
I believe Malware has affected my computer


29 replies to this topic

#1 sportsvine

  • Members
  • 58 posts
  • OFFLINE
  • Local time:01:24 PM

Posted 09 November 2009 - 10:53 AM

While doing research for a project, my browser suddenly closed and a fake virus protection program automatically runs, and I have problems closing out this detection program and it forces me to download more viruses/malware.

DDS.txt log

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/13/2008 6:26:49 AM
System Uptime: 11/8/2009 11:23:28 AM (16 hours ago)

Motherboard: ASUSTek Computer INC. | | IVY8
Processor: AMD Athlon™ Processor LE-1640 | Socket AM2 | 2700/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 224 GiB total, 168.905 GiB free.
D: is FIXED (NTFS) - 9 GiB total, 0.962 GiB free.
E: is CDROM ()
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: PS/2 Compatible Mouse
Device ID: ACPI\PNP0F13\4&309534F1&0
Manufacturer: Microsoft
Name: PS/2 Compatible Mouse
PNP Device ID: ACPI\PNP0F13\4&309534F1&0
Service: i8042prt

==== System Restore Points ===================

RP470: 10/28/2009 1:04:38 PM - Scheduled Checkpoint
RP471: 10/29/2009 11:14:23 AM - Windows Update
RP472: 10/29/2009 1:43:56 PM - Installed Microsoft Visual C++ 2005 Redistributable
RP473: 10/30/2009 2:24:45 PM - Scheduled Checkpoint
RP474: 10/31/2009 7:50:03 AM - Windows Update
RP475: 11/1/2009 6:03:37 PM - Scheduled Checkpoint
RP476: 11/2/2009 2:33:36 PM - Windows Update
RP477: 11/3/2009 5:41:48 PM - Windows Update
RP478: 11/4/2009 1:48:38 PM - Scheduled Checkpoint
RP479: 11/4/2009 1:53:40 PM - Windows Update
RP480: 11/5/2009 10:41:02 PM - Scheduled Checkpoint
RP481: 11/6/2009 5:04:10 PM - Windows Update
RP482: 11/7/2009 2:18:43 PM - Scheduled Checkpoint
RP483: 11/8/2009 7:09:56 PM - Windows Backup
RP484: 11/9/2009 3:01:45 AM - Windows Backup

==== Installed Programs ======================

Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11.5
AIM 6
Aim Plugin for QQ Games
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Cards_Calendar_OrderGift_DoMorePlugout
Choice Guard
Compaq Demo
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite Deluxe
EPSON Easy Photo Print
EPSON NX200 User's Guide
EPSON Scan
EPSON Stylus NX200 Series Printer Uninstall
FileZilla Client 3.2.8.1
Google Chrome
Google Earth
Google Update Helper
Google Updater
Hardware Diagnostic Tools
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Experience Enhancements
HP Customer Feedback
HP Easy Setup - Frontend
HP Games
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.5
HP Total Care Advisor
HP Update
HPPhotoSmartPhotobookWebPack1
Inspiration 8
Java™ 6 Update 15
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
LabelPrint
LightScribe System Software
LightScribeTemplateLabeler
Malwarebytes' Anti-Malware
MathPlayer
McAfee SiteAdvisor
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Move Media Player
Mozilla Firefox (3.5.5)
MSVCRT
muvee autoProducer 6.1
NVIDIA Drivers
OpenOffice.org 3.0
Power2Go
PowerDirector
PSSWCORE
Python 2.5
QQ Games
QQ Pool
QQ Treasure Hunter
QuickTime
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
SkyGazer 4
Soft Data Fax Modem with SmartCP
Sophos Anti-Rootkit 1.5.0
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
The Weather Channel Desktop 6
The Weather Channel Toolbar
UltimateBet
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB974810)
VideoToolkit01
Viewpoint Media Player
WeatherBug Gadget
WildGames
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Live Writer
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

11/8/2009 11:24:01 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

==== End Of File ===========================

I try to download rootrepeal, but my computer gives me a blue screen error, and crashes.

I run sophos anti-rootkit as an alternative and it found 5 unknown hidden files but did not recommend removing them. Here is a copy and paste of each.

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Users\Shelly\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EEWOS4V1\%2FAdId%3D479068%3BBnId%3D1%3Bitime%3D828362209%3Bkvmn%3D93243969%3Bkvtid%3D14kjkr80ujm2rv%3Bkvseg%3D99999%3A60060%3Bnodecode%3Dyes%3Blink%3D;ord=828362209[1]
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\X6NJA1BJ\te_WS;MN=93233937;u=r49cadf55687e7011;wm=o;rm=1;!c=HPC;!c=d-gif;!c=d-jpg;!c=d-imrd;!c=d-fls;!c=d-jav;!c=d-dxp;!c=d-pxp;sz=61x21;tile=4;dcove=d;ord=201180391[1]
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Users\Shelly\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EEWOS4V1\0256;ab=35;gb=nil;hb=nil;gc=US;gs=nil;gd=nil;tods=nil;tode=nil;tf=1;tp=10;dow=nil;atf=nil;cg=30;af=10;il=2970;sz=728x90;tile=1;u=il-2970;ord=8370672750[1].htm
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Users\Shelly\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\E39SCTQS\256;ab=35;gb=nil;hb=nil;gc=US;gs=nil;gd=nil;tods=nil;tode=nil;tf=1;tp=10;dow=nil;atf=nil;cg=30;af=10;il=2971;sz=300x250;tile=2;u=il-2971;ord=7071217358[1].htm
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Windows\System32\drivers\rootrepeal6.sys
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)


Also, I attached my dds.

Please help me I will be patient.



#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:24 PM

Posted 15 November 2009 - 06:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Also, please subscribe to this topic, so you are notified when someone replies. Please continue to check manually on occasion, as every now and then the email may be caught by your spam filter.
To enable topic notifications you should do the following:
  • Click on the My Controls link at the top of the page to enter your control panel.
  • Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
  • Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
  • Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.
Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 sportsvine

  • Topic Starter
  • Members
  • 58 posts
  • OFFLINE
  • Local time:01:24 PM

Posted 15 November 2009 - 08:43 PM

Here is a copy and paste of the DDS file, and attached is the DDS attachment.


DDS (Ver_09-10-26.01) - NTFSx86
Run by chrismichelle at 18:34:00.44 on Sun 11/15/2009
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1918.926 [GMT -7:00]

AV: Active Security *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\LEXBCES.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\chrismichelle\Downloads\dds(2).scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://www.yahoo.com/
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: TwcToolbarBhoApp Class: {aa1f9ddb-e605-4ba6-81d4-e427dee012ad} - c:\windows\system32\TwcToolbarBho.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [EPSON Stylus NX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefa.exe /fu "c:\users\chrism~1\appdata\local\temp\E_S1841.tmp" /EF "HKCU"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [Lexmark 1200 Series] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\programdata\microsoft\windows\start menu\programs\ultimatebet\UltimateBet.lnk
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer\MathMLMimer.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\chrism~1\appdata\roaming\mozilla\firefox\profiles\kbp8z2g3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.chadrad.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\users\chrismichelle\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-3 108289]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-27 210216]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-11 24652]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S2 gupdate1c95c1262cb9670;Google Update Service (gupdate1c95c1262cb9670);c:\program files\google\update\GoogleUpdate.exe [2008-12-11 133104]
S3 rootrepeal;rootrepeal;c:\windows\system32\drivers\rootrepeal.sys [2009-10-26 34816]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-10-26 34816]
S3 rootrepeal3;rootrepeal3;c:\windows\system32\drivers\rootrepeal3.sys [2009-10-26 34816]
S3 rootrepeal5;rootrepeal5;c:\windows\system32\drivers\rootrepeal5.sys [2009-10-26 34816]
S4 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-3-20 131616]

=============== Created Last 30 ================

2009-11-13 00:29:06 0 d---a-w- c:\programdata\TEMP
2009-11-13 00:28:28 0 d-----w- c:\program files\ETS
2009-11-13 00:26:12 0 d-----w- c:\users\chrism~1\appdata\roaming\GetRightToGo
2009-11-10 21:06:02 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 21:05:54 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-09 10:21:33 251953100 ----a-w- c:\windows\MEMORY.DMP
2009-11-09 10:20:16 34816 ----a-w- c:\windows\system32\drivers\rootrepeal6.sys
2009-11-04 00:02:46 0 d-----w- c:\windows\system32\eu-ES
2009-11-04 00:02:46 0 d-----w- c:\windows\system32\ca-ES
2009-11-04 00:02:42 0 d-----w- c:\windows\system32\vi-VN
2009-11-02 01:28:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 01:28:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 01:28:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-29 19:44:41 98304 ----a-w- c:\windows\system32\TwcToolbarBho.dll
2009-10-29 19:44:41 89088 ----a-w- c:\windows\system32\atl71.dll
2009-10-29 19:44:41 331776 ----a-w- c:\windows\system32\TwcToolbarIe7.dll
2009-10-29 19:44:41 25600 ----a-w- c:\windows\system32\TwcToolInstDll.dll
2009-10-29 19:43:54 0 d-----w- c:\program files\The Weather Channel Toolbar
2009-10-29 19:42:21 0 d-----w- c:\program files\The Weather Channel FW
2009-10-28 03:08:03 0 d-----w- c:\program files\common files\McAfee
2009-10-28 03:07:57 0 d-----w- c:\program files\McAfee
2009-10-28 02:14:40 0 d-----w- c:\programdata\SiteAdvisor
2009-10-28 02:14:00 0 d-----w- c:\programdata\McAfee
2009-10-27 17:23:01 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 17:23:00 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-27 17:16:29 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-27 17:16:07 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-27 17:16:00 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-27 17:16:00 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-27 05:08:13 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-10-27 05:08:12 270848 ----a-w- c:\windows\system32\schannel.dll
2009-10-27 03:11:47 0 d-----w- c:\program files\Sophos
2009-10-26 21:37:01 34816 ----a-w- c:\windows\system32\drivers\rootrepeal3.sys
2009-10-26 21:36:57 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2009-10-26 21:36:50 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-10-26 21:36:41 34816 ----a-w- c:\windows\system32\drivers\rootrepeal5.sys
2009-10-26 00:45:07 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2009-10-26 00:44:54 0 d-----w- c:\users\chrism~1\appdata\roaming\SUPERAntiSpyware.com
2009-10-26 00:44:54 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-26 00:44:01 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-25 21:24:18 0 d-----w- c:\program files\Trend Micro
2009-10-17 05:24:00 0 d-----w- c:\windows\system32\EventProviders

==================== Find3M ====================

2009-11-04 00:09:29 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-04 00:09:29 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-04 00:09:29 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-04 00:02:36 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-03 23:57:32 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-11-03 03:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 13:29:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 12:40:58 834048 ----a-w- c:\windows\system32\wininet.dll
2009-08-18 05:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-08-05 18:53:20 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009080520090806\index.dat

============= FINISH: 18:35:36.29 ===============

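Reading a DDS log like the one above is what the helpers do by hand; the Python below, added here as an example (it is not a BleepingComputer or DDS tool), does the mechanical first pass: it flags AV/SP header lines DDS marks as Outdated, BHO and toolbar registrations that point at No File, and driver files listed under Created Last 30 that have no entry in SERVICES / DRIVERS. The sample lines are copied from this thread's log; the function names and finding categories are the example's own.

```python
"""Triage helper for a DDS log (added example, not part of DDS or this thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Sample lines copied from the DDS log posted in this thread (constructed excerpt).
SAMPLE_DDS = r"""
AV: Active Security *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
S3 rootrepeal;rootrepeal;c:\windows\system32\drivers\rootrepeal.sys [2009-10-26 34816]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [2009-10-26 34816]

=============== Created Last 30 ================

2009-11-09 10:20:16 34816 ----a-w- c:\windows\system32\drivers\rootrepeal6.sys
2009-11-02 01:28:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 21:36:50 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
PROTECT_RE = re.compile(
    r"^(?P<kind>AV|SP|FW): (?P<name>.+?) \*(?P<state>[^*]*)\* \((?P<upd>Updated|Outdated)\)")
HJT_RE = re.compile(
    r"^(?P<kind>BHO|TB): (?:(?P<name>.+?): )?(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>[\d:.]+) (?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the DDS section, and collect review items."""
    findings: list[Finding] = []
    section = ""
    service_paths: set[str] = set()          # file paths that have a service/driver entry
    created_drivers: list[tuple[str, str]] = []  # (path, date) of new *.sys under \drivers\

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        m = PROTECT_RE.match(line)
        if m:  # AV:/SP:/FW: header lines precede the first section
            if m.group("upd") == "Outdated":
                findings.append(Finding(
                    "outdated_protection",
                    f"{m.group('kind')} {m.group('name')} is reported Outdated"))
            continue
        if section.startswith("pseudo hjt"):
            m = HJT_RE.match(line)
            if m and m.group("target") == "No File":
                # A CLSID still registered but with no DLL behind it: harmless leftover
                # or an uninstalled add-on; worth listing for clean-up either way.
                findings.append(Finding(
                    "orphaned_registration",
                    f"{m.group('kind')} {m.group('clsid')} has no backing file"))
            continue
        if section.startswith("services"):
            m = SERVICE_RE.match(line)
            if m:
                service_paths.add(m.group("path").lower())
            continue
        if section.startswith("created last"):
            m = CREATED_RE.match(line)
            if m and "\\drivers\\" in m.group("path").lower():
                created_drivers.append((m.group("path").lower(), m.group("date")))

    # Drivers dropped in the last 30 days with no service entry. This is a review list,
    # not a verdict: on-demand drivers such as mbam.sys legitimately show up here too.
    for path, date in created_drivers:
        if path not in service_paths:
            findings.append(Finding(
                "driver_without_service",
                f"{path} created {date} but has no SERVICES / DRIVERS entry in this log"))
    return findings


def counts(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per category, for a quick overview."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.category}] {f.detail}")
```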



#4 sportsvine

  • Topic Starter
  • Members
  • 58 posts
  • OFFLINE
  • Local time:01:24 PM

Posted 15 November 2009 - 08:50 PM

Also, I will add that the fake virus protection that will automatically run has done this a couple more times since.

Each time this has happened, a progress bar would start and then almost immediately, it claims that I have numerous infected files. I try to close out of this scanner, but it prompts me to save the file. I "x" out of that box and it tells me that by closing this box it will leave my computer unprotected. Then my real virus protection program, avira, would pop up and show an infected file. I then move the infected file to quarantine and delete it. But this has happened repeatedly, so I think my computer remains infected.

Also, I am not real sure if this is related or not, but my wife has been unable to access her college e-mail run through microsoft outlook. This started happening a couple days ago. She gets a password/username error message. My college e-mail works fine however.

#5 thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:24 PM

Posted 18 November 2009 - 10:32 AM

Hello sportsvine :( Welcome to the BC HijackThis Log and Analysis forum. Sorry about your wait, but I will be assisting you in cleaning up your system from here on out.


I ask that you refrain from running tools other than those we suggest while we are performing the clean-up. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please do not post any logs as an attachment unless asked to do so.





Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#6 sportsvine (Topic Starter, Members, 58 posts)

Posted 18 November 2009 - 07:22 PM

I ran the GMER rootkit scanner and it scanned my computer for a while and then just stopped. I wasn't sure if it stopped because it had finished, or because something else was acting upon the scanner and forced it to stop. It did not give a confirmation that it had finished. It did register 5 entries and I have uploaded them.

Also, I would like to point out that this computer makes noises quite often. These noises are normally made when a program is trying to start up on the computer, such as when I insert a USB flash drive into the computer. Well, it makes this same noise randomly at other times, and this makes me believe that some programs are trying to start up on the computer without me starting them myself. Sometimes when I check the computer after hearing these noises, the computer doesn't have anything showing on the screen to indicate what is causing these noises.

Attached Files

  • Attached File: Gmer.txt (786 bytes, 5 downloads)


#7 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 18 November 2009 - 09:40 PM

I really don't have a clue as to what the noises are, especially when you don't describe what they sound like. :( Is it a clicking sound? Whirring?

#8 sportsvine (Topic Starter, Members, 58 posts)

Posted 18 November 2009 - 09:53 PM

It's hard to explain, but I'll try. Whenever I insert my USB flash drive, it makes a double beep sound in quick succession, a low beep quickly followed by a high beep.

Well, the computer at random times has been making this same sound for no reason. I will be in the other room and will hear the sound, so I quickly go to the computer to investigate, and nothing is on the screen except for my desktop to indicate what caused this sound. The computer has never made this sound while I am actually working on the computer, only when I am away from it. Finally, the computer happened to make this sound earlier and my wife was in the room, so she could see the computer immediately after it made this sound, and nothing was on the screen indicating what caused this sound.

Really strange, and certainly concerning.

#9 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 18 November 2009 - 10:07 PM

That is strange and, truthfully, right now I don't know what is causing it, but we can't rule out that it has something to do with malware.

I see that you have MalwareBytes on your computer and I am assuming you have run it. If it found some things, open it up and click on the Logs tab, then copy and paste the latest log in there.

#10 sportsvine (Topic Starter, Members, 58 posts)

Posted 18 November 2009 - 10:09 PM

I ran MalwareBytes a couple of days ago, and it did not find anything. Want me to run it again?

#11 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 18 November 2009 - 10:16 PM

No, let's go ahead and see if CF will run.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE.
  • Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#12 sportsvine (Topic Starter, Members, 58 posts)

Posted 18 November 2009 - 11:01 PM

ComboFix scan done and the log uploaded. Thank you so much for your help and I await your reply!

Attached Files



#13 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 19 November 2009 - 10:26 AM

I am not seeing any more signs of malware on your machine. However, I can't say whether what was taken off had anything to do with the noise you are hearing. Have you heard it any more since you ran ComboFix?

#14 sportsvine (Topic Starter, Members, 58 posts)

Posted 19 November 2009 - 02:43 PM

Did you see any malware on my computer before I ran ComboFix? Did ComboFix actually remove stuff from my computer? What about the GMER rootkit scanner, did that show any malware before I ran ComboFix?

And I haven't been on the computer all day, as I am in class. Right now I am on a computer at my college's computer lab, so I can't say for sure whether it's making that random noise anymore or not. If it does make the noise again, I will post again.

What about my original problem of a fake virus program starting up on its own (as described in messages 1 and 4 of this thread)? Do you think that was from a virus or malware, and do you think that bug is out of my computer?

Thank you so much for your assistance.

#15 thewall (Malware Response Team, 6,425 posts, Florida)

Posted 19 November 2009 - 06:25 PM

While CF did remove a couple of things, it really was not very much. I have a feeling your Avira may have taken most of the infection off before you got here, but I don't know unless you can get to the logs on it and post a copy here. GMER didn't show any rootkits, so that was ruled out.

Let me know about the noises, although I don't see anything that could be causing them.



