
Help! I am infected and do not know what to do!


  • This topic is locked
16 replies to this topic

#1 cherp

cherp

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:08 AM

Posted 02 February 2010 - 03:49 AM

Hi! I'm Cherp and new to the site. I've never done anything like this before and am at a loss for what to do.

The computer that is infected with something, is not the one I am using currently. This is my old computer.

First, I was having problems about 3 weeks ago with malware. I found this site and followed the directions to remove 'antivirus-plus' that seemed to be taking over my computer. I followed the directions and installed 'rkill' and ran it. I then installed Malwarebytes' Anti-Malware and ran that. It found what was wrong and my computer ran like a charm. However, every once in a while when I've been on the internet, I've been redirected to advertisements. They are for a variety of things and not necessarily 'sleazy'. However, tonight (or late last night now), something took over my computer and infected files like: rundill32.exe, win32 files, ytbb.exe, au.exe, wmiprvse.exe....... these seem to be any .exe files of programs I was trying to use. After each "security warning" and telling me what file was infected, the box asked me "Do you want to activate your antivirus software now?" When I would say yes, it directed me to "Antivirus Soft" to both scan my computer and purchase. However, when I went to purchase, I was redirected to porn sites. When this started happening, I disconnected the Internet part so nothing else could enter my computer. I even tried to scan with my "Avast Antivirus" and got a message saying that the download was "broken"

At one point (before it got really bad) the computer shut down and restarted on its own saying something about the operating system had an error and was redirected to shutdown.

What should I do? Should I turn off my computer? I'm afraid to turn it off or leave it on.

Please help.
Cherp

#2 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:08 AM

Posted 02 February 2010 - 12:22 PM

Hi. I'm posting again. I think I may have put my original post in the wrong place. As I said, I've never done this before.

Last night, I did find the Spyware Doctor on this site. I downloaded it to my stick drive and then tried to put it on the 'sick' computer. It loaded. However, I cannot open it to run. I get the message:
Security Warning
Application cannot be executed. The file pctsgui.exe is infected. Do you want to activate your antivirus software now?

I already use AVAST and it is current with updated tables.

After reading some of the other posts, I may have some of the same problems that are under other topics. That's why I feel I should not have started a new topic, but instead posted under the malware, hijacked category.

I also want to let you know, I cannot open any programs on the computer having the problem. I cannot run anything. Every .exe file seems to be affected. I disconnected from the Internet and cannot reconnect because I get a message from:
Security Warning
Application cannot be executed. The file ytbb.exe is infected. Do you want to activate your antivirus software now?

When I had said yes, I was redirected to Antivirus Soft to purchase; however, when I went to the page there was a file error 404 ??? I think. Now that I am not connected to the Internet, another error comes up: (when I try to get on the Internet, the Internet Explorer cannot display the webpage comes up... when I try to diagnose connection problems, the next screen briefly flashes up and disappears before the Security Warning box appears.)

Security Warning
Application cannot be executed. The file xpnetdiag.exe is infected. do you want to activate your antivirus software now?

I think I'm having a major problem. I'm hoping not to lose this computer as all the software will be gone.

Can someone please help? I'm afraid to turn off the computer for fear I'll not get it back on again.

Thank you.
Cherp

#3 Saga Lout

Saga Lout

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Newport Pagnell, England
  • Local time:07:08 AM

Posted 02 February 2010 - 12:34 PM

Can someone please help? I'm afraid to turn off the computer for fear I'll not get it back on again.

Thank you.
Cherp



I think it will help whoever comes along to deal with your problem if you can see if it's possible to use the computer normally in Safe Mode. Restart and tap Function 8 as the system starts to load then select Safe Mode from the Advanced Boot menu. Log in as Administrator and if that behaves properly with no pop ups, post back for advice on how to proceed.

Saga Lout {n} growing old and becoming a little unruly.

#4 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:08 AM

Posted 02 February 2010 - 12:58 PM

Thank you. I'm rebooting now.

#5 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:08 AM

Posted 02 February 2010 - 01:06 PM

It rebooted normally. I missed the F8 button. It didn't even go into the option of Safe Mode which it did last night when the system automatically ended and rebooted.

I'm going to check out to see if I can access any programs.
cherp

#6 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts
  •  
  • Local time:12:08 AM

Posted 02 February 2010 - 01:11 PM

Yes... I can access programs and the Internet.
Should I try to connect and run the virus protection programs and maybe malware?
cherp

#7 Saga Lout

Saga Lout

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Newport Pagnell, England
  • Local time:07:08 AM

Posted 02 February 2010 - 02:13 PM

Yes... I can access programs and the Internet.
Should I try to connect and run the virus protection programs and maybe malware?
cherp



So long as your AV and malware trackers are fully up to date, it might be safer to run them offline for the time being. Also, please check that your Firewall hasn't been disabled.

Saga Lout {n} growing old and becoming a little unruly.

#8 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:08 AM

Posted 02 February 2010 - 05:10 PM

Thank you for your post. I'm going through the procedures for removing malware. My firewall is in place and I was finally able to run Malwarebytes' Anti-Malware. There were 7 trojan viruses that were deleted.

I'm going to try to run Spyware Doctor now. I'm also learning how to make the logs from the directions; however, I'm going to run the Spyware Doctor first.

I'll post the results later tonight. Everything takes so long to do.

Thank you to everyone for your help.

cherp

#9 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:08 AM

Posted 02 February 2010 - 05:12 PM

Sorry... I forgot to say.... everything is not running smoothly... I've lost my desktop. Haven't been in too much more to notice.

cherp

#11 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:08 AM

Posted 02 February 2010 - 11:30 PM

Okay.... hello bleeping computer community. I had to go to work. When I got back the computer was still on (I'm using it), however, I was not able to run Spyware Doctor. There was a sychost.exe-Application error: instruction at 0x10010c88 referred memory at 0x05f3e000 memory could not be read. So Spyware wasn't run.

However, I have been able to now go through the process in the Preparation Guide for posting about the potential malware problem. I am on step 8 where we are supposed to now create a new malware removal topic and post the DDS logs and the RootRepeal log.

Am I supposed to post a new topic? I'm not sure if that would be a good idea. Also, I don't really know the name of anything that is wrong on my computer. I did remove 7 Trojan viruses today, before I started this process as posted earlier. I do have a log of that also.

I'm going to post the logs here (in a separate response directly after this message). If they need to be moved later, perhaps someone will be able to direct me where to post them and under what heading.

I just want to say that I am thankful to have found this site back in the beginning of January when all this mess started. I look forward to hearing from the good people on bleeping computer.com.

Best regards,
cherp

#12 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:12:08 AM

Posted 02 February 2010 - 11:48 PM

DDS Textfile from 2/2/2010


DDS (Ver_09-12-01.01) - NTFSx86
Run by HP_Administrator at 21:27:01.53 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.160 [GMT -6:00]

AV: avast! antivirus 4.8.1368 [VPS 100202-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\gqjqnc\pufvsftav.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\lotus\organize\easyclip.exe
C:\lotus\register\remind32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mStart Page = hxxp://search.myheritage.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\family toolbar\tbhelper.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\family toolbar\tbcore3.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn4\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Family Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\family toolbar\tbcore3.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Reminder] "c:\windows\creator\Remind_XP.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Family Tree Builder Update] c:\program files\myheritage\bin\FTBCheckUpdates.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [wjydllpk] c:\windows\system32\config\systemprofile\local settings\application data\gqjqnc\pufvsftav.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [notepad] rundll32.exe c:\windows\system32\config\system~1\ntload.dll,_IWMPEvents@0
dRun: [wjydllpk] c:\windows\system32\config\systemprofile\local settings\application data\gqjqnc\pufvsftav.exe
StartupFolder: c:\docume~1\hp_adm~1\startm~1\programs\startup\lotuss~1.lnk - c:\lotus\register\remind32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lotuso~1.lnk - c:\lotus\organize\easyclip.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Turbo%20Subs/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://download.games.yahoo.com/games/web_games/playtime/mahjongescape/PTGameLauncher.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 89.149.210.26 www.google.no
Hosts: 89.149.210.26 www.google.nl
Hosts: 89.149.210.26 www.google.com
Hosts: 89.149.210.26 www.google.se
Hosts: 89.149.210.26 uk.search.yahoo.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\pdlxq43v.default\
FF - prefs.js: browser.search.defaulturl - hxxp://fruttisearch.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://search.myheritage.com/
FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=
FF - prefs.js: keyword.enabled - true
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-2 207792]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-2 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-2 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2005-9-5 138680]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-2 359624]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2005-9-5 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2005-9-5 352920]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2005-7-25 348352]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2005-7-25 43392]

=============== Created Last 30 ================

2010-02-02 08:55:42 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-02 08:55:41 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-02 08:55:38 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-02 08:55:38 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-02 08:55:38 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-02-02 08:55:38 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-02 08:55:27 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-02-02 08:55:26 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-02 08:55:12 0 d-----w- c:\program files\common files\PC Tools
2010-02-02 08:55:11 0 d-----w- c:\program files\Spyware Doctor
2010-02-02 08:55:11 0 d-----w- c:\docume~1\hp_adm~1\applic~1\PC Tools
2010-02-02 08:55:11 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-02-02 07:57:29 0 d-----w- C:\Cache
2010-02-01 17:21:26 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-27 04:30:13 0 d-----w- C:\Fonts 2
2010-01-20 04:14:53 0 d-----w- C:\.jagex_cache_32
2010-01-16 04:41:22 69 ----a-w- c:\documents and settings\hp_administrator\jagex_runescape_preferences2.dat
2010-01-15 02:48:54 455 ----a-w- c:\windows\MyHeritage.INI
2010-01-15 02:47:08 0 d-----w- c:\docume~1\hp_adm~1\applic~1\MyHeritage
2010-01-15 02:47:08 0 d-----w- c:\docume~1\alluse~1\applic~1\MyHeritage
2010-01-15 02:46:40 0 d-----w- c:\program files\Family Toolbar
2010-01-15 02:46:37 454656 ----a-w- c:\windows\system32\PaintX.dll
2010-01-15 02:46:36 372736 ----a-w- c:\windows\system32\ijl15.dll
2010-01-15 02:46:36 137000 ----a-w- c:\windows\system32\msmapi32.ocx
2010-01-15 02:46:35 0 d-----w- c:\docume~1\hp_adm~1\applic~1\The Complete Genealogy Reporter - FTB
2010-01-15 02:45:27 0 d-----w- c:\program files\MyHeritage
2010-01-14 21:32:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-14 21:32:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-14 05:22:38 0 d-----w- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2010-01-14 05:22:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-14 05:22:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-02-02 07:03:44 39 ----a-w- c:\documents and settings\hp_administrator\jagex_runescape_preferences.dat
2010-02-02 03:23:28 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-28 06:13:35 139808 ----a-w- c:\windows\fonts\AdobeFnt07.lst
2010-01-27 06:00:07 79376 ----a-w- c:\windows\fonts\Callistroke.ttf
2010-01-27 05:59:18 59840 ----a-w- c:\windows\fonts\FONTL___.TTF
2010-01-27 05:59:18 27924 ----a-w- c:\windows\fonts\Heala___.ttf
2010-01-27 05:58:13 61563 ----a-w- c:\windows\fonts\PENHURSS.TTF
2010-01-27 05:58:13 35651 ----a-w- c:\windows\fonts\PENSHURS.TTF
2010-01-27 05:58:13 33663 ----a-w- c:\windows\fonts\PENHURSB.TTF
2010-01-27 05:53:23 45872 ----a-w- c:\windows\fonts\Vector.ttf
2010-01-27 05:52:42 90064 ----a-w- c:\windows\fonts\Blacksmith Delight Outlined.ttf
2010-01-27 05:52:42 53540 ----a-w- c:\windows\fonts\Blacksmith Delight SemiWide.ttf
2010-01-27 05:52:42 52968 ----a-w- c:\windows\fonts\Blacksmith Delight Mirrored.ttf
2010-01-27 05:52:42 51640 ----a-w- c:\windows\fonts\Blacksmith Delight.ttf
2010-01-27 05:52:41 53460 ----a-w- c:\windows\fonts\Blacksmith Delight Lefty.ttf
2010-01-27 05:52:29 81664 ----a-w- c:\windows\fonts\DUBIELIT.TTF
2010-01-27 05:51:34 170046 ----a-w- c:\windows\fonts\ARBOF___.TTF
2010-01-27 05:51:18 77136 ----a-w- c:\windows\fonts\AnnabelAntiqueScript.ttf
2010-01-27 05:51:01 53404 ----a-w- c:\windows\fonts\Ayuma2yk.ttf
2010-01-27 05:50:31 33716 ----a-w- c:\windows\fonts\SF Foxboro Script Extended Bold Italic.ttf
2010-01-27 05:50:31 33692 ----a-w- c:\windows\fonts\SF Foxboro Script Extended Italic.ttf
2010-01-27 05:50:31 33560 ----a-w- c:\windows\fonts\SF Foxboro Script Extended Bold.ttf
2010-01-27 05:50:31 33384 ----a-w- c:\windows\fonts\SF Foxboro Script Extended.ttf
2010-01-27 05:50:31 33236 ----a-w- c:\windows\fonts\SF Foxboro Script Bold.ttf
2010-01-27 05:50:31 33172 ----a-w- c:\windows\fonts\SF Foxboro Script Italic.ttf
2010-01-27 05:50:31 33144 ----a-w- c:\windows\fonts\SF Foxboro Script Bold Italic.ttf
2010-01-27 05:50:31 33060 ----a-w- c:\windows\fonts\SF Foxboro Script.ttf
2010-01-27 05:47:57 47264 ----a-w- c:\windows\fonts\ActionIs.ttf
2010-01-27 05:47:57 36556 ----a-w- c:\windows\fonts\ActionIsWide&DiagonalJLExpandedItalic.ttf
2010-01-27 05:47:57 36408 ----a-w- c:\windows\fonts\ActionIsDiagonalJLItalic.ttf
2010-01-27 05:47:57 36368 ----a-w- c:\windows\fonts\ActionIsWiderJL.ttf
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2008-07-18 05:33:22 0 -c--a-w- c:\program files\temp01

============= FINISH: 21:29:20.18 ===============




ROOT REPEAL 2/2/2010



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/02 21:38
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xABF33000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\Yahoo! Games\Scrabble\GHScrabble.exe:{A2E76534-BE03-62CE-F3A6-27E66D69AF03}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\SCRABBLE Plus\SCRABBLE PLUS.exe:{AFC1F247-A840-E694-F5D5-857325CFB5D7}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Slingo Mystery - Who's Gold\SlingoMystery.exe:{93B43625-21DE-1339-C4EF-4BC65DAE9DC1}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\Yahoo! Games\Turbo Subs\TurboSubs.exe:{64351A3F-FCAC-1B08-D989-2A310292D8C3}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\hp_administrator\local settings\temp\~dfe2c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~dfbbab.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~dfcbbf.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55aba52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab14c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab08c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab0f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab72e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb55ab8ae

==EOF==

ATTACH List in separate link... no place to attach here.
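
As an added example, not part of the thread and not RootRepeal's own code, here is a small Python parser for the report layout posted above. It groups SSDT hooks by the driver that installs them, flags `file:{GUID}` paths as NTFS alternate data streams (the `file:streamname` form), and lists entries whose API-reported and raw on-disk sizes differ. The sample report is constructed in the same shape as the log; the example.sys hook and the KNOWN_HOOKERS list are assumptions for illustration. aswSP.SYS is Avast's self-protection driver, which fits the Avast install the poster mentions, so hooks from it are treated as expected.

```python
import re
from collections import defaultdict

# Constructed sample in RootRepeal's report layout (abbreviated from the
# shape of the log above). The example.sys hook is invented for illustration.
SAMPLE_LOG = """\
Hidden/Locked Files
-------------------
Path: C:\\Program Files\\Yahoo! Games\\Scrabble\\GHScrabble.exe:{A2E76534-BE03-62CE-F3A6-27E66D69AF03}
Status: Visible to the Windows API, but not on disk.

Path: c:\\documents and settings\\hp_administrator\\local settings\\temp\\~dfe2c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xb55ab6b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\aswSP.SYS" at address 0xb55ab574

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\\WINDOWS\\System32\\Drivers\\example.sys" at address 0xb55ab08c

==EOF==
"""

SECTION_RE = re.compile(r"^(?P<name>[^\n]+)\n-{5,}\n", re.M)  # title + dashed rule
SSDT_RE = re.compile(r"^#: (?P<index>\d+) Function Name: (?P<func>\w+)$")
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
SIZE_RE = re.compile(r"Allocation size mismatch \(API: (?P<api>\d+), Raw: (?P<raw>\d+)\)")
# file:{GUID} is NTFS alternate-data-stream syntax (file:streamname).
ADS_RE = re.compile(r"^(?P<file>.+?):(?P<stream>\{[0-9A-Fa-f-]{36}\})$")

# aswSP.SYS is Avast's self-protection driver. Treating it as expected is an
# assumption for this example; check it against what is really installed.
KNOWN_HOOKERS = {"aswsp.sys"}

def parse_rootrepeal(text):
    """Return {section: [record, ...]}; a record is the dict of 'Key: value'
    lines in one blank-line-separated block ('#: NNN Function Name: X' lines
    become Index/Function keys)."""
    sections, heads = {}, list(SECTION_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[m.end():end].replace("==EOF==", "").strip()
        records = []
        for chunk in re.split(r"\n\s*\n", body):
            rec = {}
            for line in chunk.splitlines():
                s = SSDT_RE.match(line.strip())
                if s:
                    rec["Index"], rec["Function"] = int(s["index"]), s["func"]
                elif ": " in line:
                    key, val = line.split(": ", 1)
                    rec[key.strip()] = val.strip()
            if rec:
                records.append(rec)
        sections[m["name"].strip()] = records
    return sections

def ads_streams(sections):
    """(file, stream) for Hidden/Locked entries that are alternate data streams."""
    hits = [ADS_RE.match(r.get("Path", "")) for r in sections.get("Hidden/Locked Files", [])]
    return [(m["file"], m["stream"]) for m in hits if m]

def size_mismatches(sections):
    """(path, api_size, raw_size) where the API-reported and on-disk sizes differ."""
    out = []
    for r in sections.get("Hidden/Locked Files", []):
        m = SIZE_RE.search(r.get("Status", ""))
        if m:
            out.append((r["Path"], int(m["api"]), int(m["raw"])))
    return out

def hooks_by_module(sections):
    """Group hooked SSDT functions by the hooking driver's lower-cased basename."""
    grouped = defaultdict(list)
    for r in sections.get("SSDT", []):
        m = HOOK_RE.search(r.get("Status", ""))
        if m:
            grouped[m["module"].rsplit("\\", 1)[-1].lower()].append(r["Function"])
    return dict(grouped)

def unexpected_hookers(sections):
    """Hooking drivers not on the expected list; these are the ones to look up."""
    return sorted(set(hooks_by_module(sections)) - KNOWN_HOOKERS)

if __name__ == "__main__":
    secs = parse_rootrepeal(SAMPLE_LOG)
    print("ADS streams:", ads_streams(secs))
    print("size mismatches:", size_mismatches(secs))
    print("hooks by driver:", hooks_by_module(secs))
    print("not on expected list:", unexpected_hookers(secs))
```

Run against the full log, the hook summary collapses the ten aswSP.SYS entries into one line and leaves any other hooking driver standing out; the ADS list gives the four Yahoo! Games executables and their stream names, which is the lead a helper would follow up on rather than the host executables themselves.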

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 February 2010 - 11:59 PM

Hello, you cannot attach because you are posting the logs in the wrong forum.

Go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#14 cherp

cherp
  • Topic Starter

  • Members
  • 29 posts

Posted 03 February 2010 - 12:06 AM

Hi Boopme... thank you for responding so quickly.

Yes... I went to the Hijack forum and posted the uploads both for the Attach and Ark. Whew!! What a learning experience today. I'm just not sure how to attach all the previous to the new ones. However, I can't worry about it tonight as I was up almost all of last night searching what to do to begin with. I'm going to have to call it a night. As Scarlett says, "Tomorrow is another day."

Okay... thank you again for responding so quickly. I'll be on for a few more minutes before I log off if there is anything else I should do.

Best regards,
cherp

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 February 2010 - 12:22 AM

You're welcome, and don't worry about adding anything, as they will ask you for what they need. They will help you do it. The downside is we are very busy in HJT right now. It will most likely be a few days before you get a reply. But you will get it; ALL logs are replied to.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
