Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Swizzor /Tool.Prockill Infection


  • This topic is locked This topic is locked
97 replies to this topic

#1 steven

steven

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 04 November 2009 - 11:14 PM

Hello HJT team,
I started a topic in the forums and boopme graciously answered my questions. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/268997/im-infected-and-now-im-scared-reading-these-topics/ ~ OB After doing the following recommendations I have discovered I still have a problem / virus lurking on my laptop and boopme suggested that I post my problems in the HJT forum. Below is my topic starter explanation.
How do I know I have a problem? The . is reappearing in my address bar when typing in an address.

Hello BC, I'm back - again.
You would think that after being here a few years, I would be more adept at keeping bugs out of my work laptop.

I'm pretty sure I have a dialer / bug of some sort. (are the pop up ads here on BC new? They're the only ones I get!) I believe I have a dialer because when I'm not connected to the net, a dialog box keeps popping up wanting me to connect. It even disables my real wireless internet connection until I click "try again" on the dialog box.
I also have a . (period) left in my I.E. addy bar after deleting a site and entering a new site to go to. This was characteristic of FunWebSearch with my old 98 XP.

I have Spybot, A2Sq. Mbam, Adaware, AVG, SAS, ATF. (I have most of these because I like to run scans all the time.) All updated.

Now I'm really scared after reading some of the posts here. This is my online banking laptop and can't afford to have any bugs on this system.

Yesterday I ran scans in safe mode with SAS, MBAM, a2squared with nothing found.

I did as requested on the HJT page and the scan results are posted.
Thanks again so much for taking the time to help me out.

DDS scan:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 20:57:15.91 on Wed 11/04/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vistaâ„¢ Home Premium 6.0.6002.2.1252.1.1033.18.2045.847 [GMT -6:00]

AV: Trend Micro AntiVirus - Virus Protection *On-access scanning enabled* (Outdated) {9596F8E6-38C3-4C51-80B9-8C94D2E25B07}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Spy Sweeper *disabled* (Outdated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
SP: Trend Micro AntiVirus - Spyware Protection *enabled* (Outdated) {7241C815-3D0F-4059-9AF4-BF225B1D78B9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ll.net/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_0
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [TOSHIBA Volume Indicator] "c:\program files\toshiba\utilities\VolControl.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TPwrMain] "c:\program files\toshiba\power saver\TPwrMain.EXE"
mRun: [HSON] "c:\program files\toshiba\tbs\HSON.exe"
mRun: [SmoothView] "c:\program files\toshiba\smoothview\SmoothView.exe"
mRun: [00TCrdMain] "c:\program files\toshiba\flashcards\TCrdMain.exe"
mRun: [Trend Micro AntiVirus 2007] "c:\program files\trend micro\antivirus 2007\tavui.exe" -1 --delay 200
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: %SYSTEMROOT%\system32\tmlsp.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
TCP: {78C77FCD-5EFB-4693-8D40-6369EC20392F} = 69.78.96.14 66.174.92.14
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
Notify: WRNotifier - WRLogonNTF.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-27 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-7-27 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-5 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-26 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-26 297752]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-27 36368]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-3-15 29744]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-11-03 22:02:52 0 d-----w- c:\users\owner\DoctorWeb
2009-10-28 03:53:25 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 03:53:23 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-21 01:57:11 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-21 01:56:22 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-21 01:56:09 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-21 01:56:09 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-14 05:49:38 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 05:47:31 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 05:47:31 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 05:43:38 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 05:43:17 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 05:43:15 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

==================== Find3M ====================

2009-11-03 21:37:54 3784 ----a-w- c:\windows\system32\tmp.reg
2009-11-03 16:16:12 13025 ----a-w- c:\users\owner\appdata\roaming\nvModes.dat
2009-10-01 15:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-10 19:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-23 05:53:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-18 04:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:53:34 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49:20 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49:18 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49:18 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49:15 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49:14 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49:14 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49:13 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48:02 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-05 22:37:27 51200 ----a-w- c:\windows\inf\infpub.dat
2009-08-05 22:37:27 143360 ----a-w- c:\windows\inf\infstor.dat
2009-08-05 22:37:26 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-08-05 22:27:02 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-09-28 18:36:28 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:59:17.48 ===============

