Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Bogus Malware anti virus


  • This topic is locked This topic is locked
19 replies to this topic

#1 banafran

banafran

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 14 January 2010 - 04:11 PM

At start up I get
SECURITY WARNING! Windows security alert. Application cannot be executed. Do you want to activate your antivirus software now?
And/or: SPYWARE ALERT with the same message. OR: INFILTRATION ALERT with the same message.

Here is my DDS.txt and below that the Root Repeal report.


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Administrator at 14:38:14.37 on Thu 01/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.732 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IJOLA5U7\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com
mWindow Title = Microsoft Internet Explorer presented by Comcast
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ModemOnHold] "c:\program files\netwaiting\netWaiting.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Document Manager] "c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe"
mRun: [MP10_EnsureFileVer] "c:\windows\inf\unregmp2.exe" /EnsureFileVersions
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [AVG8_TRAY] "c:\progra~1\avg\avg8\avgtray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\embass~1.lnk - c:\program files\wave systems corp\services manager\secure update\AutoUpdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth
Hosts: 91.212.65.122 browser-security.microsoft.com
Hosts: 91.212.65.122 antiwareprotect.com
Hosts: 91.212.65.122 www.antiwareprotect.com

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-21 108552]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-4-21 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-4-21 1205760]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-21 335240]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-21 27784]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-21 297752]
S2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2002-9-20 53248]
S3 CA_LIC_CLNT;CA License Client;c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [2002-9-20 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\ca\sharedcomponents\ca_lic\lic98rmtd.exe [2002-9-20 77824]

=============== Created Last 30 ================

2010-01-14 16:44:40 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-01-14 16:44:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 16:44:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 16:44:34 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 16:44:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-14 14:48:59 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-01-14 14:05:15 0 d-sh--w- c:\documents and settings\administrator\IETldCache
2010-01-13 11:24:14 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-14 19:16:55 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2010-01-14 19:16:52 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-01-14 01:14:41 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-14 01:14:40 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-23 00:22:58 17668 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-28 14:40:47 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-21 16:45:04 33792 ----a-w- c:\windows\system32\identprv.dll
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00:55 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 14:58:48 263552 ------w- c:\windows\system32\dllcache\http.sys

============= FINISH: 14:38:48.67 ===============


ROOT REPEAL RPT.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/14 15:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6DD3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B30000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xF6489000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

Attached Files



BC AdBot (Login to Remove)

 


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:21 AM

Posted 16 January 2010 - 03:54 PM


Hello banafran smile.gif Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Please perform the following:



Download GMER Rootkit Scanner from here to your desktop.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.



    Click the image to enlarge it


  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Registry
    • Files
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries











Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 banafran

banafran
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 19 January 2010 - 09:54 AM

I am in safe mode because I can't get the GMER Rootkit scanner to run ion windows reg mode. I can't get to the save button because the screen rez. I tried tabbing to get to it (based on the picture) but it goes from Scan button to OK and Cancel.

#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:21 AM

Posted 19 January 2010 - 10:46 AM

Do you have the use of another computer and a pen drive?
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 banafran

banafran
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 19 January 2010 - 10:51 AM

Yes. I installed the GMER Rootkit and can run it, but I can't save the log file. That's the SAVE I can't get to. Trying agian in reg mode. I'll let you know in a minute.

#6 banafran

banafran
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 19 January 2010 - 11:03 AM

OK, I got the GMER rootkit scan to work. Here is the log.



