv1041.sys [8/21/2007 6:38 AM 18432]
R3 TfNetMon;TfNetMon;f:\windows\system32\drivers\TfNetMon.sys [7/28/2009 12:14 PM 33056]
S2 WRConsumerService;Webroot Client Service;"f:\program files\Webroot\WebrootSecurity\WRConsumerService.exe" --> f:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [?]
S3 BW2NDIS5;BW2NDIS5; [x]
S3 pctplsg;pctplsg;f:\windows\system32\drivers\pctplsg.sys [7/27/2009 2:15 PM 64392]
S3 scsiscan;SCSI Scanner Driver;f:\windows\system32\drivers\scsiscan.sys [6/30/2007 8:54 PM 11520]
S3 sdAuxService;PC Tools Auxiliary Service;f:\program files\Spyware Doctor\pctsAuxs.exe [7/27/2009 2:15 PM 348752]
S3 Slnt7554;USB Soft Modem Driver;f:\windows\system32\drivers\slnt7554.sys [3/3/2007 9:26 PM 129535]
S3 ThreatFire;ThreatFire;f:\program files\Spyware Doctor\TFEngine\TFService.exe service --> f:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 f:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-06-21 14:50]

2007-10-19 f:\windows\Tasks\Uniblue SpeedUpMyPC.job
- f:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-06-21 14:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
LSP: f:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: west.com
Trusted Zone: westathome.com
Trusted Zone: westathome.net
Trusted Zone: westathome.net\www
Trusted Zone: workathomeagent.net
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
FF - ProfilePath - f:\documents and settings\Randy\Application Data\Mozilla\Firefox\Profiles\pi362pi4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - plugin: f:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - f:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - f:\program files\Dealio Toolbar\DealioToolbarIE.dll
BHO-{9F8D6D43-987F-4B45-9823-7371731F0598} - (no file)
Toolbar-{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} - f:\program files\Dealio Toolbar\DealioToolbarIE.dll
HKCU-Run-Microsoft Works Update Detection - f:\program files\Microsoft Works\WkDetect.exe
HKLM-Run-SearchSettings - f:\program files\Search Settings\SearchSettings.exe
Notify-opnkkjh - opnkkjh.dll
AddRemove-Ocean Range - f:\program files\James Software\Ocean Range\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 00:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(592)
f:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2009-10-24 0:52
ComboFix-quarantined-files.txt 2009-10-24 05:51

Pre-Run: 10,049,848,320 bytes free
Post-Run: 10,295,747,072 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS.0="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\="Previous Operating System on C:"

- - End Of File - - 592113C7162A4DDD3F9FB60693DC9D17

#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 24 October 2009 - 08:24 AM

Good job. :(

Let's continue........

Which AV did you remove?
Did you uninstall p2p and registry cleaner applications?

==========

Please download Posted Image by OldTimer to your desktop from here.
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • After it is finished, it should reboot your machine, if not, do this yourself to ensure a complete clean.
==========

:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :)

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
==========

With your next post please provide:

* Answer to question
* Combofix log
* MBAM log
* ESET log
* How is your computer running now?

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators
Posted Image

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#5 Coastwizard

Coastwizard
  • Topic Starter

  • Members
  • 35 posts

Posted 24 October 2009 - 03:00 PM

Hi! I uninstalled p2p (Limewire) and temporarily disabled Registry Booster. I would be willing to uninstall Registry Booster, but I have a question: Don't I need Registry Booster or a program like it to fix registry errors and keep my computer running smoothly?

Also, all the time I am following the steps and have my anti-spyware/anti-virus turned off, isn't my machine vulnerable to all kinds of other viruses, etc.?

Thanks again for all your help! My computer seems to be running much faster, and so far, no sign of the "Total Security" warning.


Malwarebytes' Anti-Malware 1.41
Database version: 3025
Windows 5.1.2600 Service Pack 3

10/24/2009 12:11:08 PM
mbam-log-2009-10-24 (12-11-08).txt

Scan type: Quick Scan
Objects scanned: 123277
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#6 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 24 October 2009 - 04:29 PM

Hi,

Don't I need Registry Booster or a program like it to fix registry errors and keep my computer running smoothly?

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.

==========

Also, all the time I am following the steps and have my anti-spyware/anti-virus turned off, isn't my machine vulnerable to all kinds of other viruses, etc.?

If you have followed my directions thus far and only used the computer to visit the sites and download the programs I have recommended then you are not in danger. :( I will make recommendations in relation to prevention when you are clean.

==========

The Combofix log you attached was from the 1st run. I need c:/ComboFix2.txt

==========

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
==========

With your next post please provide:

* c:/ComboFix2.txt
* Bitdefender log

Kind regards,
~t

#7 Coastwizard

Coastwizard
  • Topic Starter

  • Members
  • 35 posts

Posted 24 October 2009 - 05:33 PM

I only see one file on my Desktop called "ComboFix". I don't see a file called "ComboFix2". I dragged the CFScript.txt file into the ComboFix file like you said to and there is no longer a CFScript file on the Desktop. Should I go back and go through the steps to create the CFScript file again and drag it into ComboFix again?

Also, should I delete Registry Booster right now while we are still working on the computer?