Attached Files


Edited by Orange Blossom, 05 November 2009 - 12:11 AM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 PM

Posted 09 November 2009 - 07:52 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#3 steven

steven
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 09 November 2009 - 11:07 PM

Hello Mole,
Nice to meet you.
I thought I'd edit my reply because my earlier reply made me sound like I was out there, which I probably was due to the hour and that I had little sleep the last two days.
FYI, I drive a semi for a living and I'm not always in aircard friendly areas. I will try to be as prompt as possible in replying to your posts, and sometimes downloading stuff may have to wait a day or two.
You don't have to worry about me not following your instructions. I tried to dissenfect a $3500 desktop on my own reading the boards here. All I did was manage to completely ruin the system.

Thanks for your help,
Steven

Edited by steven, 10 November 2009 - 01:30 PM.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 PM

Posted 10 November 2009 - 04:37 PM

Hi steven,

There's nothing showing up in any of the logs.

Funweb would be easy to spot and the symptoms you are telling me about aren't really malware related.


What I would do on your PC is this:


The first thing to do is to remove Desktop Dialer - this may be starting on boot and if you are not using dial-up it can go

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please doubleclick the "Add or Remove Programs" icon
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Desktop Dialer

Additional instructions can be found here if needed.


After that there are some further things to deal with

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Trend Micro or AVG.


Stay away from P2P

The log shows that you have been using so called peer-to-peer or file-sharing programmes (in your case Limewire). These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come a long way and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of their malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."


Then

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Let me know how those steps go.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#5 steven

steven
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 10 November 2009 - 06:49 PM

Good Evening Mole,

I uninstalled Desktop Dialer, Trend Micro, Limewire, and all Java. Reinstalled the newest Java version.

I think my daughter installed Limewire years ago. I have never accessed the thing. I am very aware of p2p stuff, and I'm computer illiterate, so I'm very cautious about clicking on stuff. (apparently not cautious enough.) My Trend Micro expired awhile back. That's why I have AVG. It was reccomended on BC!

I'm pretty sure there's something on my system. The dial up pop up box returns every so often and when I was browsing the net using the address bar yesterday, I kept getting directed to odd looking search pages.

When I followed boopme's directions everything was fine until my system just started acting up again. At first my net speed was fast, and the . icon was gone from the addy bar. Then after clicking through a few pages, my screen froze up, system had a little hiccup, and my net speed slowed down and the . icon was back in the addy bar, as it is now!
I never did reset the system restore becuase boopme sent me to HJT, thinking I had a rootkit. Is it possible I have a brand new version of a rootkit?

Have a Great Evening, and thanks again for your time on this matter.
Steven

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 PM

Posted 10 November 2009 - 06:59 PM

Okay, the redirects may be indicating something like a trojan/backdoor or a rootkit but there's nothing showing.


I can see that the problem returns after a reboot and this happens over and over with different tools so let's run a powerful tool and see what it can find. This may be an infected or false system file.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
Posted Image
m0le is a proud member of UNITE

#7 steven

steven
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 10 November 2009 - 08:35 PM

Hi Mole,
The links to download Combo fix aren't a go. The bc link doesn't work, The Foro link is in Spanish and I don't read Spanish. The Geek site no longer hosts the combo fix file and their mirrors lead me back to the spanish page, and the BC link which is also broken.

I'll await futher instructions.

Steven

#8 steven

steven
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 11 November 2009 - 12:06 AM

Hello Mole,

Just a quick update. I think I was able to download + save combofix to my desktop.
I haven't run anything yet because I'm wary of the download. It just didn't seem to feel right. I downloaded it from another topic on BC.
http://www.bleepingcomputer.com/forums/t/268745/unknown-malwarevirus-wont-let-any-anti-viruswindows-defendermalware-removal-progran-to-complete-scans/

The download was nearly instant and when I went to rename to file, I deleted the listed name and there was the . in the blank box. I deleted the . and put in the file name you said to put in there. This is the 1st time I have noticed the . in place of an empty space.

I'll wait for further instructions on this matter.

Steven

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 PM

Posted 11 November 2009 - 07:43 AM

Combofix was taken offline for a few hours which is why the links failed.