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-19 10:56:38
Windows 5.1.2600 Service Pack 2
Running: lr6z0ifp.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pfloapod.sys


---- System - GMER 1.0.15 ----

SSDT 865C72F0 ZwAllocateVirtualMemory
SSDT 865C7398 ZwCreateKey
SSDT 865C7578 ZwCreateProcess
SSDT 865ACE90 ZwCreateProcessEx
SSDT 865A3650 ZwCreateThread
SSDT 8658B208 ZwDeleteKey
SSDT 865E8138 ZwDeleteValueKey
SSDT 86555B28 ZwQueueApcThread
SSDT 865CD238 ZwReadVirtualMemory
SSDT 865A62C8 ZwRenameKey
SSDT 865741A0 ZwSetContextThread
SSDT 864EF148 ZwSetInformationKey
SSDT 865A30A8 ZwSetInformationProcess
SSDT 865A4218 ZwSetInformationThread
SSDT 865C0488 ZwSetValueKey
SSDT 865A79D0 ZwSuspendProcess
SSDT 8659E238 ZwSuspendThread
SSDT 86586390 ZwTerminateProcess
SSDT 865E11A0 ZwTerminateThread
SSDT 865C7278 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 8640D100
Device \Driver\Tcpip \Device\Ip 8632E4A8
Device \Driver\Tcpip \Device\Ip 8623E100
Device \Driver\Tcpip \Device\Ip 8658CAC0
Device \Driver\Tcpip \Device\Ip 8581E120
Device \Driver\Tcpip \Device\Ip 857640A8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp 8640D100
Device \Driver\Tcpip \Device\Tcp 8632E4A8
Device \Driver\Tcpip \Device\Tcp 8623E100
Device \Driver\Tcpip \Device\Tcp 8658CAC0
Device \Driver\Tcpip \Device\Tcp 8581E120
Device \Driver\Tcpip \Device\Tcp 857640A8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Udp 8640D100
Device \Driver\Tcpip \Device\Udp 8632E4A8
Device \Driver\Tcpip \Device\Udp 8623E100
Device \Driver\Tcpip \Device\Udp 8658CAC0
Device \Driver\Tcpip \Device\Udp 8581E120
Device \Driver\Tcpip \Device\Udp 857640A8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp 8640D100
Device \Driver\Tcpip \Device\RawIp 8632E4A8
Device \Driver\Tcpip \Device\RawIp 8623E100
Device \Driver\Tcpip \Device\RawIp 8658CAC0
Device \Driver\Tcpip \Device\RawIp 8581E120
Device \Driver\Tcpip \Device\RawIp 857640A8

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\IPMULTICAST 8640D100
Device \Driver\Tcpip \Device\IPMULTICAST 8632E4A8
Device \Driver\Tcpip \Device\IPMULTICAST 8623E100
Device \Driver\Tcpip \Device\IPMULTICAST 8658CAC0
Device \Driver\Tcpip \Device\IPMULTICAST 8581E120
Device \Driver\Tcpip \Device\IPMULTICAST 857640A8
Device \FileSystem\Fastfat \Fat A89CCC8A

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#7 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:21 AM

Posted 19 January 2010 - 11:27 AM

I would like for you to try ComboFix next. It is highly important you get the Recovery Console installed before it is run and it really needs to be run in normal mode. If you can't get it on your computer and running correctly we may have to try downloading it from a clean computer onto a pen drive and running it from there.



Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.





If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#8 banafran

banafran
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 19 January 2010 - 12:08 PM

I downloaded to my desktop, but in regular mode I can't do anything. I am trying to be patient but everything is frozen.

#9 banafran

banafran
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 19 January 2010 - 12:32 PM

Running Combo Fix! Be with you shortly with a log!

#10 banafran

banafran
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 19 January 2010 - 12:49 PM

Here is the ComboFix log.

ComboFix 10-01-18.03 - Administrator 01/19/2010 12:34:22.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.521 [GMT -5:00]
Running from: E:\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\Webroot\WEBROO~1\Backup\ntSVc.ocx
c:\program files\Shared
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-19 to 2010-01-19 )))))))))))))))))))))))))))))))
.

