Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Multiple infections! redirecting and blocking connectivity to virus scan sites


  • This topic is locked This topic is locked
2 replies to this topic

#1 Gaaval

Gaaval

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:13 AM

Posted 30 January 2010 - 04:09 PM

Friends laptop is generally slow, and when surfing will get redirected to weird sites... also ive noticed when trying to update Trend Micro, it will not allow it to connect... nor will it allow it to connect to any site that could be helpful. Any help with this infested machine is greatly appreciated!

Also, running rootrepeal resulted in the program giving an error, i will post the error if desired.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 13:47:26.76 on Sat 01/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.893.110 [GMT -5:00]

AV: Trend Micro AntiVirus - Virus Protection *On-access scanning enabled* (Outdated) {9596F8E6-38C3-4C51-80B9-8C94D2E25B07}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
SP: McAfee VirusScan *enabled* (Updated) {C78B3C70-4777-4742-BB91-9D615CC575E6}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Trend Micro AntiVirus - Spyware Protection *enabled* (Outdated) {7241C815-3D0F-4059-9AF4-BF225B1D78B9}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\sYSteM32\SvchOst.eXE -k fioo32
C:\Toshiba\IVP\ISM\pinger.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\PremierOpinion\pmservice.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\webserver\webserver.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\PremierOpinion\pmropn.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
E:\kris\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://home.ez-tracks.com/?fromOMB=1
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: MRI_DISABLED - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [TOSCDSPD] "c:\program files\toshiba\toscdspd\TOSCDSPD.exe"
uRun: [1145860967] "c:\program files\toshiba" registration\registration.exe /r "c:\program files\toshiba registration\Registration.rpd"
uRun: [95641731] "c:\program files\toshiba" registration\bootinfo.exe /r "c:\program files\toshiba registration\BootInfo.rpd"
uRun: [Sidebar] "c:\program files\windows sidebar\Sidebar.exe" /autorun
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
mRun: [StartCCC] "c:\program files\ati" technologies\ati.ace\core-static\CLIStart.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SVPWUTIL] "c:\program files\toshiba\utilities\SVPWUTIL.exe" SVPwUTIL
mRun: [TPwrMain] "c:\program files\toshiba\power saver\TPwrMain.EXE"
mRun: [HSON] "c:\program files\toshiba\tbs\HSON.exe"
mRun: [SmoothView] "c:\program files\toshiba\smoothview\SmoothView.exe"
mRun: [00TCrdMain] "c:\program files\toshiba\flashcards\TCrdMain.exe"
mRun: [KeNotify] "c:\program files\toshiba\utilities\KeNotify.exe"
mRun: [Trend Micro AntiVirus 2007] "c:\program files\trend micro\antivirus 2007\tavui.exe" -1 --delay 200
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Blubster] c:\program files\blubster\Blubster.exe SILENT
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [sysldtray] c:\windows\ld16.exe
mRun: [Captcha7] rundll "c:\program files\captcha.dll",captcha
mRun: [sysfbtray] c:\windows\freddy82.exe
mRun: [pp] c:\windows\pp14.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\vzacce~1.lnk - c:\program files\verizon wireless\vzaccess manager\VZAccess Manager.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\tmlsp.dll
Trusted Zone: reapplications.com
Trusted Zone: reapplications.com\MNKN
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {220D02A2-6F7F-4B02-B37C-0F9F61AFED33} - hxxp://mnkn.reapplications.com/ClientApps/iePrintTools.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3D3DBC64-0D21-4EA4-94EE-86D6D9B31C0C} - hxxp://www.worldwinner.com/games/v45/moneylist/moneylist.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {48F660FA-8B27-4815-947E-D6CD8C5BEC17} - hxxp://mnkn.reapplications.com/ClientApps/REAppsClientAuth.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\2crfj8pf.default\
FF - component: c:\program files\premieropinion\components\pmxg.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - HiddenExtension: *xg.dll: {6E19037A-12E3-4295-8915-ED48BC341614} - c:\program files\PremierOpinion

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 fio32;fio32;c:\windows\system32\drivers\fio32.sys [2010-1-24 59264]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-27 36368]