The link you did use was okay so please go ahead and install and run Combofix. :(
Posted Image
m0le is a proud member of UNITE

#10 steven

steven
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 11 November 2009 - 11:36 AM

Hi mole,

At the risk of sounding stupid, how do I disable AVG. I right clicked the Icon from the system tray, but ComboFix says it's still active.

#11 steven

steven
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 11 November 2009 - 12:37 PM

Mole, I managed to disable AVG I thought, but ComboFix is still telling me the AVG anti-virus is still active and I can't figure outhow to deactivate it.
Right clicking the icon from the system tray doesn't do anything that disables avg anti virus.

Edited by steven, 11 November 2009 - 01:13 PM.


#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 PM

Posted 11 November 2009 - 04:12 PM

Hi steven,

Disabling AVG 8.5 instructions.

Please open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.

* Click on Open AVG Interface.
* Double click on Resident Shield
* Deselect the option to "Enable Resident Shield."
* Save changes, and exit the application.
* To re-enable AVG 8.5, please select "Enable Resident Shield" again.

If you did this then ignore the Combofix warning and run the program :(
Posted Image
m0le is a proud member of UNITE

#13 steven

steven
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 12 November 2009 - 01:02 AM

Ok. Did as you instructed and here's the log file, (I copied + pasted this. If this isn't what you need, please let me know.):


