Deluged by Pop Ups


16 replies to this topic

#1 TriciaM808 (Members, Honolulu)
Posted 10 November 2009 - 03:33 PM

My computer is being overtaken by a multitude of pop-ups and I don't know how to get rid of them. I hope someone can help me to figure out how to get rid of them.

Before coming here I ran a quick scan with Malwarebytes and deleted those files but that didn't solve the popup problem. Here is the report ...

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/8/2009 8:08:47 AM
mbam-log-2009-11-08 (08-05-10).txt

Scan type: Quick Scan
Objects scanned: 145207
Time elapsed: 1 hour(s), 4 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.


I then ran a Malwarebytes complete system scan. I haven't done anything yet with the infected file.

Malwarebytes' Anti-Malware 1.41
Database version: 3128
Windows 5.1.2600 Service Pack 3

11/9/2009 8:27:21 PM
mbam-log-2009-11-09 (20-27-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 285890
Time elapsed: 35 hour(s), 31 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Deidre Lynne\Local Settings\temp\trt.exe (Rootkit.TDSS) -> No action taken.


Here is the DDS text log as per above instructions ...


DDS (Ver_09-10-26.01) - NTFSx86
Run by Patricia And Douglas at 21:11:35.42 on Mon 11/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.36 [GMT -10:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Computer Stuff\BO CLEAN\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\vVX3000.exe
D:\COMPUT~1\BOCLEA~1\BOC427.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\Downloaded Itunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
D:\Computer Stuff\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Patricia And Douglas\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - d:\mi3fd3~1\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\patricia and douglas\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/P...00001A.000000B7
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [BOC-427] d:\comput~1\boclea~1\BOC427.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [QuickTime Task] "d:\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\downloaded itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\computer stuff\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: &ieSpell Options - d:\iespell_checker\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - d:\iespell_checker\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Lookup on Merriam Webster - file://d:\iespell_checker\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://d:\iespell_checker\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://d:\iespell_checker\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://d:\iespell_checker\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\mi3fd3~1\office11\REFIEBAR.DLL
Trusted Zone: amaena.com
Trusted Zone: kamisugi-ortho.com\www
Trusted Zone: turbotax.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1097451513281
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/webplayer/stage6/windows/AutoDLDivXWebPlayerInstaller.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://www.nick.com/common/groove/gx/GrooveAX27.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} - hxxp://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} - hxxps://www4.lsac.org/LSACD_XMLWebServices/Http/OIFActiveX/ofmctl.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} - hxxp://www.rockyou.com/RockYouImageUploader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553550000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://master.svr01.thump.net/Scripts/Cache/PersitsActiveXUpload/XUpload.ocx
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 BCMNTIO;BCMNTIO;d:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-7-12 3744]
R2 BOCore;BOCore;d:\computer stuff\bo clean\BOCore.exe [2008-7-21 73464]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 MAPMEM;MAPMEM;d:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-7-12 3904]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-7-20 38224]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-10-14 07:13:20 0 dc----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-10-01 20:29:14 195440 -c----w- c:\windows\system32\MpSigStub.exe
2008-07-17 00:09:50 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071620080717\index.dat
2008-09-27 03:25:13 16384 -csha-w- c:\windows\temp\cookies\index.dat
2008-09-27 03:25:13 16384 -csha-w- c:\windows\temp\history\history.ie5\index.dat
2008-09-27 03:25:13 32768 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 21:12:24.60 ===============


I downloaded (twice) but couldn't get RootRepeal to run.

Thank you in advance for any assistance.
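A helper reading a DDS log like the one above starts with a handful of entry types in the "Pseudo HJT Report" section: toolbars and browser helper objects whose CLSID no longer points at a file, domains added to Internet Explorer's Trusted sites zone (which relaxes IE's security settings for them), Run/RunOnce values with no name, autoruns that open a browser on a URL, and the hosts that downloaded ActiveX controls (DPF lines) came from. The following is an added example, not code from the original post, from DDS or from BleepingComputer: it parses that section and surfaces those entry types. The sample text is a constructed excerpt in the same layout as the log above, and the choice of which entries to surface is this example's own; deciding whether any of them is malicious remains the helper's job.

```python
"""Surface review-worthy entries from the Pseudo HJT Report section of a DDS log."""
import re
from urllib.parse import urlparse

# Constructed excerpt in the layout of the DDS log above (not the real log).
SAMPLE_DDS = """============== Running Processes ===============

C:\\WINDOWS\\Explorer.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\\program files\\google\\google toolbar\\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\\program files\\yahoo!\\companion\\installs\\cpn\\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRunOnce: [<NO NAME>] c:\\program files\\internet explorer\\iexplore.exe http://www.symantec.com/techsupp/servlet/P...00001A.000000B7
mRun: [egui] "c:\\program files\\eset\\eset nod32 antivirus\\egui.exe" /hide /waitservice
mRun: [<NO NAME>]
Trusted Zone: amaena.com
Trusted Zone: turbotax.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

============= SERVICES / DRIVERS ===============

R2 ekrn;Eset Service;c:\\program files\\eset\\eset nod32 antivirus\\ekrn.exe [2008-7-1 468224]
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")


def parse_pseudo_hjt(text: str) -> list:
    """Return (kind, key, value) tuples from the Pseudo HJT Report section only.

    DDS writes two line shapes there: "<key>: <value>" for entries (BHO, TB,
    uRun, DPF, ...) and "<setting> = <value>" for Internet Explorer settings.
    """
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            in_section = m["name"] == "Pseudo HJT Report"
            continue
        if not in_section or not line:
            continue
        key, sep, value = line.partition(": ")
        if sep:
            entries.append(("entry", key, value))
            continue
        key, sep, value = line.partition(" = ")
        if sep:
            entries.append(("setting", key, value))
    return entries


def refang(url: str) -> str:
    # DDS defangs URLs as hxxp/hxxps so the log is not clickable; undo that only to read the host.
    return re.sub(r"^hxxp", "http", url)


def triage_pseudo_hjt(entries: list) -> dict:
    findings = {
        "orphaned_clsids": [],         # TB/EB/BHO registrations whose file is gone
        "trusted_zone": [],            # sites IE treats with relaxed security settings
        "unnamed_autoruns": [],        # Run/RunOnce values with no name
        "autoruns_opening_urls": [],   # Run/RunOnce that start a browser on a URL
        "activex_download_hosts": [],  # where DPF (downloaded ActiveX) controls came from
    }
    for kind, key, value in entries:
        if kind != "entry":
            continue
        if key in ("BHO", "TB", "EB") and value.endswith(" - No File"):
            findings["orphaned_clsids"].append(value[: -len(" - No File")].split(": ")[-1])
        elif key == "Trusted Zone":
            findings["trusted_zone"].append(value)
        elif key.endswith(("Run", "RunOnce")):
            if value.startswith("[<NO NAME>]"):
                findings["unnamed_autoruns"].append(f"{key}: {value}")
            if "iexplore.exe" in value.lower() and re.search(r"\bhttps?://", value):
                findings["autoruns_opening_urls"].append(f"{key}: {value}")
        elif key == "DPF":
            _, _, url = value.partition(" - ")
            host = urlparse(refang(url)).hostname
            if host and host not in findings["activex_download_hosts"]:
                findings["activex_download_hosts"].append(host)
    return findings


if __name__ == "__main__":
    for name, items in triage_pseudo_hjt(parse_pseudo_hjt(SAMPLE_DDS)).items():
        print(f"{name}: {items}")
```

Run against the full log above, the same code would list the three "No File" toolbars and one "No File" explorer bar, the three Trusted Zone domains, the unnamed uRunOnce and mRun values, and the download hosts of every DPF control; none of those is a verdict, only a reading list.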


#2 m0le (Malware Response Team, London, UK)
Posted 16 November 2009 - 07:17 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks and again sorry for the delay.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the [screenshot] tab.
  • Click the [screenshot] button.
  • Check all seven boxes: [screenshot]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [screenshot] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

m0le is a proud member of UNITE

#3 TriciaM808 (Topic Starter)
Posted 16 November 2009 - 08:06 PM

Thank you for your response. I am still having numerous pop ups on my daughter's account.

As per my initial post, I downloaded RootRepeal twice and was unable to get it to run. I tried once more just now and it still won't run. The program downloads fine, then stalls and freezes the computer at the Initializing, Please wait ... screen.

I'd appreciate any and all help with this. Thanks in advance.

I ran a Malwarebytes Full scan after my initial post (does anyone know why it takes this many hours to run?) and have the results posted here ...

Malwarebytes' Anti-Malware 1.41
Database version: 3128
Windows 5.1.2600 Service Pack 3

11/9/2009 8:27:21 PM
mbam-log-2009-11-09 (20-27-01).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 285890
Time elapsed: 35 hour(s), 31 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Deidre Lynne\Local Settings\temp\trt.exe (Rootkit.TDSS) -> No action taken.
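The MBAM 1.x log format posted above is regular enough to triage mechanically: header fields, a block of per-category counts, then one "<item> (<family>) -> <action>." line per detection. The following is an added example, not code from the original post or from Malwarebytes, that parses such a log and answers the questions a responder asks first: which detections are still marked "No action taken", which belong to a rootkit-class family (MBAM's family names are "<Class>.<Name>", so "Rootkit.TDSS" is class Rootkit), which detected executables sit in a user's temp folder, and whether the header counts agree with the listed items. The sample log is a constructed excerpt in the same layout as the logs above; the set of classes treated as high risk is this example's assumption.

```python
"""Parse and triage a Malwarebytes' Anti-Malware 1.x text log."""
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the logs posted above (not a real log).
SAMPLE_LOG = """Malwarebytes' Anti-Malware 1.41
Database version: 3128
Windows 5.1.2600 Service Pack 3

11/9/2009 8:27:21 PM
mbam-log-2009-11-09 (20-27-01).txt

Scan type: Full Scan (C:\\|D:\\|)
Objects scanned: 285890
Time elapsed: 35 hour(s), 31 minute(s), 3 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\\CLSID\\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.

Files Infected:
C:\\Documents and Settings\\Deidre Lynne\\Local Settings\\temp\\trt.exe (Rootkit.TDSS) -> No action taken.
C:\\WINDOWS\\Downloaded Program Files\\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
"""

# Family classes treated as active malware rather than adware (this example's choice).
HIGH_RISK_CLASSES = {"Rootkit", "Trojan", "Backdoor", "Worm"}

HEADER_RE = re.compile(r"^Malwarebytes' Anti-Malware (?P<version>\S+)$")
DB_RE = re.compile(r"^Database version: (?P<db>\d+)$")
SCAN_RE = re.compile(r"^Scan type: (?P<scan>.+)$")
OBJECTS_RE = re.compile(r"^Objects scanned: (?P<n>\d+)$")
# "Files Infected: 2" is a summary count; "Files Infected:" alone opens a section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?$")
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str

    @property
    def removed(self) -> bool:
        return self.action.lower().startswith("quarantined")

    @property
    def high_risk(self) -> bool:
        return self.family.split(".")[0] in HIGH_RISK_CLASSES


@dataclass
class MbamReport:
    version: str = ""
    database: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    summary: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER_RE.match(line):
            report.version = m["version"]
        elif m := DB_RE.match(line):
            report.database = m["db"]
        elif m := SCAN_RE.match(line):
            report.scan_type = m["scan"]
        elif m := OBJECTS_RE.match(line):
            report.objects_scanned = int(m["n"])
        elif m := SECTION_RE.match(line):
            if m["count"] is not None:
                report.summary[m["name"]] = int(m["count"])
            else:
                section = m["name"]
        elif section and (m := DETECTION_RE.match(line)):
            report.detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return report


def triage(report: MbamReport) -> dict:
    """What to look at before deciding the next step."""
    per_section = {}
    for d in report.detections:
        per_section[d.section] = per_section.get(d.section, 0) + 1
    return {
        "families": sorted({d.family for d in report.detections}),
        "pending": [d.item for d in report.detections if not d.removed],
        "high_risk": [d for d in report.detections if d.high_risk],
        # Executables in a user's temp folder are a common dropper location.
        "temp_executables": [d.item for d in report.detections
                             if d.section == "Files Infected" and "\\temp\\" in d.item.lower()],
        # Header counts disagreeing with listed items means the log was truncated or edited.
        "counts_consistent": all(per_section.get(name, 0) == count
                                 for name, count in report.summary.items()),
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(key, "->", value)
```

On the full-scan log above this flags one pending, high-risk item: trt.exe in a user's Local Settings\temp, classed Rootkit.TDSS, with no action yet taken, which is exactly the item m0le picks up on in the next reply.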

#4 m0le (Malware Response Team)
Posted 16 November 2009 - 08:15 PM

The TDSS rootkit found with MBAM is often part of a nastier package.


Let's run a program designed to find a specific rootkit

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Thanks :(

#5 TriciaM808 (Topic Starter)
Posted 16 November 2009 - 08:42 PM

Thank You m0le!

Here it is ...

Running from: C:\Documents and Settings\Patricia And Douglas\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Patricia And Douglas\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\$NtUninstallKB824141$\user32.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB824141$\user32.dll

Cannot access: C:\WINDOWS\$NtUninstallKB824141$\win32k.sys

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB824141$\win32k.sys

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\hh.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\hh.exe

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\html32.cnv

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\html32.cnv

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\itircl.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\itircl.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\itss.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\itss.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\locator.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\locator.exe

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\magnify.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\magnify.exe

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\narrator.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\narrator.exe

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\newdev.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\newdev.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\ole32.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\ole32.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\shell32.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\shell32.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\srv.sys

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\srv.sys

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\user32.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\user32.dll

Cannot access: C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll

Cannot access: C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll

Cannot access: C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll

Cannot access: C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx

Cannot access: C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll

Attempting to restore permissions of : C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll



Finished!
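What makes the Win32kDiag log above a negative result is where the inaccessible files sit: every "Cannot access" entry points under a $NtUninstallKBnnnnnn$ (or $NtUninstallQnnnnnn$) hotfix uninstall folder rather than into a live system directory, and the tool also reported that it could not obtain backup privileges, so permission-restricted files were inaccessible to it regardless of whether anything malicious had locked them. The following is an added example, not code from the original post or from the Win32kDiag author, that encodes that reading: it pairs each "Cannot access" line with its "Attempting to restore permissions" line, splits the hits into hotfix-uninstall-folder hits and everything else, and records the backup-privilege warning. The sample logs are constructed excerpts in the same layout, the live driver path in the second one is hypothetical, and the classification rule is this example's assumption drawn from the verdict in this thread, not a rule stated by the tool.

```python
"""Triage a Win32kDiag.txt log: which inaccessible files are where."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the log posted above (not the real log).
SAMPLE_LOG_CLEAN = """Running from: C:\\Documents and Settings\\Patricia And Douglas\\desktop\\win32kdiag.exe

Log file at : C:\\Documents and Settings\\Patricia And Douglas\\Desktop\\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\\WINDOWS'...

Cannot access: C:\\WINDOWS\\$NtUninstallKB824141$\\user32.dll

Attempting to restore permissions of : C:\\WINDOWS\\$NtUninstallKB824141$\\user32.dll

Cannot access: C:\\WINDOWS\\$NtUninstallQ828026$\\msdxm.ocx

Attempting to restore permissions of : C:\\WINDOWS\\$NtUninstallQ828026$\\msdxm.ocx

Finished!
"""

# Same log with a constructed hit on a hypothetical live driver path added.
SUSPECT_HIT = "C:\\WINDOWS\\system32\\drivers\\example.sys"
SAMPLE_LOG_SUSPECT = SAMPLE_LOG_CLEAN.replace(
    "Finished!",
    f"Cannot access: {SUSPECT_HIT}\n\nAttempting to restore permissions of : {SUSPECT_HIT}\n\nFinished!",
)

# Hotfix uninstall backups live in %windir%\$NtUninstallKBnnnnnn$ or $NtUninstallQnnnnnn$.
UNINSTALL_DIR_RE = re.compile(r"^[a-z]:\\windows\\\$ntuninstall[^\\$]+\$\\", re.IGNORECASE)
SEARCH_RE = re.compile(r"^Searching '(?P<root>.+)'\.\.\.$")
CANNOT_PREFIX = "Cannot access: "
RESTORE_PREFIX = "Attempting to restore permissions of : "


@dataclass
class Win32kDiagResult:
    searched_roots: list = field(default_factory=list)
    backup_privilege: bool = True
    expected_hits: list = field(default_factory=list)    # under hotfix uninstall folders
    suspicious_hits: list = field(default_factory=list)  # anywhere else
    not_restored: list = field(default_factory=list)     # no matching restore attempt logged


def parse_win32kdiag(text: str) -> Win32kDiagResult:
    result = Win32kDiagResult()
    inaccessible, restored = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SEARCH_RE.match(line):
            result.searched_roots.append(m["root"])
        elif line == "WARNING: Could not get backup privileges!":
            # Presumably SeBackupPrivilege (assumption); without it the tool is bound by file ACLs.
            result.backup_privilege = False
        elif line.startswith(CANNOT_PREFIX):
            inaccessible.append(line[len(CANNOT_PREFIX):])
        elif line.startswith(RESTORE_PREFIX):
            restored.add(line[len(RESTORE_PREFIX):])
    for path in inaccessible:
        bucket = result.expected_hits if UNINSTALL_DIR_RE.match(path) else result.suspicious_hits
        bucket.append(path)
    result.not_restored = [p for p in inaccessible if p not in restored]
    return result


def verdict(result: Win32kDiagResult) -> str:
    """Classification rule assumed by this example, matching the reading in the thread."""
    if result.suspicious_hits:
        return "investigate"
    if not result.searched_roots:
        return "incomplete"
    return "not found"


if __name__ == "__main__":
    for name, log in (("clean", SAMPLE_LOG_CLEAN), ("suspect", SAMPLE_LOG_SUSPECT)):
        r = parse_win32kdiag(log)
        print(name, verdict(r), "expected:", len(r.expected_hits), "suspicious:", r.suspicious_hits,
              "backup privilege:", r.backup_privilege)
```

Fed the full log above, this yields 43 expected hits, no suspicious hits and the verdict "not found", which is the conclusion m0le reaches in the next reply; the missing backup privilege is still worth noting, since it means the permission resets the -r switch asked for may not have taken effect.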

#6 m0le (Malware Response Team)
Posted 16 November 2009 - 08:45 PM

The good news is that particular rootkit is not there.

Please run Combofix, so we can oust TDSS

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(

#7 TriciaM808 (Topic Starter)

Posted 16 November 2009 - 09:30 PM

m0le, Would it be safe to enable my anti-virus protection programs now that I have run ComboFix? Thanks.

ComboFix 09-11-17.01 - Patricia And Douglas 11/16/2009 16:01.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.193 [GMT -10:00]
Running from: c:\documents and settings\Patricia And Douglas\Desktop\comfix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\poPCaploader.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-08 05:29 . 2009-11-12 04:12 -------- dc----w- c:\documents and settings\Deidre Lynne\Local Settings\Application Data\ccirlg
2009-10-20 06:40 . 2009-10-20 06:40 -------- dc----w- c:\documents and settings\David\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-24 01:18 . 2009-07-07 01:51 -------- dc----w- c:\documents and settings\Deidre Lynne\Application Data\U3
2009-10-19 17:29 . 2008-07-30 21:38 4045528 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-13 03:23 . 2004-03-11 00:54 -------- dc----w- c:\documents and settings\Patricia And Douglas\Application Data\Sony Corporation
2009-10-13 03:18 . 2007-03-16 01:47 -------- dc----w- c:\documents and settings\Deidre Lynne\Application Data\Sony Corporation
2009-10-13 03:17 . 2003-12-02 20:40 -------- dc----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-10-01 20:29 . 2009-10-02 17:54 195440 -c----w- c:\windows\system32\MpSigStub.exe
2009-09-30 05:44 . 2008-02-01 05:34 184168 -c--a-w- c:\documents and settings\Deidre Lynne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 08:19 . 2009-06-20 09:25 -------- dc----w- c:\documents and settings\Patricia And Douglas\Application Data\U3
2009-09-24 22:45 . 2009-05-20 06:41 256 -c--a-w- c:\windows\system32\pool.bin
2009-09-11 00:54 . 2008-07-20 18:06 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-11 00:53 . 2008-07-20 18:06 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 22:46 . 2009-01-27 00:12 184168 -c--a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-07 09:21 . 2009-09-07 09:21 316088 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-24 19:24 . 2009-08-24 19:24 152576 -c--a-w- c:\documents and settings\Patricia And Douglas\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Patricia And Douglas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-08 133104]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-09 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-08-19 4841472]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"VX3000"="c:\windows\vVX3000.exe" [2006-10-14 707376]
"BOC-427"="d:\comput~1\BOCLEA~1\BOC427.exe" [2008-07-14 351480]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"QuickTime Task"="d:\quicktime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\downloaded itunes\iTunesHelper.exe" [2008-11-20 290088]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-06-26 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="d:\computer stuff\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-11 1312080]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-05 28672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-14 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-3-11 108544]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2009-6-20 22486]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Patricia And Douglas^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=c:\documents and settings\Patricia And Douglas\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=c:\windows\pss\Cyber-shot Viewer Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Patricia And Douglas^Start Menu^Programs^Startup^Event Minder Reminders.lnk]
path=c:\documents and settings\Patricia And Douglas\Start Menu\Programs\Startup\Event Minder Reminders.lnk
backup=c:\windows\pss\Event Minder Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Patricia And Douglas\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Patricia And Douglas\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Downloaded Itunes\\iTunes.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 9:04 AM 34312]
R2 BCMNTIO;BCMNTIO;d:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [7/12/2006 7:37 AM 3744]
R2 BOCore;BOCore;d:\computer stuff\BO CLEAN\BOCore.exe [7/21/2008 11:54 AM 73464]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7/1/2008 9:02 AM 468224]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 MAPMEM;MAPMEM;d:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [7/12/2006 7:37 AM 3904]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2003-12-02 00:12]

2009-11-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1090749844-149777207-188667960-1005Core.job
- c:\documents and settings\Patricia And Douglas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-08 08:22]

2009-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1090749844-149777207-188667960-1005UA.job
- c:\documents and settings\Patricia And Douglas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-08 08:22]

2009-10-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1090749844-149777207-188667960-1008Core.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 05:55]

2009-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1090749844-149777207-188667960-1008UA.job
- c:\documents and settings\David\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-16 05:55]

2009-11-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 05:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - d:\iespell_checker\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - d:\iespell_checker\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Lookup on Merriam Webster - file://d:\iespell_checker\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://d:\iespell_checker\ieSpell\wikipedia.HTM
Trusted Zone: amaena.com
Trusted Zone: kamisugi-ortho.com\www
Trusted Zone: turbotax.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - c:\program files\AIM6\aim6.exe
AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe
AddRemove-cayahooantispy - c:\program files\CA Yahoo! Anti-Spy\uninstall.exe
AddRemove-DVD X Rescue - d:\program files\321Studios\DVD X Rescue\UNWISE.EXE
AddRemove-SimTown95v1 - d:\games\DeIsL1.isu
AddRemove-Yahoo! Companion - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1090749844-149777207-188667960-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-16 16:22
ComboFix-quarantined-files.txt 2009-11-17 02:21
ComboFix2.txt 2008-07-19 20:19

Pre-Run: 469,360,640 bytes free
Post-Run: 1,230,409,728 bytes free

- - End Of File - - 2FC14A8B38001B1C93EA6C156FFEC42F
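The log above is worth reading for more than the PopCap entry. As an added example, not ComboFix's output and not code from anyone in this thread, here is a small Python triage script that parses the REGEDIT4-style "Reg Loading Points" block ComboFix prints, lists the Run/RunOnce autostarts, and flags the protection-related values visible in this log: FirewallOverride=1 and DisableMonitoring=1 under the security center key, which stop Security Center from warning about the firewall and about the named product, and EnableFirewall=0 for the standard profile, which is the Windows Firewall switched off. Those values are routinely written by third-party security suites (the DisableMonitoring keys here are named for Symantec products, which do not appear among the services ComboFix lists), so a flag is a prompt to check, not a verdict. The sample text inside the script is constructed from excerpts of the log above; the function names are the example's own.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not ComboFix's code and not part of the thread: parses the
REGEDIT4-style block ComboFix prints, lists Run/RunOnce autostarts, and flags
Security Center / firewall-policy values that show protections switched off.
SAMPLE_LOG is constructed from excerpts of the log posted above.
"""
import re

SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Patricia And Douglas\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-08 133104]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-09 638816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-07-22 88361]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Patricia And Douglas\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')
# An autostart is rendered "name"="path" [date size] or, when the registry
# value holds a bare image name, "name"="image.exe" - resolved\path [date size].
IMAGE_RE = re.compile(r'"([^"]*)"(?:\s*-\s*(.+?))?\s*\[')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

def parse_loading_points(text):
    """Return {key_path: [(value_name, rendered_data), ...]} per [KEY] block."""
    keys, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current].append((m.group(1), m.group(2).strip()))
    return keys

def numeric(data):
    """Interpret ComboFix's dword:XXXXXXXX or 'N (0xN)' renderings as an int."""
    m = re.match(r"dword:([0-9a-f]+)", data, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None

def autostart_entries(keys):
    """Return (key, value_name, image_path) for every Run/RunOnce value."""
    entries = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, data in values:
            m = IMAGE_RE.match(data)
            if m:
                # group 2 is the resolved path when ComboFix printed one
                entries.append((key, name, m.group(2) or m.group(1)))
    return entries

def profile_autostarts(entries):
    """Autostarts whose image lives under a user profile, a writable location
    malware favours. Legitimate software uses it too (GoogleUpdate.exe in this
    log), so these are candidates for a signature/hash check, not verdicts."""
    return [e for e in entries if "documents and settings" in e[2].lower()]

def protection_findings(keys):
    """Flag values that show Security Center or Windows Firewall switched off."""
    findings = []
    for key, values in keys.items():
        k, leaf = key.lower(), key.split("\\")[-1]
        for name, data in values:
            if "security center" in k and name == "FirewallOverride" and numeric(data) == 1:
                findings.append("Security Center firewall warnings suppressed (FirewallOverride=1)")
            elif "security center" in k and name == "DisableMonitoring" and numeric(data) == 1:
                findings.append(f"Security Center monitoring disabled for {leaf}")
            elif "firewallpolicy" in k and name == "EnableFirewall" and numeric(data) == 0:
                findings.append(f"Windows Firewall off ({leaf})")
            elif "authorizedapplications" in k and name.lower().endswith(".dll"):
                findings.append(f"DLL in firewall exception list: {name}")
    return findings

if __name__ == "__main__":
    keys = parse_loading_points(SAMPLE_LOG)
    entries = autostart_entries(keys)
    flagged = {name for _, name, _ in profile_autostarts(entries)}
    for _, name, path in entries:
        print(f"autostart {'(profile dir)' if name in flagged else '':14} {name:<12} {path}")
    print("\n".join(protection_findings(keys)))
```

Run it as a script to print the report; the functions also return their results so the checks can be folded into a larger log-review tool. On a live machine the natural follow-up is to compare each autostart image path against what is actually on disk and to confirm the firewall state with the tools native to that Windows version before deciding whether these values were left behind by a former security suite or set by something unwanted.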

#8 m0le (Malware Response Team, London, UK)

Posted 17 November 2009 - 07:58 AM

You can reenable your programs after each scan.


The Combofix scan was a disappointment really. Popcaploader has been removed, which is your likely pop-up cause, but nothing else has been found. So your PC should be free of pop-ups now? Is that the case?


Let's run MBAM to clean up

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

Thanks
m0le is a proud member of UNITE

#9 TriciaM808 (Topic Starter, Honolulu)

Posted 17 November 2009 - 01:02 PM

Hi m0le,

No more Popups! I also notice that my computer is running faster and there is a lot more space available on my C drive. I'm really happy about that!

Were we hoping to find anything else, besides the Popcaploader, with the Combofix scan? I'm just following your lead here as I have no clue what I'm looking for.

I am running Malwarebytes' as per your instructions and will post the log when it is done. Thanks again!

#10 TriciaM808 (Topic Starter, Honolulu)

Posted 18 November 2009 - 11:47 AM

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

11/18/2009 6:15:06 AM
mbam-log-2009-11-18 (06-15-06).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 259394
Time elapsed: 17 hour(s), 26 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.dll.vir (Adware.PopCap) -> Quarantined and deleted successfully.

#11 m0le (Malware Response Team, London, UK)

Posted 18 November 2009 - 07:33 PM

Well, Tricia, that managed to delete Combofix's quarantined Popcap file.

Let's run the ESET online scanner to pick off any stray infected files

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Thanks

#12 TriciaM808 (Topic Starter, Honolulu)

Posted 19 November 2009 - 12:33 PM

Hi m0le, Scan didn't find any threats, so it didn't give me the option of saving a file. Is that correct? ...

#13 m0le (Malware Response Team, London, UK)

Posted 19 November 2009 - 04:19 PM

Yes, that is very correct.

You're clean. Good stuff!

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Comfix /Uninstall in the runbox and click OK. (Notice the space between "Comfix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware and hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it TriciaM808, happy surfing!

Cheers.

m0le

#14 TriciaM808 (Topic Starter, Honolulu)

Posted 20 November 2009 - 12:24 PM

Hi M0le!

Thanks for everything!

I was able to uninstall combofix and downloaded and ran OTC. It went through the process as you described, but it didn't get rid of the DDS logs and the Win32kDiag program and its file that are on my desktop. Is there another way for me to get rid of these items?

I have another question for you. In the MalwareBytes program, the files that are quarantined ... Is it safe for me to delete them?

Thanks for your time!

#15 m0le (Malware Response Team, London, UK)

Posted 20 November 2009 - 02:51 PM

Hi Tricia,

You can delete Win32diag and DDS by just right clicking and deleting or dragging them into the recycle bin.

You can also delete MBAM quarantine items safely. Enjoy the feeling of making this evil stuff disappear.

Cheers,

m0le