=============== Created Last 30 ================

2010-01-30 17:18:28 44032 ---h--w- c:\windows\pp14.exe
2010-01-30 17:18:28 1 ----a-w- c:\windows\fdgg34353edfgdfdf
2010-01-30 17:18:25 75264 ----a-w- c:\windows\rdr_1264871902.exe
2010-01-30 17:18:22 18432 --sh--r- c:\program files\captcha.dll
2010-01-30 17:18:20 61952 ----a-w- c:\windows\freddy82.exe
2010-01-30 16:31:29 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-30 14:52:03 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-30 14:51:07 0 d-----w- c:\programdata\Lavasoft
2010-01-30 14:51:07 0 d-----w- c:\program files\Lavasoft
2010-01-28 19:51:00 0 d-----w- c:\users\owner\appdata\roaming\AVG8
2010-01-25 05:29:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-25 05:14:07 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-01-25 05:14:04 396800 ----a-w- c:\windows\system32\drivers\http.sys
2010-01-25 05:14:04 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-01-25 04:53:45 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-01-25 04:53:44 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-01-25 04:53:42 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-01-25 04:53:42 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-01-25 04:53:42 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
2010-01-25 04:53:42 11264 ----a-w- c:\windows\system32\icardres.dll
2010-01-25 04:53:38 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-01-25 04:53:23 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2010-01-25 02:47:41 59264 ----a-w- c:\windows\system32\drivers\fio32.sys
2010-01-25 02:47:41 50688 ----a-w- c:\windows\system32\fio32.dll
2010-01-25 02:47:38 0 d-----w- c:\program files\webserver
2010-01-25 02:47:27 1 ---h--w- c:\windows\bk23567.dat
2010-01-25 02:47:23 2 ----a-w- c:\windows\010112010146114101.xxe
2010-01-25 02:47:15 2 ----a-w- c:\windows\01011201014650115.xxe
2010-01-25 02:46:58 57344 ----a-w- c:\windows\ld16.exe
2010-01-19 07:28:09 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-18 05:05:00 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-18 05:05:00 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-01-18 05:02:50 0 d-----w- c:\program files\iPod
2010-01-18 05:02:29 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-01-18 05:02:28 0 d-----w- c:\program files\iTunes
2010-01-18 04:57:55 0 d-----w- c:\program files\Bonjour
2010-01-18 04:55:27 0 d-----w- c:\programdata\Apple Computer
2010-01-18 04:48:56 0 d-----w- c:\programdata\Apple

==================== Find3M ====================

2010-01-25 08:29:14 174 --sha-w- c:\program files\desktop.ini
2010-01-18 04:53:13 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-01-18 04:53:13 86016 ----a-w- c:\windows\inf\infstor.dat
2010-01-18 04:53:13 51200 ----a-w- c:\windows\inf\infpub.dat
2008-06-12 14:27:39 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 13:54:41.96 ===============









Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6000
Internet Explorer 8.0.6001.18702

1/30/2010 3:59:01 PM
mbam-log-2010-01-30 (15-58-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 301255
Time elapsed: 1 hour(s), 41 minute(s), 26 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 6
Registry Keys Infected: 15
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 27

Memory Processes Infected:
C:\Program Files\PremierOpinion\pmropn.exe (Trojan.Agent) -> No action taken.
C:\Program Files\PremierOpinion\pmservice.exe (Trojan.Agent) -> No action taken.
C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> No action taken.

Memory Modules Infected:
C:\Program Files\PremierOpinion\msvcp71.dll (Trojan.Agent) -> No action taken.
C:\Program Files\PremierOpinion\msvcr71.dll (Trojan.Agent) -> No action taken.
C:\Program Files\PremierOpinion\pmls.dll (Trojan.Agent) -> No action taken.
C:\Program Files\PremierOpinion\components\pmxg.dll (Trojan.Agent) -> No action taken.
c:\Windows\System32\fio32.dll (Worm.KoobFace) -> No action taken.
C:\Program Files\captcha.dll (Spyware.OnlineGames) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286} (Adware.PremierOpinion) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/popcaploader.dll (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fioo32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fio32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FIO32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\webserver (Worm.KoobFace) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SfX (Rootkit.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Trojan.Buzus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\fioo32 (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\captcha7 (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pp (Worm.KoobFace) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
C:\Program Files\premieropinion (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\components (Trojan.Agent) -> No action taken.

Files Infected:
C:\Windows\ld16.exe (Trojan.Buzus) -> No action taken.
C:\Users\Kris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OUDVBZVP\setup[1].exe (Trojan.Buzus) -> No action taken.
C:\Windows\System32\drivers\fio32.sys (Worm.Koobface) -> No action taken.
C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-2338054880-2711504773-926285554-1000\$R5JZHGU.exe (Trojan.Buzus) -> No action taken.
C:\$Recycle.Bin\S-1-5-21-2338054880-2711504773-926285554-1000\$RCU481S.exe (Trojan.Buzus) -> No action taken.
C:\Program Files\premieropinion\install.rdf (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\msvcp71.dll (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\msvcr71.dll (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\pmls.dll (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\pmls64.dll (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\pmoci.bin (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\pmph.dll (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\pmropn.exe (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\pmropn64.exe (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\pmservice.exe (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\pmxf.dll (Trojan.Agent) -> No action taken.
C:\Program Files\premieropinion\components\pmxg.dll (Trojan.Agent) -> No action taken.
C:\Windows\010112010146114101.xxe (KoobFace.Trace) -> No action taken.
C:\Windows\01011201014650115.xxe (KoobFace.Trace) -> No action taken.
C:\Windows\bk23567.dat (KoobFace.Trace) -> No action taken.
C:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> No action taken.
C:\Windows\System32\fio32.dll (Worm.KoobFace) -> No action taken.
C:\Program Files\webserver\webserver.exe (Worm.KoobFace) -> No action taken.
C:\Program Files\captcha.dll (Spyware.OnlineGames) -> No action taken.
C:\Windows\freddy82.exe (Worm.KoobFace) -> No action taken.
C:\Windows\pp14.exe (Worm.KoobFace) -> No action taken.


BC AdBot (Login to Remove)

 


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:13 PM

Posted 07 February 2010 - 11:01 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:13 PM

Posted 12 February 2010 - 12:06 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber

Posted Image
Posted Image

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users