
Adult Friend Finder popup/ Fake AV popups


This topic is locked
13 replies to this topic

#1 kmadams23 (Members, 7 posts)

Posted 27 January 2010 - 06:00 PM

Hey guys,

So, I got infected today. First it was some .dll and a trojan (captcha.dll and fios32.dll and the koobface trojan). After using nod32 and Windows Malware Remover programs I was able to remove those issues.

But after fixing that, I now have a new problem (which was not happening while I was fixing the other issues) - I get IE windows which pop up (I don't even use IE) randomly. Sometimes these are adult friend finder ads. Other times it will be some sort of fake "your computer is infected, please download this for free scans" blah blah. There are 2 or 3 different types of these. Sometimes it tries to take me to extrasecurityrisk.com, sometimes it says it's for a program called Personal Security, and I believe there is one other.

Rootrepeal log is not done because I am on a 64-bit system, but here are the other logs.


DDS (Ver_09-12-01.01) - NTFSX64
Run by User at 17:51:52.20 on Wed 01/27/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4091.2819 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\XSrvSetup.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\NCSoft\Launcher\NCLauncher.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\pp14.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Users\User\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~2\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~2\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~2\yahoo!\companion\installs\cpn\yt.dll
uRun: [PlayNC Launcher]
uRun: [NCsoft Launcher] c:\program files (x86)\ncsoft\launcher\NCLauncher.exe /Minimized
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [EA Core] "c:\program files (x86)\electronic arts\eadm\Core.exe" -silent
uRun: [Steam] "c:\program files (x86)\steam\Steam.exe" -silent
uRun: [Messenger (Yahoo!)] "c:\progra~2\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Aim] "c:\program files (x86)\aim\aim.exe" /d locale=en-US
mRun: [NUSB3MON] "c:\program files (x86)\nec electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld16.exe
mRun: [pp] c:\windows\pp14.exe
mRun: [Captcha7] rundll "c:\program files (x86)\captcha.dll",captcha
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s
mRun-x64: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
Hosts: 85.13.206.114 uuu20091124.info
Hosts: 85.13.206.114 u07012010u.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\h4797sdb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\drivers\mv91cons.sys [2009-10-9 22568]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\x86\ekrn.exe [2009-11-16 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-12-18 123200]
R2 JMB36X;JMB36X;c:\windows\syswow64\XSrvSetup.exe [2009-12-29 65536]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-12-29 27136]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-10-26 75264]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-10-26 176640]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-12-29 239616]
S2 fioo32;fioo32;c:\windows\system32\SvchOst.eXE -k fioo32 [2009-7-13 27136]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe [2010-1-5 25832]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2009-12-29 50688]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\drivers\RtVlan60.sys [2009-12-29 24064]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2009-12-29 50688]

=============== Created Last 30 ================

2010-01-27 21:06:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-01-27 20:01:04 39936 ----a-w- c:\windows\rdr_1264622462.exe
2010-01-27 17:06:15 0 d-----w- c:\program files\ESET
2010-01-27 16:48:00 31744 ---h--w- c:\windows\pp14.exe
2010-01-27 16:48:00 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-01-27 16:47:58 74114 ----a-w- c:\windows\rdr_1264610873.exe
2010-01-27 16:47:52 2 ----a-w- c:\windows\010112010146114101.xxe
2010-01-27 16:47:51 2 ----a-w- c:\windows\0101120101465348.xxe
2010-01-27 16:47:49 2 ----a-w- c:\windows\01011201014650115.xxe
2010-01-27 16:46:23 2 ----a-w- c:\windows\010112010146101105.rx
2010-01-27 16:46:11 36352 ----a-w- c:\windows\ld16.exe
2010-01-26 23:01:40 0 d-----w- c:\programdata\AIM
2010-01-26 23:01:39 0 d-----w- c:\program files (x86)\common files\Software Update Utility
2010-01-26 23:01:39 0 d-----w- c:\program files (x86)\AIM
2010-01-26 23:01:38 0 d-----w- c:\program files (x86)\common files\AOL
2010-01-26 23:01:22 348 ---ha-w- C:\IPH.PH
2010-01-20 22:41:31 0 d-----w- c:\programdata\Yahoo! Companion
2010-01-20 22:41:23 0 d-----w- c:\programdata\Yahoo!
2010-01-20 22:39:32 0 d-----w- c:\program files (x86)\Yahoo!
2010-01-19 17:25:28 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-19 17:25:28 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2010-01-19 17:25:28 107368 ----a-w- c:\windows\syswow64\GEARAspi.dll
2010-01-19 17:25:03 0 d-----w- c:\programdata\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}
2010-01-19 17:25:03 0 d-----w- c:\program files\iTunes
2010-01-19 17:25:03 0 d-----w- c:\program files\iPod
2010-01-19 17:25:03 0 d-----w- c:\program files (x86)\iTunes
2010-01-19 17:22:35 0 d-----w- c:\program files\Bonjour
2010-01-19 17:22:35 0 d-----w- c:\program files (x86)\Bonjour
2010-01-19 17:22:21 0 d-----w- c:\programdata\Apple Computer
2010-01-19 17:22:01 0 d-----w- c:\program files\common files\Apple
2010-01-19 17:21:47 0 d-----w- c:\programdata\Apple
2010-01-13 14:14:41 148480 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 14:14:41 108544 ----a-w- c:\windows\syswow64\t2embed.dll
2010-01-13 14:14:41 100864 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 14:14:40 70656 ----a-w- c:\windows\syswow64\fontsub.dll
2010-01-12 22:10:50 0 d-----w- c:\program files\Microsoft Office
2010-01-12 22:10:06 0 d-----w- c:\programdata\Microsoft Help
2010-01-05 17:27:03 0 d-----w- c:\programdata\BioWare
2010-01-05 17:19:57 0 d-----w- c:\windows\1C4551A64743409391E41477CD655043.TMP
2010-01-05 17:19:51 0 d-----w- c:\programdata\Media Center Programs
2010-01-05 17:10:31 0 d-----w- c:\program files (x86)\Dragon Age
2010-01-05 17:10:31 0 d-----w- c:\program files (x86)\common files\BioWare
2010-01-05 15:09:45 0 d-----w- c:\program files (x86)\common files\Steam
2010-01-05 15:09:44 0 d-----w- c:\program files (x86)\Steam
2010-01-05 15:07:37 0 d-----w- c:\programdata\Electronic Arts
2010-01-05 14:41:56 0 d--h--w- c:\programdata\CanonBJ
2010-01-05 05:06:55 0 d-----w- c:\windows\solcache
2010-01-05 05:06:43 0 d-----w- C:\SIERRA
2010-01-05 05:06:43 0 d-----w- c:\program files (x86)\Sierra On-Line
2010-01-05 05:06:33 414 ----a-w- c:\windows\SIERRA.INI
2010-01-05 04:46:22 304128 ----a-w- c:\windows\IsUninst.exe
2009-12-31 03:16:20 0 d-----w- c:\program files (x86)\NeoCore Games
2009-12-31 00:12:07 0 d-----w- c:\windows\syswow64\AGEIA
2009-12-31 00:11:31 0 d-----w- c:\programdata\Divinity 2
2009-12-31 00:07:40 0 d-----w- c:\program files (x86)\Divinity II - Ego Draconis - Demo
2009-12-30 19:17:28 0 d-----w- c:\programdata\Adobe
2009-12-30 18:46:27 0 d-----w- c:\users\user\Tracing
2009-12-30 18:40:16 0 d-----w- c:\program files (x86)\Microsoft
2009-12-30 18:40:00 0 d-----w- c:\program files (x86)\Windows Live SkyDrive
2009-12-30 18:39:22 0 d-----w- c:\windows\PCHEALTH
2009-12-30 18:37:07 0 d-----w- c:\program files (x86)\common files\Windows Live
2009-12-30 14:47:27 45 ----a-w- c:\windows\syswow64\initdebug.nfo
2009-12-30 14:47:27 0 d-----w- c:\program files (x86)\SpeedFan
2009-12-30 14:37:53 0 d-----w- c:\programdata\WinZip
2009-12-30 09:10:51 0 d-----w- c:\windows\Panther
2009-12-30 01:37:04 0 d-----w- c:\programdata\Sony Online Entertainment
2009-12-30 01:07:00 0 d-----w- c:\program files\Ventrilo
2009-12-30 01:06:58 262 ----a-w- c:\windows\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
2009-12-30 01:06:42 0 d-----w- c:\program files (x86)\common files\Wise Installation Wizard
2009-12-29 23:50:50 96 ----a-w- c:\windows\za_mv_seqnum.ev
2009-12-29 23:50:50 704 ----a-w- c:\windows\za_mv_raid.ev
2009-12-29 23:47:34 97792 ----a-w- c:\windows\system32\RTNUninst64.dll
2009-12-29 23:47:34 67584 ----a-w- c:\windows\system32\RtNicProp64.dll
2009-12-29 23:47:34 239616 ----a-w- c:\windows\system32\drivers\Rt64win7.sys
2009-12-29 23:46:40 50688 ----a-w- c:\windows\system32\drivers\RtTeam60.sys
2009-12-29 23:46:40 27136 ----a-w- c:\windows\system32\drivers\RtNdPt60.sys
2009-12-29 23:46:40 24064 ----a-w- c:\windows\system32\drivers\RtVlan60.sys
2009-12-29 23:42:05 0 d-----w- c:\program files (x86)\Marvell
2009-12-29 23:40:30 65536 ----a-w- c:\windows\syswow64\XSrvSetup.exe
2009-12-29 23:40:30 1970176 ----a-w- c:\windows\syswow64\xRaidSetup.exe
2009-12-29 23:40:30 151552 ----a-w- c:\windows\syswow64\xRaidAPI.dll
2009-12-29 23:40:30 0 d-----w- C:\RaidTool
2009-12-29 23:40:23 0 d-----w- c:\windows\RaidTool
2009-12-29 23:39:29 0 d-----w- c:\program files\Realtek
2009-12-29 23:39:06 0 d-----w- c:\program files (x86)\Realtek
2009-12-29 23:39:04 0 d--h--w- c:\program files (x86)\Temp
2009-12-29 23:37:57 53248 ----a-w- c:\windows\syswow64\CSVer.dll
2009-12-29 23:37:49 0 d-----w- C:\Intel
2009-12-29 23:37:06 0 d-----w- c:\program files (x86)\NEC Electronics
2009-12-29 23:11:47 0 d-----w- c:\program files (x86)\NCSoft
2009-12-29 23:06:16 0 d-----w- c:\programdata\ESET
2009-12-29 23:02:15 0 d-----w- c:\users\user\appdata\roaming\Tropico 3
2009-12-29 23:00:59 0 d-----w- c:\windows\syswow64\Macromed
2009-12-29 22:04:49 0 d-----w- c:\program files (x86)\Kalypso
2009-12-29 21:59:57 52864 ----a-r- c:\windows\syswow64\SetupWizard.exe
2009-12-29 18:05:37 0 d-----w- c:\programdata\NVIDIA
2009-12-29 18:05:18 0 d-sh--w- c:\windows\Installer
2009-12-29 18:05:13 541800 ----a-w- c:\windows\system32\nvuninst.exe
2009-12-29 17:57:29 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-12-29 17:57:29 2048 ----a-w- c:\windows\system32\tzres.dll
2009-12-29 17:57:21 311808 ----a-w- c:\windows\system32\msv1_0.dll
2009-12-29 17:57:21 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2009-12-29 17:56:07 1975296 ----a-w- c:\windows\system32\CertEnroll.dll
2009-12-29 17:56:07 11406336 ----a-w- c:\windows\syswow64\wmp.dll
2009-12-29 17:56:06 982600 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-12-29 17:56:06 366080 ----a-w- c:\windows\system32\atmfd.dll
2009-12-29 17:56:06 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2009-12-29 17:56:06 1320960 ----a-w- c:\windows\syswow64\CertEnroll.dll
2009-12-29 17:56:06 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2009-12-29 17:56:06 12625408 ----a-w- c:\windows\syswow64\wmploc.DLL
2009-12-29 17:56:05 46592 ----a-w- c:\windows\system32\msasn1.dll
2009-12-29 17:56:05 34816 ----a-w- c:\windows\syswow64\msasn1.dll
2009-12-29 17:39:57 212352 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-01-11 07:12:38 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-12-19 09:51:24 1192960 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 09:02:55 977920 ----a-w- c:\windows\syswow64\wininet.dll
2009-12-19 09:02:53 1224704 ----a-w- c:\windows\syswow64\urlmon.dll
2009-12-19 09:02:42 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2009-12-19 09:02:42 5961728 ----a-w- c:\windows\syswow64\mshtml.dll
2009-12-19 09:02:38 10976768 ----a-w- c:\windows\syswow64\ieframe.dll
2009-12-18 20:02:26 123200 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-12-08 10:34:42 332320 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2009-12-08 10:34:42 1692192 ----a-w- c:\windows\system32\RtPgEx64.dll
2009-12-08 10:34:36 149536 ----a-w- c:\windows\system32\RtkCfg64.dll
2009-12-08 10:34:30 475680 ----a-w- c:\windows\system32\RtkApi64.dll
2009-12-08 10:34:30 1639456 ----a-w- c:\windows\system32\RtkAPO64.dll
2009-12-08 10:34:30 1201184 ----a-w- c:\windows\system32\RTCOM64.dll
2009-12-08 10:34:24 66592 ----a-w- c:\windows\system32\RCoInst64.dll
2009-12-08 10:20:14 2223392 ----a-w- c:\windows\system32\drivers\RTKVHD64.sys
2009-12-04 10:26:12 328096 ----a-w- c:\windows\system32\FMAPO64.dll
2009-11-24 09:40:20 838176 ----a-w- c:\windows\RtlExUpd.dll
2009-11-24 01:55:08 518896 ----a-w- c:\windows\system32\SRSTSX64.dll
2009-11-24 01:55:08 211184 ----a-w- c:\windows\system32\SRSTSH64.dll
2009-11-24 01:55:08 198896 ----a-w- c:\windows\system32\SRSHP64.dll
2009-11-24 01:55:08 155888 ----a-w- c:\windows\system32\SRSWOW64.dll
2009-11-18 10:42:48 325904 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2009-11-18 10:42:48 2719504 ----a-w- c:\windows\system32\WavesGUILib.dll
2009-11-18 10:42:48 2197264 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2009-11-17 10:12:40 108960 ----a-w- c:\windows\system32\AERTAR64.dll
2009-11-17 10:09:04 168864 ----a-w- c:\windows\system32\AERTAC64.dll
2009-11-13 07:16:02 95744 ----a-w- c:\windows\system32\RTEEL64A.dll
2009-11-13 07:16:02 73216 ----a-w- c:\windows\system32\RTEEG64A.dll
2009-11-13 07:16:02 363008 ----a-w- c:\windows\system32\RTEEP64A.dll
2009-11-13 07:16:02 198656 ----a-w- c:\windows\system32\RTEED64A.dll
2009-10-31 06:34:59 2870272 ----a-w- c:\windows\explorer.exe
2009-10-31 05:45:39 2614272 ----a-w- c:\windows\syswow64\explorer.exe
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 05:12:52 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 17:52:02.29 ===============
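The log above is the kind of output a forum helper reads line by line. As an added example (not code from this thread or from the DDS tool), the Python script below applies a few triage heuristics to a constructed excerpt modelled on that log: autoruns launched from the Windows folder root, a DLL loaded through rundll at startup, hosts-file overrides, UAC policy values that disable prompting, and a service hosted in a non-standard svchost group. The svchost group allowlist is an assumption built from the groups visible in the Running Processes list.

```python
"""Triage heuristics for the 'Pseudo HJT Report' and 'SERVICES / DRIVERS'
sections of a DDS log. Added example; not part of the thread or of DDS."""
import re
from typing import List, Optional, Tuple

# Assumed allowlist: the svchost.exe -k groups seen in the Running Processes
# list of the posted log. Extend it for other Windows builds.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localservicenetworkrestricted", "localsystemnetworkrestricted",
    "localservicenonetwork", "localserviceandnoimpersonation", "imgsvc",
    "secsvcs", "localservicepeernet", "wersvcgroup",
}

# Policy values that weaken UAC; DDS prints them as 'Name = N (0xN)'.
WEAK_POLICIES = {
    "enablelua": "0",                   # UAC switched off entirely
    "consentpromptbehavioradmin": "0",  # administrators elevate silently
}

RUN_ENTRY = re.compile(r'^([um]Run(?:-x64)?):\s*\[([^\]]*)\]\s*(.*)$')
WINDIR_ROOT_EXE = re.compile(r'^"?c:\\windows\\[^\\"]+\.exe"?', re.I)
RUNDLL = re.compile(r'^rundll(?:32)?(?:\.exe)?\s', re.I)
POLICY = re.compile(r'^mPolicies-system:\s*(\w+)\s*=\s*(\d+)', re.I)
SERVICE = re.compile(r'^[RS]\d\s+([^;]+);([^;]*);(.*?)\s*\[')
SVCHOST_GROUP = re.compile(r'(svchost\.exe)\s+-k\s+(\S+)', re.I)


def check_line(line: str) -> Optional[str]:
    """Return a review reason for one DDS line, or None if nothing stands out."""
    line = line.strip()
    m = RUN_ENTRY.match(line)
    if m:
        key, name, command = m.groups()
        if WINDIR_ROOT_EXE.match(command):
            return f"{key} [{name}]: executable launched from the Windows folder root"
        if RUNDLL.match(command):
            return f"{key} [{name}]: autorun loads a DLL through rundll; verify the DLL"
        return None
    if line.startswith("Hosts:"):
        # DDS only prints Hosts lines when the hosts file is non-default.
        return "hosts file override redirects a domain"
    m = POLICY.match(line)
    if m:
        if WEAK_POLICIES.get(m.group(1).lower()) == m.group(2):
            return f"UAC weakened: {m.group(1)} = {m.group(2)}"
        return None
    m = SERVICE.match(line)
    if m:
        svc_name, _display, image = m.groups()
        g = SVCHOST_GROUP.search(image)
        if g and g.group(2).lower() not in KNOWN_SVCHOST_GROUPS:
            reason = f"service {svc_name}: svchost group '{g.group(2)}' is not standard"
            if g.group(1) != "svchost.exe":
                reason += f" (unusual casing '{g.group(1)}')"
            return reason
    return None


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run check_line over a whole log and return (line, reason) pairs."""
    findings = []
    for raw in log_text.splitlines():
        reason = check_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


# Constructed excerpt modelled on the log posted above.
SAMPLE_LOG = r"""
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld16.exe
mRun: [pp] c:\windows\pp14.exe
mRun: [Captcha7] rundll "c:\program files (x86)\captcha.dll",captcha
uRun: [PlayNC Launcher]
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 85.13.206.114 uuu20091124.info
Hosts: 85.13.206.114 u07012010u.com
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\x86\ekrn.exe [2009-11-16 735960]
S2 fioo32;fioo32;c:\windows\system32\SvchOst.eXE -k fioo32 [2009-7-13 27136]
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

The heuristics are deliberately loose (legitimate rundll32 autoruns exist), so each hit is a prompt for a helper to verify, not a verdict.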



#2 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,316 posts, Romania)

Posted 04 February 2010 - 09:14 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results. Post both logs (no need to zip attach.txt).
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)
  • GMER log

Please do NOT post logs as attachments, unless you are unable to copy/paste a log directly in the reply box.


Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 kmadams23 (Topic Starter)

Posted 04 February 2010 - 12:21 PM

I am out of town until Sunday. I will post my response with the required logs Monday. Just a notice so you don't close the thread.

Thanks

#4 Elise

Posted 04 February 2010 - 12:23 PM

Thanks for letting me know.

I will keep this open until Monday and then bump the topic in case you haven't replied yet.

regards, Elise




#5 Elise

Posted 07 February 2010 - 06:12 AM

Bump in order to reset timestamp.

regards, Elise




#6 kmadams23 (Topic Starter)

Posted 08 February 2010 - 10:38 AM

GMER.log is empty... I got a popup warning saying it could not access some /system file because it was in use. I did disable my AV and all that, so I'm not sure why this is. After it scanned everything it could access I was told it found no activity.

DDS (Ver_09-12-01.01) - NTFSX64
Run by User at 10:28:23.11 on Mon 02/08/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4091.2778 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\XSrvSetup.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\program files (x86)\ncsoft\launcher\NCLauncher.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\Users\User\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~2\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~2\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~2\yahoo!\companion\installs\cpn\yt.dll
uRun: [PlayNC Launcher]
uRun: [NCsoft Launcher] c:\program files (x86)\ncsoft\launcher\NCLauncher.exe /Minimized
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
uRun: [EA Core] "c:\program files (x86)\electronic arts\eadm\Core.exe" -silent
uRun: [Steam] "c:\program files (x86)\steam\Steam.exe" -silent
uRun: [Messenger (Yahoo!)] "c:\progra~2\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Aim] "c:\program files (x86)\aim\aim.exe" /d locale=en-US
mRun: [NUSB3MON] "c:\program files (x86)\nec electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [Captcha7] rundll "c:\program files (x86)\captcha.dll",captcha
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s
mRun-x64: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
Hosts: 85.13.206.114 uuu20091124.info
Hosts: 85.13.206.114 u07012010u.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\h4797sdb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npdnupdater2.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 mv91cons;Marvell 91xx Config Device Driver;c:\windows\system32\drivers\mv91cons.sys [2009-10-9 22568]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\x86\ekrn.exe [2009-11-16 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-12-18 123200]
R2 JMB36X;JMB36X;c:\windows\syswow64\XSrvSetup.exe [2009-12-29 65536]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-12-29 27136]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2009-10-26 75264]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2009-10-26 176640]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-12-29 239616]
S2 fioo32;fioo32;c:\windows\system32\SvchOst.eXE -k fioo32 [2009-7-13 27136]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\dragon age\bin_ship\daupdatersvc.service.exe [2010-1-5 25832]
S3 RTTEAMPT;Realtek Teaming Protocol Driver (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2009-12-29 50688]
S3 RTVLANPT;Realtek Vlan Protocol Driver (NDIS 6.2);c:\windows\system32\drivers\RtVlan60.sys [2009-12-29 24064]
S3 TEAM;Realtek Virtual Miniport Driver for Teaming (NDIS 6.0);c:\windows\system32\drivers\RtTeam60.sys [2009-12-29 50688]

=============== Created Last 30 ================

2010-01-28 14:19:05 39936 ----a-w- c:\windows\rdr_1264688343.exe
2010-01-28 14:19:03 74036 ----a-w- c:\windows\rdr_1264688341.exe
2010-01-27 21:06:54 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-01-27 20:01:04 39936 ----a-w- c:\windows\rdr_1264622462.exe
2010-01-27 17:06:15 0 d-----w- c:\program files\ESET
2010-01-27 16:48:00 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-01-27 16:47:58 74114 ----a-w- c:\windows\rdr_1264610873.exe
2010-01-27 16:47:52 2 ----a-w- c:\windows\010112010146114101.xxe
2010-01-27 16:47:51 2 ----a-w- c:\windows\0101120101465348.xxe
2010-01-27 16:47:49 2 ----a-w- c:\windows\01011201014650115.xxe
2010-01-27 16:46:23 2 ----a-w- c:\windows\010112010146101105.rx
2010-01-26 23:01:40 0 d-----w- c:\programdata\AIM
2010-01-26 23:01:39 0 d-----w- c:\program files (x86)\common files\Software Update Utility
2010-01-26 23:01:39 0 d-----w- c:\program files (x86)\AIM
2010-01-26 23:01:38 0 d-----w- c:\program files (x86)\common files\AOL
2010-01-26 23:01:22 348 ---ha-w- C:\IPH.PH
2010-01-20 22:41:31 0 d-----w- c:\programdata\Yahoo! Companion
2010-01-20 22:41:23 0 d-----w- c:\programdata\Yahoo!
2010-01-20 22:39:32 0 d-----w- c:\program files (x86)\Yahoo!
2010-01-19 17:25:28 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-19 17:25:28 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2010-01-19 17:25:28 107368 ----a-w- c:\windows\syswow64\GEARAspi.dll
2010-01-19 17:25:03 0 d-----w- c:\programdata\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}
2010-01-19 17:25:03 0 d-----w- c:\program files\iTunes
2010-01-19 17:25:03 0 d-----w- c:\program files\iPod
2010-01-19 17:25:03 0 d-----w- c:\program files (x86)\iTunes
2010-01-19 17:22:35 0 d-----w- c:\program files\Bonjour
2010-01-19 17:22:35 0 d-----w- c:\program files (x86)\Bonjour
2010-01-19 17:22:21 0 d-----w- c:\programdata\Apple Computer
2010-01-19 17:22:01 0 d-----w- c:\program files\common files\Apple
2010-01-19 17:21:47 0 d-----w- c:\programdata\Apple
2010-01-13 14:14:41 148480 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 14:14:41 108544 ----a-w- c:\windows\syswow64\t2embed.dll
2010-01-13 14:14:41 100864 ----a-w- c:\windows\system32\fontsub.dll
2010-01-13 14:14:40 70656 ----a-w- c:\windows\syswow64\fontsub.dll
2010-01-12 22:10:50 0 d-----w- c:\program files\Microsoft Office
2010-01-12 22:10:06 0 d-----w- c:\programdata\Microsoft Help

==================== Find3M ====================

2010-01-14 16:12:06 212352 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 07:12:38 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2009-12-19 09:51:24 1192960 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 09:02:55 977920 ----a-w- c:\windows\syswow64\wininet.dll
2009-12-19 09:02:53 1224704 ----a-w- c:\windows\syswow64\urlmon.dll
2009-12-19 09:02:42 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2009-12-19 09:02:42 5961728 ----a-w- c:\windows\syswow64\mshtml.dll
2009-12-19 09:02:38 10976768 ----a-w- c:\windows\syswow64\ieframe.dll
2009-12-18 20:02:26 123200 ----a-w- c:\windows\system32\drivers\epfwwfpr.sys
2009-12-08 10:34:42 332320 ----a-w- c:\windows\system32\RtlCPAPI64.dll
2009-12-08 10:34:42 1692192 ----a-w- c:\windows\system32\RtPgEx64.dll
2009-12-08 10:34:36 149536 ----a-w- c:\windows\system32\RtkCfg64.dll
2009-12-08 10:34:30 475680 ----a-w- c:\windows\system32\RtkApi64.dll
2009-12-08 10:34:30 1639456 ----a-w- c:\windows\system32\RtkAPO64.dll
2009-12-08 10:34:30 1201184 ----a-w- c:\windows\system32\RTCOM64.dll
2009-12-08 10:34:24 66592 ----a-w- c:\windows\system32\RCoInst64.dll
2009-12-04 10:26:12 328096 ----a-w- c:\windows\system32\FMAPO64.dll
2009-11-24 09:40:20 838176 ----a-w- c:\windows\RtlExUpd.dll
2009-11-24 01:55:08 518896 ----a-w- c:\windows\system32\SRSTSX64.dll
2009-11-24 01:55:08 211184 ----a-w- c:\windows\system32\SRSTSH64.dll
2009-11-24 01:55:08 198896 ----a-w- c:\windows\system32\SRSHP64.dll
2009-11-24 01:55:08 155888 ----a-w- c:\windows\system32\SRSWOW64.dll
2009-11-18 10:42:48 325904 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2009-11-18 10:42:48 2719504 ----a-w- c:\windows\system32\WavesGUILib.dll
2009-11-18 10:42:48 2197264 ----a-w- c:\windows\system32\MaxxAudioEQ.dll
2009-11-17 10:12:40 108960 ----a-w- c:\windows\system32\AERTAR64.dll
2009-11-17 10:09:04 168864 ----a-w- c:\windows\system32\AERTAC64.dll
2009-11-13 07:16:02 95744 ----a-w- c:\windows\system32\RTEEL64A.dll
2009-11-13 07:16:02 73216 ----a-w- c:\windows\system32\RTEEG64A.dll
2009-11-13 07:16:02 363008 ----a-w- c:\windows\system32\RTEEP64A.dll
2009-11-13 07:16:02 198656 ----a-w- c:\windows\system32\RTEED64A.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 10:28:44.54 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/29/2009 12:24:13 PM
System Uptime: 2/8/2010 10:21:26 AM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P55A-UD4P
Processor: Intel® Core™ i7 CPU 860 @ 2.80GHz | Socket 1156 | 2794/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 931 GiB total, 820.493 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP20: 1/12/2010 5:09:16 PM - Installed Microsoft Office Home and Student 2007
RP21: 1/13/2010 9:17:12 AM - Windows Update
RP22: 1/19/2010 12:22:41 PM - Installed iTunes
RP23: 1/27/2010 11:49:54 AM - Windows Update
RP24: 1/27/2010 12:06:04 PM - Installed ESET NOD32 Antivirus
RP25: 1/27/2010 12:09:51 PM - Installed ESET NOD32 Antivirus
RP26: 1/27/2010 3:13:57 PM - Windows Update

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.2
AIM 7
Aion
Apple Application Support
Apple Software Update
Diagnostic Utility
Divinity II - Ego Draconis - Demo
Download Updater (AOL LLC)
Dragon Age: Origins
EA Download Manager
EA Download Manager UI
EA Installer
EA Shared Game Component: Activation
EverQuest II
Gigabyte Raid Cinfigurer
King Arthur DEMO v1.0
Linksys Wireless-N PCI Adapter WMP300N Driver - WMP300Nv1.1
Lords of Magic Demo
Microsoft Choice Guard
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.7)
MSVCRT
NCsoft Launcher
NEC Electronics USB 3.0 Host Controller Driver
NVIDIA PhysX
QuickTime
Realtek Ethernet Controller Driver For Windows Vista and Later
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Sierra Utilities
SpeedFan (remove only)
Steam
Tropico 3 1.02
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 (KB974561)
Update for Microsoft Office Word 2007 Help (KB963665)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinZip 14.0
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

2/8/2010 10:21:56 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: fio32
2/8/2010 10:21:55 AM, Error: Service Control Manager [7023] - The fioo32 service terminated with the following error: The specified module could not be found.

==== End Of File ===========================
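The DDS log above is what the helper reads by eye. As an added example that is not part of the thread, DDS, or any tool named here, the Python below applies a few of those checks mechanically to lines copied from that log: the fioo32 service hosted by svchost.exe in a non-standard service group, the Captcha7 autorun that loads captcha.dll through rundll, the Hosts lines that resolve names to 85.13.206.114, and the UAC policies switched off. The svchost group allow-list is an assumption for illustration, not an exhaustive list.

```python
"""Triage of DDS log lines (added example; not DDS, Malwarebytes or
BleepingComputer code). It mechanises four checks a malware-removal helper
makes by eye: svchost-hosted services in a non-standard service group,
autoruns that load a DLL through rundll/rundll32, Hosts-file entries that
point away from loopback, and UAC policies switched off."""
import re
from typing import Dict, List

# Assumption for this example: a subset of the stock Windows 7 svchost
# groups, not an exhaustive allow-list; tune it for the build being triaged.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "localsystemnetworkrestricted", "localservicenetworkrestricted",
    "localservicenonetwork", "localserviceandnoimpersonation",
    "networkservicenetworkrestricted", "secsvcs", "wersvcgroup",
    "bthsvcs", "wcssvc", "peerdist", "imgsvc", "termsvcs",
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
RISKY_POLICIES = {
    ("EnableLUA", "0"): "UAC is disabled",
    ("ConsentPromptBehaviorAdmin", "0"): "administrators elevate without a prompt",
}

# DDS line shapes: "R2 name;display;path [date size]", "mRun: [name] cmd",
# "Hosts: ip name" and "mPolicies-system: key = value (0xN)".
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*?)\s+\[[^\]]*\]\s*$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)
RUN_RE = re.compile(r"^[mu]Run(?:-x64)?:\s+\[([^\]]+)\]\s*(.*)$")
RUNDLL_RE = re.compile(r'^rundll(?:32)?(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)',
                       re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")


def triage_dds_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Return one {'kind', 'detail', 'line'} finding per suspicious line."""
    findings: List[Dict[str, str]] = []

    def flag(kind: str, detail: str, line: str) -> None:
        findings.append({"kind": kind, "detail": detail, "line": line})

    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            name, _display, path = m.groups()
            host = SVCHOST_RE.search(path)
            if host and host.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                flag("svchost-group",
                     f"service {name} runs in non-standard svchost group {host.group(1)}",
                     line)
            continue
        m = RUN_RE.match(line)
        if m:
            entry, command = m.groups()
            dll = RUNDLL_RE.match(command)
            if dll:
                flag("rundll-autorun",
                     f"autorun {entry} loads {dll.group(1)} via export {dll.group(2)}",
                     line)
            continue
        m = HOSTS_RE.match(line)
        if m:
            if m.group(1) not in LOOPBACK:
                flag("hosts-override",
                     f"{m.group(2)} resolves to {m.group(1)} via the Hosts file", line)
            continue
        m = POLICY_RE.match(line)
        if m and (m.group(1), m.group(2)) in RISKY_POLICIES:
            flag("uac-policy", RISKY_POLICIES[(m.group(1), m.group(2))], line)
    return findings


# Sample input: lines copied from the DDS log posted above (Steam, the
# ConsentPromptBehaviorUser policy and ekrn are benign controls).
SAMPLE_DDS_LINES = [
    'uRun: [Steam] "c:\\program files (x86)\\steam\\Steam.exe" -silent',
    'mRun: [Captcha7] rundll "c:\\program files (x86)\\captcha.dll",captcha',
    "mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)",
    "mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)",
    "mPolicies-system: EnableLUA = 0 (0x0)",
    "Hosts: 85.13.206.114 uuu20091124.info",
    "R2 ekrn;ESET Service;c:\\program files\\eset\\eset nod32 antivirus\\x86\\ekrn.exe [2009-11-16 735960]",
    "S2 fioo32;fioo32;c:\\windows\\system32\\SvchOst.eXE -k fioo32 [2009-7-13 27136]",
]

if __name__ == "__main__":
    for f in triage_dds_lines(SAMPLE_DDS_LINES):
        print(f"[{f['kind']}] {f['detail']}\n    {f['line']}")
```

The MBAM log later in the thread confirms the same two entries (the fioo32 svchost group value and the captcha7 Run value) as Koobface-related, so findings of this shape are worth checking against the scanner output rather than removing by hand.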





#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 08 February 2010 - 12:30 PM

Hello kmadams23,

GMER will not run since you have a 64 bit system. Nothing to worry about.

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#8 kmadams23

kmadams23
  • Topic Starter


Posted 08 February 2010 - 03:45 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3709
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/8/2010 3:44:52 PM
mbam-log-2010-02-08 (15-44-52).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 218208
Time elapsed: 19 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fio32 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fioo32 (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\fioo32 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\captcha7 (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2DLN85XD\pp.14[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUHR6LR6\pp.14[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q79695PJ\pp.14[1].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q79695PJ\pp.14[2].exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\rdr_1264610873.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\rdr_1264622462.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\rdr_1264688341.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\rdr_1264688343.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Windows\010112010146114101.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\01011201014650115.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\0101120101465348.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Users\User\AppData\Local\Temp\zpskon_1264618901.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\Windows\010112010146101105.rx (Malware.Trace) -> Quarantined and deleted successfully.


#9 Elise


Posted 08 February 2010 - 04:11 PM

Hello kmadams23,

That took out quite some koobface and related stuff! How are things running now?

KASPERSKY ONLINE SCAN
-----------------------------------
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

In your next reply, please include the following:
  • Kaspersky scan results

regards, Elise




#10 kmadams23


Posted 08 February 2010 - 05:03 PM

Yeah, the initial infection was caught by Nod32 and reported as koobface and something else, supposedly quarantined, hah! It seems better, though. I'm no longer getting constant warnings from Nod32 saying things are detected which it is unable to clean. Which is nice, that was half of the annoyance - popups every minute from my AV repeating the you are infected message.

I can't get this next scan to run. No matter what browser I use it is telling me I don't have the required support for Java. It linked me to the Java site, and I downloaded the latest update for my system. Still won't work.

#11 kmadams23


Posted 08 February 2010 - 05:09 PM

Hmm, after trying to manually install Java, now the plugin bar pops up in Firefox to install the missing stuff. Okay, weird, but it worked this time. Scanning now...

#12 kmadams23


Posted 08 February 2010 - 09:27 PM

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, February 8, 2010
Operating system: Microsoft (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, February 08, 2010 22:04:51
Records in database: 3451961
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
Scan statistics
Objects scanned 113372
Threats found 0
Infected objects found 0
Suspicious objects found 0
Scan duration 03:29:00

No threats found. Scanned area is clean.
Selected area has been scanned.

#13 Elise


Posted 09 February 2010 - 03:01 AM

Hello kmadams23,

Looks good, unless you have any problems left, you are good to go!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Delete DDS, GMER (this is a random named file) and RootRepeal.
Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


regards, Elise




#14 Elise


Posted 12 February 2010 - 02:47 PM

Since the issue seems to be resolved, this topic is now closed.

regards, Elise