#8 Coastwizard

Coastwizard
  • Topic Starter

  • Members
  • 35 posts

Posted 24 October 2009 - 05:51 PM

One more thing...When I reactivated my Spyware Doctor after our last session, it found three items, one of which was called "Application.NirCmd" which it recommended I delete, so I did. Was this a mistake?

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 24 October 2009 - 08:12 PM

Hi there,

When I reactivated my Spyware Doctor after our last session, it found three items, one of which was called "Application.NirCmd" which it recommended I delete, so I did. Was this a mistake?

It deleted part of Combofix!! :) Let's keep your AV off for now please.

==========

Also.....

You need to make certain that you are not using 2 antivirus applications at the same time! Choose either Webroot or Spyware Doctor please.

==========

Do this....

Right click and delete Combofix from your desktop!!

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Posted Image

Posted Image

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!


:( Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!! :(

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000

Folder::
f:\program files\LimeWire


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

We need to create an OTL Quick Scan
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • A report will open, copy and paste it in a reply here
==========

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
==========

With your next post please provide:

* ComboFix.txt
* Bitdefender log
* OTL log

Kind regards,
~t

#10 Coastwizard

Coastwizard
  • Topic Starter

  • Members
  • 35 posts

Posted 25 October 2009 - 07:36 PM

Ok, here we go!

Since our last communication, I have...

* removed Mozilla Firefox
* completely disabled my AV
* deleted Webroot
* completely disabled Registry Booster
* did not find an OTL icon on my desktop, so I downloaded OTL from another site and ran the OTL Quick Scan

Hope I did everything right this time. Really appreciate your help!

Attached are the following:

* ComboFix.txt
* Bitdefender log
* OTL log
* BDOScan8

Attached Files



#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 25 October 2009 - 09:32 PM

Very well done :(
(Especially since I did not link you to one of the tools) :(

Let's continue........

We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    SRV - File not found --  -- (WRConsumerService [Auto | Stopped])
    SRV - File not found --  -- (CLTNetCnService [Auto | Stopped])
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
    O3 - HKU\S-1-5-21-1229272821-484763869-839522115-1004\..\Toolbar\ShellBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
    O3 - HKU\S-1-5-21-1229272821-484763869-839522115-1004\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
    O3 - HKU\S-1-5-21-1229272821-484763869-839522115-1004\..\Toolbar\WebBrowser: (no name) - {C7768536-96F8-4001-B1A2-90EE21279187} - No CLSID value found.
    
    :Files
    F:\Documents and Settings\Randy\Application Data\Webroot
    F:\Program Files\Webroot
    F:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
    @F:\Documents and Settings\All Users\Application Data\TEMP:18E1FBFB
    @F:\Documents and Settings\All Users\Application Data\TEMP:1CA73D29
    @F:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
    
    :Reg
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1229272821-484763869-839522115-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1229272821-484763869-839522115-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O18 - Protocol\Handler\ipp - No CLSID value found
    O18 - Protocol\Handler\msdaipp - No CLSID value found
    
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.
==========

Turn your AV back on please.

==========

I had not noticed the Uniblue SpeedUpMyPC app before. It is probably part of this........

Uniblue RegistryBooster 2
Uniblue RegistryBooster 2009

I would uninstall those.

==========

With your next post please provide:

* OTL fix log

Kind regards,
~t

#12 Coastwizard

Coastwizard
  • Topic Starter

  • Members
  • 35 posts

Posted 26 October 2009 - 06:38 AM

Ok...I messed up, and I wanted to let you know before we go any further. Please don't give up on me...I'm not usually this stupid.

I host several Web pages, and yesterday (forgetting my AV was turned off) I went on Google to access some material for one of those sites. All of a sudden, I found myself being attacked by the very virus I started this process to remove, only this time, without my AV, it just kept popping up as fast as I tried to exit it. Finally, after I turned my AV back on, it stopped, but I'm not sure what damage it might have done. So what do we do now?

Do I have to start all over from scratch? If so, I'm willing if you are, and I promise no more screw-ups!

Randy

#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 26 October 2009 - 02:40 PM

Oops. :(

I do this because I enjoy it.

Let's start over...

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

==========

Right click and delete your current copy of Combofix!

Download and Run ComboFix (by sUBs)

You must rename it before saving it.

Posted Image

Posted Image

Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* exehelper.txt
* Combofix.txt

Kind regards,
~t

#14 Coastwizard

Coastwizard
  • Topic Starter

  • Members
  • 35 posts

Posted 26 October 2009 - 08:07 PM

Here they are! No glitches this time, I hope! =)

Attached:

* exehelper.txt
* Combofix.txt

Attached Files



#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 26 October 2009 - 10:01 PM

Hi,
I thought you said you uninstalled Webroot? Specifically explain what problems you are experiencing now?

==========

Please download MBR.exe from here ->
http://www2.gmer.net/mbr/mbr.exe

Save the file to your desktop and double click on it.

A new text file will appear on your desktop, created by the tool. Copy and paste that file here, please.

==========
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.
==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* Answer to questions
* Mbr log
* RSIT info and log.txt
* Gmer log
* Copy & paste all logs unless I direct you otherwise.

Kind regards,
~t