ComboFix 09-11-11.02 - Owner 11/11/2009 23:34.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1157 [GMT -6:00]
Running from: c:\users\Owner\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Spy Sweeper *disabled* (Outdated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1058593241-3688274376-1921213229-500
c:\$recycle.bin\S-1-5-21-2099917951-402325976-912811912-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-880890090-4210280240-1235237068-500
c:\programdata\ntuser.dat{618c209d-d33d-11db-90ca-001636631e1c}.TMContainer00000000000000000001.regtrans-ms
c:\programdata\ntuser.dat{618c20ad-d33d-11db-90ca-001636631e1c}.TMContainer00000000000000000001.regtrans-ms
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-12 05:46 . 2009-11-12 05:47 -------- d-----w- c:\users\Owner\AppData\Local\temp
2009-11-12 05:46 . 2009-11-12 05:46 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-12 05:46 . 2009-11-12 05:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-12 05:46 . 2009-11-12 05:46 -------- d-----w- c:\users\bestbuy\AppData\Local\temp
2009-11-10 20:13 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 20:13 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-03 22:02 . 2009-11-03 22:30 -------- d-----w- c:\users\Owner\DoctorWeb
2009-10-29 20:56 . 2009-11-04 02:12 -------- d-----w- c:\users\Owner\AppData\Local\Adobe
2009-10-28 03:53 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 03:53 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-21 15:12 . 2009-10-21 14:17 2064152 ----a-w- c:\programdata\avg8\update\backup\avgcorex.dll
2009-10-21 15:12 . 2009-10-21 14:17 2025752 ----a-w- c:\programdata\avg8\update\backup\avgtray.exe
2009-10-21 01:57 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-21 01:57 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-21 01:57 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-21 01:57 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-21 01:56 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-21 01:56 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-21 01:56 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-21 01:56 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-21 01:56 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-16 17:19 . 2009-10-16 17:19 17632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\WSCUpdate.dll
2009-10-16 17:18 . 2009-10-16 17:18 3695616 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-10-14 05:49 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 05:47 . 2009-08-04 12:34 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-14 05:47 . 2009-08-04 12:34 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-14 05:43 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 05:43 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 05:43 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 05:07 . 2007-07-27 17:13 13025 ----a-w- c:\users\Owner\AppData\Roaming\nvModes.dat
2009-11-11 01:13 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 00:19 . 2007-03-20 05:28 8192 d-----w- c:\programdata\Microsoft Help
2009-11-10 23:15 . 2009-05-25 23:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-10 23:15 . 2007-03-15 22:27 4096 d-----w- c:\program files\Java
2009-11-10 22:04 . 2007-07-27 17:07 4096 d-----w- c:\program files\Trend Micro
2009-11-10 22:04 . 2007-07-27 17:12 -------- d-----w- c:\programdata\Trend Micro
2009-11-09 21:12 . 2009-05-25 23:17 1 ----a-w- c:\users\Owner\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-09 19:45 . 2008-08-11 23:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-05 00:34 . 2009-04-12 05:41 117760 ----a-w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-04 02:31 . 2007-07-29 16:12 1356 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2009-11-03 02:42 . 2009-10-05 15:35 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-16 17:56 . 2008-12-04 17:52 12288 d-----w- c:\program files\a-squared Free
2009-10-16 17:18 . 2009-06-26 00:00 562552 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-10-16 17:18 . 2009-06-26 00:00 566632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-10-16 17:18 . 2009-06-26 00:00 2353992 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-10-16 17:18 . 2009-06-26 00:00 640760 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-10-16 17:18 . 2009-06-25 23:59 520024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-10-16 17:18 . 2009-06-25 23:59 1028432 ----a-w- c:\programdata\Lavasoft\Ad-Aware\update\AAWService.exe
2009-10-16 16:42 . 2008-06-05 02:44 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-10-14 08:05 . 2007-03-20 05:25 24576 d-----w- c:\program files\Microsoft Works
2009-10-12 03:12 . 2009-10-12 03:12 746760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-09-18 16:14 . 2007-08-22 22:54 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-17 22:49 . 2009-09-17 22:49 -------- d-----w- c:\users\Owner\AppData\Roaming\Uniblue
2009-09-14 22:30 . 2008-06-05 02:18 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-14 22:29 . 2008-06-25 20:26 4045528 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-14 22:14 . 2007-08-22 22:54 12288 d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 20:29 . 2009-09-13 20:29 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbC42C.tmp.exe
2009-09-12 04:12 . 2009-09-12 04:12 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb6481.tmp.exe
2009-09-11 13:07 . 2009-09-11 13:07 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8318.tmp.exe
2009-09-10 21:07 . 2009-09-10 21:07 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb96A5.tmp.exe
2009-09-10 19:54 . 2008-07-23 07:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-06-05 02:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 00:27 . 2009-09-04 23:18 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-04 23:18 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 05:45 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 05:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17 . 2009-10-14 05:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42 . 2009-10-14 05:45 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-23 05:53 . 2008-07-28 03:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 05:53 . 2008-07-28 03:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-23 05:53 . 2008-07-28 03:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 16:27 . 2009-09-08 22:19 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-08 22:19 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-08 22:19 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-08 22:19 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-08 22:19 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-08 22:19 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-08 22:19 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-08 22:19 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-08 22:19 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-08 22:19 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-08 22:19 105984 ----a-w- c:\windows\system32\netiohlp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 15:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-04 00:03 2854912 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-16 2000112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-16 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-27 815104]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TOSHIBA Volume Indicator"="c:\program files\Toshiba\Utilities\VolControl.exe" [2006-10-31 94208]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-12 29744]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-09 2028312]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-12-19 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-12-19 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-12-19 81920]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-10-16 520024]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-10 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-10 21:09 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 23:50 90112 ----a-w- c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Owner^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(:(:de,09,38,50,1d,16,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [4/27/2009 18:02 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [7/27/2008 21:20 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/5/2009 17:47 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 09:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 09:33 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/26/2009 12:39 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/26/2009 12:39 297752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 09:33 7408]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 15:34 1028432]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/15/2007 16:39 29744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:18]

2009-11-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ll.net/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-{BDD83DC9-BEE9-4654-A5DA-CC46C250088D} - c:\program files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-11 23:47
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
Completion time: 2009-11-12 23:51
ComboFix-quarantined-files.txt 2009-11-12 05:51

Pre-Run: 137,273,065,472 bytes free
Post-Run: 136,854,974,464 bytes free

- - End Of File - - A494CCE3E5B4A862D7BB4CC6D64542E1

#14 steven

steven
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:03:16 PM

Posted 12 November 2009 - 01:59 AM

Is it a common occurence to have all these dialog boxes popping up after a scan?

And, my internet history keeps deleting itself. and, the USB port warning keeps going off.


Should I reboot?

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:08:16 PM

Posted 12 November 2009 - 08:45 AM

Yes, please reboot the machine :(


On rebooting please run MBAM as below

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks :(
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users