
Internet Security 2010 Malware


3 replies to this topic

#1 XXPrimusXX

XXPrimusXX

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:36 PM

Posted 18 January 2010 - 08:57 AM

I had Internet Security 2010 Malware/Scareware pop up, and I immediately found and followed the guide on your site and killed the program, removed all associated files/folders, deleted all registry entries left by the program, ran Malwarebytes, Ad-Aware, Spybot, HijackThis and the few programs specified on the site. I was told to copy and paste this file log for further help:



DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 5:18:13.40 on Mon 01/18/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.232 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
D:\Program Files\AVG\AVG9\avgchsvx.exe
D:\Program Files\AVG\AVG9\avgrsx.exe
D:\Program Files\AVG\AVG9\avgcsrvx.exe
D:\WINDOWS\system32\spoolsv.exe
svchost.exe
D:\Program Files\AVG\AVG9\avgwdsvc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\CyberLink\Shared files\RichVideo.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\AVG\AVG9\avgnsx.exe
D:\Program Files\AVG\AVG9\avgemc.exe
D:\Program Files\AVG\AVG9\avgcsrvx.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\PROGRA~1\AVG\AVG9\avgtray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\Trillian\trillian.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Installs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [MSMSGS] "d:\program files\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [PinnacleDriverCheck] d:\windows\system32\\PSDrvCheck.exe
mRun: [TkBellExe] "d:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nwiz] nwiz.exe /install
mRun: [UpdatePDRShortCut] "d:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "d:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mRun: [Malwarebytes Anti-Malware (reboot)] "d:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG9_TRAY] d:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [smss32.exe] d:\windows\system32\smss32.exe
mRunOnce: [Malwarebytes' Anti-Malware] d:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: d:\docume~1\admini~1\startm~1\programs\startup\adobeg~1.lnk - d:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
LSP: d:\windows\system32\helper32.dll
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ii6kfqdu.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: d:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: d:\documents and settings\administrator\application data\mozilla\firefox\profiles\ii6kfqdu.default\extensions\justintvpublisher@justin.tv\platform\winnt_x86-msvc\plugins\npjustintvpublish.dll
FF - plugin: d:\program files\veetle\player\npvlc.dll
FF - plugin: d:\program files\veetle\plugins\npVeetle.dll
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;d:\windows\system32\drivers\Lbd.sys [2009-10-14 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\drivers\avgldx86.sys [2009-10-13 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;d:\windows\system32\drivers\avgmfx86.sys [2009-10-13 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\drivers\avgtdix.sys [2009-10-13 360584]
R2 avg9emc;AVG Free E-mail Scanner;d:\program files\avg\avg9\avgemc.exe [2009-11-14 906520]
R2 avg9wd;AVG Free WatchDog;d:\program files\avg\avg9\avgwdsvc.exe [2009-11-14 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R3 MBAMSwissArmy;MBAMSwissArmy;d:\windows\system32\drivers\mbamswissarmy.sys [2009-10-14 38224]

=============== Created Last 30 ================


==================== Find3M ====================

2010-01-08 00:07:14 38224 ----a-w- d:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07:04 19160 ----a-w- d:\windows\system32\drivers\mbam.sys
2010-01-06 03:02:38 2256 ----a-w- d:\windows\current_settings.bin
2009-11-15 06:22:53 12464 ----a-w- d:\windows\system32\avgrsstx.dll
2009-10-29 05:38:23 667136 ----a-w- d:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- d:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- d:\windows\system32\httpapi.dll

============= FINISH: 5:19:00.50 ===============



I just want to make sure I kill this sucker before it gets any worse. Any help will be greatly appreciated, thank you in advance.

XXPrimusXX
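A defender-side triage script, added here and not part of the original post or of the DDS tool, that scans "Pseudo HJT Report" lines like the ones in the log above and flags three patterns an analyst would check first: a Run-key entry whose file name mimics a core Windows process with digits appended, any third-party Winsock LSP, and hosts-file entries that send a domain to 127.0.0.1. The process-name list and the flagging rules are assumptions (heuristics for manual review, not verdicts), and the sample lines are a constructed excerpt of the posted log.

```python
import re

# Constructed excerpt of the "Pseudo HJT Report" section of the DDS log above.
SAMPLE_LOG = """\
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG9_TRAY] d:\\progra~1\\avg\\avg9\\avgtray.exe
mRun: [QuickTime Task] "d:\\program files\\quicktime\\qttask.exe" -atboottime
mRun: [smss32.exe] d:\\windows\\system32\\smss32.exe
LSP: d:\\windows\\system32\\helper32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Stems of core Windows processes (assumed list). A Run-key entry whose file
# name is one of these with digits appended (smss32.exe beside the real
# smss.exe) is a common masquerading pattern and is flagged for review.
CORE_STEMS = {"smss", "csrss", "winlogon", "lsass", "svchost", "explorer"}

RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[[^\]]*\] (.+)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")


def image_name(command):
    """Return the lower-cased file name of the executable in a Run-key command."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:command.index('"', 1)]  # quoted path, may contain spaces
    else:
        path = command.split()[0]  # unquoted: first token is the path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Scan DDS report lines and return (rule, line) pairs worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            stem = re.sub(r"\.exe$", "", image_name(m.group(1)))
            base = stem.rstrip("0123456789")
            if base in CORE_STEMS and base != stem:
                findings.append(("autorun mimics core process name", line))
        elif line.startswith("LSP: "):
            # A Winsock LSP sits in the path of every socket; verify the DLL's origin.
            findings.append(("third-party Winsock LSP", line))
        else:
            m = HOSTS_RE.match(line)
            if m and m.group(1) in ("127.0.0.1", "0.0.0.0"):
                findings.append(("hosts entry blackholes a domain", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```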


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:36 PM

Posted 24 January 2010 - 11:31 AM

Hello XXPrimusXX,



Sorry about the delay. If you still need help, please let me know and I'll be glad to help.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 XXPrimusXX

XXPrimusXX
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:36 PM

Posted 26 January 2010 - 02:26 AM

Well, the only problem I'm running into now is that whenever I visit certain pages, my browser is automatically redirected to some BS advertisements.

It seems to happen at random other times, but is always related to the stuff I'm browsing. So my guess is that there is a nice little program in my PC that is tracking all the pages I'm visiting.

Any suggestions?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:10:36 PM

Posted 26 January 2010 - 01:53 PM

Hi there,

Is it just when you use Firefox? Or does it affect IE as well? I see you have MBAM... does it come out clean when you run a scan? Let me know so I know which way to start.

tea