2010-01-19 14:17 . 2010-01-19 14:17 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-01-15 20:04 . 2010-01-15 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-15 20:04 . 2010-01-15 20:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-14 16:44 . 2010-01-14 16:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-14 16:44 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 16:44 . 2010-01-14 16:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-14 16:44 . 2010-01-14 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-14 16:44 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 14:48 . 2010-01-14 14:48 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-01-14 14:05 . 2010-01-14 14:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-13 11:24 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 17:39 . 2006-06-21 16:55 16896 ----a-w- c:\windows\system32\Rpcnetp.exe
2010-01-19 17:39 . 2006-06-13 01:38 56680 ----a-w- c:\windows\system32\rpcnet.dll
2010-01-19 17:25 . 2009-04-21 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-14 01:14 . 2008-10-22 02:16 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-01-14 01:14 . 2008-10-22 02:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-12-11 04:40 . 2009-02-08 23:58 -------- d-----r- c:\program files\Skype
2009-11-26 21:27 . 2009-11-26 21:27 -------- d-----w- c:\program files\Common Files\Skype
2009-11-26 21:27 . 2008-10-13 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-23 12:18 . 2009-11-23 12:18 -------- d-----w- c:\program files\Amazon
2009-11-23 00:22 . 2009-11-23 00:22 17668 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-22 18:46 . 2009-09-24 21:58 -------- d-----w- c:\program files\QuickTime
2009-11-21 16:36 . 2004-08-11 22:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-03 00:51 . 2009-11-03 00:51 9728 ----a-w- c:\windows\system32\wceprv.dll
2009-10-29 07:45 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-09 19:06 764296 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-09 764296]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-04-06 17:26 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-03-09 98304]
"MP10_EnsureFileVer"="c:\windows\inf\unregmp2.exe" [2004-08-04 208896]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe [2005-6-16 49152]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-12 24576]
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2005-11-30 192512]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-10-21 66864]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-25 12:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Best Buy Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/21/2009 9:14 AM 29808]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/21/2009 12:36 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/21/2009 12:36 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/21/2009 12:35 PM 297752]
R2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [9/20/2002 11:29 AM 53248]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [4/21/2009 9:14 AM 1205760]
S3 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\lic98rmt.exe [9/20/2002 11:27 AM 77824]
S3 CA_LIC_SRVR;CA License Server;c:\program files\CA\SharedComponents\CA_LIC\lic98rmtd.exe [9/20/2002 11:41 AM 77824]
.
Contents of the 'Scheduled Tasks' folder

2010-01-19 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-09 19:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com
mWindow Title = Microsoft Internet Explorer presented by Comcast
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-19 12:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-570363974-1349591179-3666181209-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,0b,17,63,e0,c7,b8,47,90,59,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e5,0b,17,63,e0,c7,b8,47,90,59,fe,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll

- - - - - - - > 'explorer.exe'(7288)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rpcnet.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v2.0.7\bin\tcsd_win32.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\HidFind.exe
c:\program files\Apoint\Apntex.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-01-19 12:44:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-19 17:44

Pre-Run: 59,164,614,656 bytes free
Post-Run: 59,612,200,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A1D65D3BD55479C8044E6EACA15F1532


#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:21 AM

Posted 19 January 2010 - 01:16 PM

We need to get one of these two AVs off of your computer. Although they may be disabled having two AVs can cause conflicts within your machine and can often lead to lock-up so what we need to do before going any further is to eliminate the possibility of this being part of the problem.

Please go to Add/Remove and take off one of the two listed below:

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#12 banafran

banafran
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 19 January 2010 - 01:19 PM

Do you want me to run another ComboFix scan after that??

#13 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:21 AM

Posted 19 January 2010 - 01:30 PM

No, let's don't do that yet. Just remove one of them and then give me a rundown of any problems which still exist and we'll go from there.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 banafran

banafran
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:03:21 AM

Posted 19 January 2010 - 02:35 PM

Looks like I'm clean! Thanks!

#15 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:04:21 AM

Posted 19 January 2010 - 03:16 PM

That's good news. There's still some things which need taking care of and I would like you to run one more scan before we clean off the tools we used just to make sure nothing is left.



Please uninstall older version of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double clicking on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click onDownload. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.




Pay particular attention to this. I have been reading reports of people being infected through Java so you need to update and remove a lot of those older versions which are still on your machine.

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.






It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:



Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users