Internet Security 2010 Virus


  • This topic is locked
75 replies to this topic

#1 RhonB

  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 05:28 PM

Hi,

I have written here before but never did get any responses; I hope it is not because I am posting incorrectly, and if so, I apologize, but please help...I need a response asap!

Today I suddenly got this Internet Security 2010 Scam/Virus...I went to your removal guide and have followed all the steps but keep getting stuck after #9.....when I open the Malwarebytes program...it does not update or scan...it freezes my whole computer (including my internet) and I end up having to re-start my computer, which re-starts the virus processes and I have to do the rkill process over again, then when I try to open Malwarebytes (again) it does the same thing over and over again. I have tried removing the old download of Malwarebytes from my system and re-downloading new...but the same thing keeps happening.

Please, somebody reply and guide me as to what to do about this as I cannot remove the virus...

Please help!

Thanks in advance!

#2 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 31 December 2009 - 06:31 PM

Hello RhonB, and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Kind regards
Net_Surfer


#3 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 06:51 PM

Hi there, thanks for the reply!!!

When I click on the DDS links you posted...they do not open...I mean a window opens but it does not load...I am having the same problem with most things internet since this thing showed up on my pc. That is why I refuse to close THIS window...as I may never get back here without having to restart my computer and hence...restarting the trojan files processes.
Like I explained, I have been doing your removal guide steps but the Malwarebytes keeps freezing....

So now what do we do? :-( Do you want me to try and post a HJ log???

#4 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 31 December 2009 - 06:56 PM

Delete the Rkill tool from your desktop by right-clicking on it and choosing Delete, and use these steps instead.
We need to use the RKill Tool by Grinler.


Link #1
Link #2
Link #3
Link #4

  • Please Download Link #1. Save it to your Desktop.
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double click the RKill desktop icon to run the tool.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
NOTE:
1. Try running RKill using Link 1, if it does not run, download Link 2 and delete Link 1 then try running it again.
2. If you still can't run RKill, repeat the same steps using Link 3 and 4. Please tell me if none of the links work.
*If the tool does not run from any of the links, Please tell me about it.


After you have run Rkill, and without re-booting, try to scan with DDS and post the log back here for my review.

Regards
Net_Surfer

#5 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 07:07 PM

Ok, I deleted the previous rkill from my desktop...(although it had let me run it before) I downloaded and ran Link #1...it worked...but when I go back to your DDS links...the window still opens but it does not load...or seems to be taking forever. Also, I normally run 2 anti-virus/malware protection programs....I went to close my Prevx and that was ok...but when I went to close my Cogeco (my Cable/ISP's software) it was already closed...I had not closed it...I think the malware is doing that.

In any case...It seems I cannot get to the links for the DDS if they require another window to open and connect.

Sorry, forgot to mention, I run Windows XP...

#6 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 07:12 PM

Ok I finally got one of them downloaded...here is the DDS.txt log....

DDS (Ver_09-12-01.01) - NTFSx86
Run by Rhon at 19:08:25.53 on 31/12/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1267 [GMT -5:00]

AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}
AV: COGECO Security Services 8.02 *On-access scanning enabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: COGECO Security Services 8.02 *enabled* {D4747503-0346-49EB-9262-997542F79BF4}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\COGECO Security Services\Anti-Virus\fsgk32st.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\COGECO Security Services\FWES\Program\fsdfwd.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\COGECO Security Services\FSGUI\fsguidll.exe
C:\WINDOWS\V0230Mon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HOTALBUMMyBOX\MediaChecker.exe
C:\Program Files\CASIO\YouTube Uploader for CASIO\YStart.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\COGECO Security Services\Anti-Virus\FSGK32.EXE
C:\Program Files\COGECO Security Services\Anti-Virus\fssm32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Documents and Settings\Rhon\Desktop\dds.pif

============== Pseudo HJT Report ===============

uSearch Page =
uDefault_Page_URL = hxxp://partnerpage.google.com/smallbiz.dell.com/en_ca?hl=en&client=dell-row&channel=ca-smb&ibd=2080306
uSearch Bar =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant =
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
uURLSearchHooks: FCToolbarURLSearchHook Class: {0adb501b-f9c4-4c02-a9ed-2f605a0586e0} - c:\program files\mob wars toolbar\Helper.dll
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: {021eeca9-c9d8-49af-8be9-3f040f4f9165} - c:\windows\system32\d3dpmesh32.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Freecause Toolbar BHO: {28a27f58-704f-40e1-8053-28e909fbf604} - c:\program files\mob wars toolbar\Toolbar.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: jZip Webmail plugin: {647fd14a-c4f1-46f4-8fc3-0b40f54226f7} - c:\program files\jzip\WebmailPlugin.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Mob Wars Toolbar: {6857857c-15d3-435d-af19-e0217298b416} - c:\program files\mob wars toolbar\Toolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [PMX Daemon] ICO.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [F-Secure Manager] "c:\program files\cogeco security services\common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "c:\program files\cogeco security services\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [V0230Mon.exe] c:\windows\V0230Mon.exe
mRun: [MBBalloon] c:\program files\hotalbummybox\MBBalloon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mediac~1.lnk - c:\program files\hotalbummybox\MediaChecker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\youtub~1.lnk - c:\program files\casio\youtube uploader for casio\YStart.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-explorer: NoWindowsUpdate = 0 (0x0)
dPolicies-explorer: NoDevMgrUpdate = 0 (0x0)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
dPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73C00} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\cogeco security services\fspc\fspcmsie.dll
IE: {200DB664-75B5-47c0-8B45-A44ACCF73F01} - {D68926FD-18FD-4B0E-A1C7-917D13FAB760} - c:\program files\cogeco security services\fspc\fspcmsie.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
LSP: c:\program files\cogeco security services\fsps\program\FSLSP.DLL
Trusted Zone: facebook.com\apps
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IPC Configuration Utility - No File
LSA: Notification Packages = scecli scecli
Hosts: 192.168.1.101 rhonda
Hosts: 192.168.1.100 home

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rhon\applic~1\mozilla\firefox\profiles\bwddzfgj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [2009-7-2 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [2008-3-11 79872]
R0 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2009-1-30 17928]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-1-30 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [2009-4-18 27656]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2008-3-12 15172]
R1 F-Secure HIPS;F-Secure HIPS;c:\program files\cogeco security services\hips\drivers\fshs.sys [2009-7-2 67808]
R2 CSIScanner;CSIScanner;c:\program files\prevxcsi\prevxcsi.exe [2008-12-22 4368952]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\cogeco security services\anti-virus\fsgk32st.exe [2008-3-11 215648]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-12-18 24652]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\cogeco security services\anti-virus\minifilter\fsgk.sys [2008-3-11 107104]
R3 FSORSPClient;F-Secure ORSP Client;c:\program files\cogeco security services\orsp client\fsorsp.exe [2009-7-2 55904]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2008-3-21 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2008-3-21 14336]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [2006-3-24 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [2006-9-29 500480]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\cogeco security services\anti-virus\win2k\fsfilter.sys [2008-3-11 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\cogeco security services\anti-virus\win2k\fsrec.sys [2008-3-11 25184]

=============== Created Last 30 ================

2010-01-12 21:56:54 0 d-----w- c:\docume~1\rhon\applic~1\Malwarebytes
2010-01-12 21:56:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-12 18:28:11 1184 --sha-w- c:\windows\system32\1947574266
2010-01-12 18:28:10 817 ----a-w- c:\windows\system32\608554922
2010-01-12 18:27:54 0 d-sh--w- c:\windows\system32\SysWoW32
2010-01-12 18:26:28 203776 --sh--w- c:\windows\system32\unrar.exe
2010-01-12 18:26:28 0 d-----w- c:\windows\system32\376940749
2010-01-12 17:37:26 0 d-----w- c:\docume~1\rhon\applic~1\uTorrent
2010-01-12 05:19:59 0 d-----w- c:\program files\Trend Micro
2010-01-12 01:04:06 0 d-----w- c:\docume~1\rhon\applic~1\AVS4YOU
2010-01-12 01:01:50 0 d-----w- c:\program files\AVS4YOU
2009-12-31 22:01:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 22:01:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 22:01:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 19:57:51 0 d-----w- c:\program files\InternetSecurity2010
2009-12-31 19:57:47 0 ----a-w- c:\windows\system32\41.exe
2009-12-31 19:53:30 1 ----a-w- C:\s
2009-12-31 19:53:29 22016 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-31 19:53:29 22016 ----a-w- c:\windows\system32\winlogon86.exe
2009-12-27 02:03:22 0 d-----w- C:\DeleteMaybe

==================== Find3M ====================

2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2008-06-03 23:13:08 5632 --sha-w- c:\program files\Thumbs.db
2008-12-23 23:34:30 162 --sha-w- c:\windows\system32\2756038570.dat
2009-02-07 01:33:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020620090207\index.dat

============= FINISH: 19:08:53.81 ===============


I am trying to zip and send the other one...but my zip isn't cooperating....still working on it....thanks
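A small triage script, added here as an example and not part of the thread, that reads the Pseudo HJT Report and Created Last 30 sections of a DDS log like the one posted above and flags what a helper looks at first: a Winlogon Userinit value that is not the default userinit.exe, and autostart entries (Run keys, Userinit, BHOs) whose targets were created inside the 30-day window. The sample lines are excerpted from this log; the Userinit default and the nameless-BHO heuristic are the example's own assumptions.

```python
"""Triage a DDS 'Pseudo HJT Report' against the log's 'Created Last 30' section.
Added example, not from the thread: flags a non-default Winlogon Userinit and
autostart entries (Run keys, Userinit, BHOs) whose targets were created inside
the 30-day window; a nameless BHO is reported only as a weak indicator."""
import re
from collections import namedtuple

# Assumed Windows XP default; any other Userinit value is a logon-time hijack.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Excerpt of the DDS log posted in this thread (paths exactly as listed there).
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
mWinlogon: Userinit=c:\windows\system32\winlogon86.exe
BHO: {021eeca9-c9d8-49af-8be9-3f040f4f9165} - c:\windows\system32\d3dpmesh32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Internet Security 2010] c:\program files\internetsecurity2010\IS2010.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [winupdate86.exe] c:\windows\system32\winupdate86.exe
=============== Created Last 30 ================
2009-12-31 22:01:36 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 19:57:51 0 d-----w- c:\program files\InternetSecurity2010
2009-12-31 19:53:29 22016 ----a-w- c:\windows\system32\winupdate86.exe
2009-12-31 19:53:29 22016 ----a-w- c:\windows\system32\winlogon86.exe
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[umd]Run:\s*\[(.*?)\]\s*(.*)$")
USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
BHO_RE = re.compile(r"^BHO:\s*(?:(.*?):\s*)?\{[0-9a-f-]+\}\s*-\s*(.*)$", re.I)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\d+\s+(\S+)\s+(.*)$")
# First executable-looking token, quoted or not; trailing arguments are dropped.
TARGET_RE = re.compile(r'^"?([^"]*?\.(?:exe|dll|pif|scr|com))', re.I)

Finding = namedtuple("Finding", "severity entry target reason")


def split_sections(text):
    """Map each '=== Name ===' header to the non-blank lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def extract_target(value):
    """Normalise an entry's value to the lower-cased path of what actually runs."""
    m = TARGET_RE.match(value.strip())
    return (m.group(1) if m else value.strip()).lower()


def autostart_entries(hjt_lines):
    """Yield (label, target, bho_is_unnamed) for Run keys, Userinit and BHOs."""
    for line in hjt_lines:
        if m := USERINIT_RE.match(line):
            yield "Winlogon Userinit", extract_target(m.group(1)), False
        elif m := RUN_RE.match(line):
            yield f"Run [{m.group(1)}]", extract_target(m.group(2)), False
        elif m := BHO_RE.match(line):
            name = m.group(1)
            yield f"BHO {name or '(unnamed)'}", extract_target(m.group(2)), name is None


def created_index(created_lines):
    """Split 'Created Last 30' into {path: timestamp} for files and for directories."""
    files, dirs = {}, {}
    for line in created_lines:
        if m := CREATED_RE.match(line):
            when, attrs, path = m.groups()
            (dirs if attrs.startswith("d") else files)[path.lower()] = when
    return files, dirs


def recent_create(target, files, dirs):
    # A target counts as recent if the file, or a directory containing it, was created.
    if target in files:
        return files[target]
    return next((when for d, when in dirs.items() if target.startswith(d + "\\")), None)


def triage(text):
    """Return Findings for the autostart entries worth a helper's attention."""
    sections = split_sections(text)
    files, dirs = created_index(sections.get("Created Last 30", []))
    findings = []
    for label, target, unnamed in autostart_entries(sections.get("Pseudo HJT Report", [])):
        if label == "Winlogon Userinit" and target.rstrip(",") != DEFAULT_USERINIT:
            findings.append(Finding("high", label, target, "Userinit replaced; runs at every logon"))
        if when := recent_create(target, files, dirs):
            findings.append(Finding("medium", label, target, f"target created {when}, inside Created Last 30"))
        if unnamed:
            findings.append(Finding("low", label, target, "BHO has no display name (weak indicator)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.entry}: {f.target} -- {f.reason}")
```

On this excerpt the script ties the Userinit hijack, the winupdate86.exe Run key and the Internet Security 2010 Run key to files created on 31 December, while the Adobe, Java and ctfmon entries produce nothing.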

#7 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 07:15 PM

Sorry me again....got the attach.txt file zipped...how do I send it?

#8 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 07:18 PM

Found it....the Attach.zip file from the DDS scan is attached.....phew...

Thanks

#9 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 31 December 2009 - 07:25 PM

Hello RhonB, and welcome to the Bleeping Computer Malware Removal Forum. My nick is Net_Surfer and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.


I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. In order to be notified via email when your topic has a reply you need to enable topic notifications.

To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.
2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.
3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.
4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

-----------------------------------------------------------

Please be patient and I'd be grateful if you would note the following:

The cleaning process is not instant. DDS, ComboFix, RSIT and hijackthis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

1. Please reply using the Add Reply button in the lower right hand corner of your screen. Do not start a new topic.
2. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
3. All of my posts need to be checked by my coach before they are posted here. Your benefit will be "four eyes and two brains" looking into your problem, but my responses may be somewhat delayed, so please be patient while I attempt to remove your malware.
4. Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

I will propose a fix for your machine but I need to wait for a coach to OK it. In the meantime, please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on, as it might prolong handling your log and make the job for both of us more difficult.

Kind regards
Net_Surfer


#10 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 07:30 PM

Ok Thanks Net Surfer...I will wait for your reply...and believe me...will always be appreciative of any help!!

If you respond after 8:30 PM I might be gone for a bit as I have to drive my teenage daughter to a New Years party...but I will be right back and will respond asap. I am anxious to get this fixed as I was working on a new years project and now thats on hold... :-(

Thanks again.

#11 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 08:52 PM

Hi me again...sorry to be a pain but.....I noticed (thanks to you) on my previous request for help on Dec. 13th that it took 2 weeks to get a reply. It doesn't normally take that long does it?? Please tell me that I will get a response tonight as now I cannot even get any emails, nor can I close this window as I will not be able to get back on.. and as I said, I was working on a special New Years project for my family.

So I guess what I am asking is...how long do you think it will be before you get back to me with a plan?

Sorry if I am being annoying...but I need my PC for work as well....ack!!!

Thanks in advance.

#12 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 31 December 2009 - 09:12 PM

Hi RhonB.

Last time another helper answered your request for help, but somehow you failed to receive an email notification; that is why I posted instructions for you to follow so you can get my emails when I reply back to you.

At least check your topic once a day for replies.

After I propose a fix it usually takes a few hours to 24 hours for a coach to review my fix. But I will be replying back to you if you can wait a few hours.

Regards.
Net_Surfer

#13 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 10:37 PM

Hi....

Yes...but the response was 2 weeks after I posted. :(

I can't even get emails now...so I have to keep watching and can't close this window.
I'm afraid my new years project isn't going to make it, is it?? :(

Waiting anxiously!

Thanks again...

#14 Net_Surfer

  • Banned
  • 2,154 posts
  • Gender:Male

Posted 31 December 2009 - 10:40 PM

I will PM a coach to see if I can get somebody to OK my fix.

Your machine is well infected with a backdoor trojan.

Please wait until I reply back with a post.

#15 RhonB

  • Topic Starter
  • Members
  • 729 posts
  • Gender:Female
  • Location:Ontario, Canada

Posted 31 December 2009 - 11:11 PM

Ok, thanks so much.

Just to keep you updated...the pc froze and I had to restart...so I ran the rkill again to stop the processes.
Good news is...I was able to get back to this page....but can only have one tab opened....and it got my email working again....for how long not sure... :(



