
Security Tool issues


9 replies to this topic

#1 scarlettcherry

scarlettcherry

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 25 February 2010 - 10:45 AM

Having gone through most of the preparation for posting, I am unable to get my GMER log; my PC crashes before it completes. I have the other two, though. Can anyone help?

All my problems seemed to start with a bad download that ended with me being stuck with a MyWebSearch toolbar, and ever since then it seems as though my PC has been compromised. Then I switched my PC on and found out Security Tool had installed itself.

This is the DDS log:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Emily at 14:27:09.15 on 23/02/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1015.135 [GMT 0:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Windows\system32\dlbkcoms.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\lxcgcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Emily\AppData\Local\Temp\Hrl.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\ctfmon.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\msb.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Emily\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Emily\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
mStart Page = hxxp://search.myheritage.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: MHURLSearchHook Class: {1c4ab6a5-595f-4e86-b15f-f93cce2bbd48} - c:\program files\celebrity toolbar\tbhelper.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: MHTBPos00 Class: {0c37b053-fd68-456a-82e1-d788ee342e6f} - c:\program files\celebrity toolbar\tbcore3.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Celebrity Toolbar: {fd2fd708-1f6f-4b68-b141-c5778f0c19bb} - c:\program files\celebrity toolbar\tbcore3.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [F5JMWNZTHI] c:\users\emily\appdata\local\temp\Hrl.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RTHDBPL] c:\users\emily\appdata\roaming\systemproc\lsass.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [LXCGCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCGtime.dll,_RunDLLEntry@16
mRun: [lxcgmon.exe] "c:\program files\lexmark 2300 series\lxcgmon.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [14936124] c:\programdata\14936124\14936124.exe
mRun: [CTFMON] c:\windows\temp\_ex-08.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {2DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} - hxxp://www.activeworlds.com/products/ActiveWorldsDownload.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUplden-gb.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
TCP: NameServer = 93.188.164.111,93.188.166.103
TCP: {1C45C8C7-DE23-4790-9F1D-2974C5B923CC} = 93.188.164.111,93.188.166.103
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\emily\appdata\roaming\mozilla\firefox\profiles\rjn6akdr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mpeurope.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm401YYGB&fl=0&ptb=T3l.nC9A16ke396JtkrQGQ&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77ce7b66&searchfor=
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBTEmailConfig.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\emily\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Internal security: No Registry Reference - c:\program files\mozilla firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-11 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-23 207280]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080716.002\IDSvix86.sys [2008-7-21 261680]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-23 112592]
R2 dlbk_device;dlbk_device;c:\windows\system32\dlbkcoms.exe -service --> c:\windows\system32\dlbkcoms.exe -service [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1184912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-7-15 109616]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2006-11-21 37008]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-10-22 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2008-8-22 255488]
S4 ALaunchService;ALaunch Service;c:\acer\alaunch\ALaunchSvc.exe [2006-12-14 46592]

=============== Created Last 30 ================

2010-02-23 11:19:08 0 d-sh--w- c:\windows\system32\lowsec
2010-02-23 10:53:11 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-23 10:53:10 882 ----a-w- c:\windows\RegSDImport.xml
2010-02-23 10:53:10 880 ----a-w- c:\windows\RegISSImport.xml
2010-02-23 10:53:10 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-23 10:53:10 131 ----a-w- c:\windows\IDB.zip
2010-02-23 10:53:09 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-23 10:53:09 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-02-23 10:53:09 1152444 ----a-w- c:\windows\UDB.zip
2010-02-23 10:51:12 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-23 10:51:12 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-23 10:51:11 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-02-23 10:49:53 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-23 10:49:53 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-23 10:49:53 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-02-23 10:49:53 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-23 10:48:59 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-02-23 10:48:59 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-23 10:48:16 0 d-----w- c:\users\emily\appdata\roaming\PC Tools
2010-02-23 10:48:16 0 d-----w- c:\programdata\PC Tools
2010-02-23 10:48:16 0 d-----w- c:\program files\Spyware Doctor
2010-02-23 10:48:16 0 d-----w- c:\program files\common files\PC Tools
2010-02-23 00:27:11 156672 ----a-w- c:\windows\msb.exe
2010-02-23 00:14:21 0 d-----w- c:\programdata\14936124
2010-02-23 00:03:37 151552 ----a-w- C:\autoexec.exe
2010-02-22 14:41:47 135168 ----a-w- C:\Usee.exe
2010-02-22 08:23:10 9 ----a-w- C:\confin.sys
2010-02-22 08:22:41 0 d-sh--w- c:\users\emily\appdata\roaming\SystemProc
2010-02-11 11:20:53 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-11 08:54:41 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-11 08:53:04 0 dc-h--w- c:\programdata\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-11 08:51:37 0 d-----w- c:\programdata\Lavasoft
2010-02-11 08:51:37 0 d-----w- c:\program files\Lavasoft
2010-02-10 15:48:16 21504 ----a-w- c:\windows\system32\fxer.slo
2010-02-09 22:35:01 25088 ----a-w- c:\windows\system32\stu2.exe
2010-02-07 15:56:50 138752 ----a-w- c:\windows\msa.exe
2010-02-05 17:52:02 1500 ----a-w- c:\users\emily\.recently-used.xbel
2010-02-05 00:17:24 0 d-----w- c:\program files\iPod
2010-02-02 00:50:52 0 d-----w- c:\program files\Celebrity Toolbar
2010-01-26 15:17:27 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2010-01-14 11:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-03 16:56:00 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-27 13:32:41 86016 ----a-w- c:\windows\inf\infstor.dat
2009-10-27 13:32:41 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-27 13:32:40 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-06-26 11:41:41 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-05-27 20:32:16 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-09 19:17:35 32768 --sha-w- c:\windows\temp\cookies\index.dat
2009-05-09 19:17:35 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-05-09 19:17:35 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 14:31:01.38 =================

I was going to use hijackthis to get rid of the bad files but wasn't sure which ones were bad.

Thanks.

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 07/06/2007 15:51:41
System Uptime: 23/02/2010 13:51:42 (1 hours ago)

Motherboard: Acer | | FI946GZ
Processor: Intel® Core™2 CPU 4400 @ 2.00GHz | Socket 775 | 2000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 146 GiB total, 15.006 GiB free.
D: is FIXED (NTFS) - 145 GiB total, 144.966 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is FIXED (FAT32) - 112 GiB total, 25.375 GiB free.
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0000
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter
PNP Device ID: ROOT\*ISATAP\0000
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0003
Manufacturer: Microsoft
Name: isatap.{034A00D0-D30D-4943-9C11-C0FEAD36D4A5}
PNP Device ID: ROOT\*ISATAP\0003
Service: tunnel

==== System Restore Points ===================


==== Installed Programs ======================

Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.1.0
Adobe Shockwave Player 11.5
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ares 2.0.9
Ares Vista 4.0.3.9083
Atlantis Word Processor
AV
Bonjour
Browser Defender 2.0.6.11
BT Broadband Desktop Help
BT Broadband Support Tools
BT Wireless Connection Manager
BT Yahoo! Applications
BTHomeHub
ccCommon
Celebrity Toolbar
Compatibility Pack for the 2007 Office system
Coupon Printer
CSI-Hard Evidence
Dell AIO Printer A920
DVD Decrypter (Remove Only)
EA Download Manager
Full Tilt Poker
GIMP 2.6.7
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist Corporate
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Graphics Media Accelerator Driver
iTunes
Java™ 6 Update 15
Java™ 6 Update 6
Java™ 6 Update 7
Junk Mail filter update
Lexmark 2300 Series
LightScribe 1.4.124.1
LiveUpdate Notice (Symantec Corporation)
Loki ActiveX Control
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Small Business Edition 2003
Microsoft Office Word Viewer 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Microsoft WSE 3.0 Runtime
MobileMe Control Panel
Mozilla Firefox (3.5.8)
MSRedist
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Nucleus Kernel Word Demo ver 4.03
OpenMG Limited Patch 4.0-04-11-28-01
OpenMG Secure Module 4.0.05
OpenOffice.org Installer 1.0
Project64 1.6
QuickTime
QuickTime 3.0
Ralink Wireless LAN Card
RealPlayer
Realtek High Definition Audio Driver
Safari
SonicStage
SPBBC 32bit
Spotify
Spyware Doctor 7.0
Symantec Real Time Storage Protection Component
SymNet
The Sims™ 3
VideoLAN VLC media player 0.8.6i
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
WinZip 12.0
Yahoo! Toolbar
==== End Of File ===========================

Edited by Maurice Naggar, 27 February 2010 - 05:42 PM.
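As an added example (not code from this thread, from DDS or from any of the tools named later on), the Python script below parses the Pseudo HJT Report lines from the log above and flags the patterns that a malware responder looks for first. The sample lines are copied from that log; a flag means "review this entry", not "delete it".

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example, not part of the thread and not code from DDS, HijackThis
or The Avenger. It flags: autorun entries started from user-writable
folders, a Winlogon Userinit value with extra executables appended, a
core Windows binary name running outside system32, UAC switched off,
and hard-coded external DNS servers.
"""
import ipaddress
import re
from typing import Dict, List

Finding = Dict[str, str]

# Sample input: a subset of lines copied from the DDS log posted above.
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [F5JMWNZTHI] c:\users\emily\appdata\local\temp\Hrl.exe
uRun: [RTHDBPL] c:\users\emily\appdata\roaming\systemproc\lsass.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [14936124] c:\programdata\14936124\14936124.exe
mRun: [CTFMON] c:\windows\temp\_ex-08.exe
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.164.111,93.188.166.103
"""

# Folders a legitimate autorun entry rarely points into (compared lower-case).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                      "\\programdata\\", "\\appdata\\roaming\\")
# Names of core Windows binaries; the genuine copies live in system32.
SYSTEM_BINARIES = ("lsass.exe", "svchost.exe", "csrss.exe",
                   "winlogon.exe", "services.exe")
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def _autorun_findings(line: str, cmd: str) -> List[Finding]:
    """Checks one uRun/mRun command line."""
    found: List[Finding] = []
    low = cmd.lower()
    if any(d in low for d in USER_WRITABLE_DIRS):
        found.append({"line": line, "reason": "autorun-user-writable-dir"})
    for exe in SYSTEM_BINARIES:
        # Capture the full path ending in the well-known name, spaces included.
        m = re.search(r'([a-z]:\\[^"]*?\\' + re.escape(exe) + ")", low)
        if m and not SYSTEM32_RE.match(m.group(1)):
            found.append({"line": line, "reason": "system-name-outside-system32",
                          "detail": m.group(1)})
    return found


def _userinit_findings(line: str, value: str) -> List[Finding]:
    """Anything besides the stock userinit.exe in this value runs at every logon."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return [{"line": line, "reason": "userinit-extra", "detail": e}
            for e in entries if e != DEFAULT_USERINIT]


def _nameserver_findings(line: str, value: str) -> List[Finding]:
    """Flags resolvers that are not on a private (LAN/router) range."""
    external = []
    for ip in (p.strip() for p in value.split(",") if p.strip()):
        try:
            if not ipaddress.ip_address(ip).is_private:
                external.append(ip)
        except ValueError:
            external.append(ip)  # not a valid address at all: still worth a look
    if not external:
        return []
    return [{"line": line, "reason": "external-nameserver",
             "detail": ",".join(external)}]


def triage_line(line: str) -> List[Finding]:
    """Returns zero or more findings for one report line."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return _autorun_findings(line, m.group("cmd"))
    if line.lower().startswith("mwinlogon: userinit="):
        return _userinit_findings(line, line.split("=", 1)[1])
    if re.match(r"^mPolicies-system: EnableLUA = 0\b", line):
        return [{"line": line, "reason": "uac-disabled"}]
    if line.startswith("TCP: NameServer = "):
        return _nameserver_findings(line, line.split("=", 1)[1])
    return []


def triage_report(text: str) -> List[Finding]:
    """Runs triage_line over every non-empty line of a report."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        if raw.strip():
            findings.extend(triage_line(raw))
    return findings


if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"{f['reason']:30} {f.get('detail', '')}\n    {f['line']}")
```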



#2 Maurice Naggar

Malware Response Team

Posted 27 February 2010 - 05:32 PM

You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member scarlettcherry only. If you are a casual viewer, do NOT try this on your system!
If you are not scarlettcherry and have a similar problem, do NOT post here; start your own topic.


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Given that this is a Vista system, on most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Step 1
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Show all files:
  • Click the Start button, and then click Computer.
  • On the Organize menu, click Folder and Search Options.
  • Click the View tab.
  • Locate and uncheck Hide file extensions for known file types.
  • Locate and uncheck Hide protected operating system files (Recommended).
  • Locate and click Show hidden files and folders.
  • Click Apply > OK.
Step 3
Now, disable the real-time monitor of Norton Internet Security -- but not the firewall
See How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • RIGHT-click on avenger.exe and select Run As Administrator to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    CODE
    Files to delete:
    C:\Windows\msb.exe
    c:\windows\msa.exe
    c:\windows\system32\sdra64.exe
    c:\users\emily\appdata\local\temp\Hrl.exe
    c:\programdata\14936124\14936124.exe
    c:\windows\temp\_ex-08.exe
    C:\autoexec.exe

    Folders to delete:
    c:\windows\system32\lowsec
    c:\programdata\14936124
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Step 4
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
Step 5
Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
========================================================

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
Step 6
Now, re-enable Norton Internet Security.

Start a new DDS run (as you did before). I'd like a fresh report.

Reply with a copy of:
C:\Avenger.txt
GMER log
DDS.txt

Edited by Maurice Naggar, 27 February 2010 - 05:39 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 scarlettcherry


Posted 28 February 2010 - 01:52 PM

Hello,

Thank you very much for your reply. Since my post, my computer pretty much died completely. It suddenly logged itself off as if about to restart, then was never able to boot up again. Just kept trying to restart with no success. Unfortunately my monitor will not allow me to go into safe mode.

However, I reinstalled Vista in order to have some sort of functioning computer again, and this seems to have worked. Security Tool hasn't reared its ugly head again yet, although I am worried that it may still be lurking. What do you suggest?

#4 Maurice Naggar

Malware Response Team

Posted 28 February 2010 - 03:01 PM

Did you do a fresh (new) install, or a repair install?
Hopefully you did a new install and then immediately installed an up-to-date antivirus program.

#5 scarlettcherry


Posted 28 February 2010 - 04:49 PM

Yes, I did a new install and downloaded AVG. The new install backed up all my old files to C:/windows.old/. Should I be careful of this folder? Can I just take my personal documents (pictures, Word files, etc.) out of it and delete everything else? My only concern is that the old files will retain an infection. Thank you for your prompt response.

#6 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts

Posted 28 February 2010 - 06:48 PM

It appears you did a repair install instead of a "wipe" and new install.
You can (and should) scan your old files/documents with your antivirus before opening or using them, and do not go deleting stuff.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 scarlettcherry

scarlettcherry
  • Topic Starter

  • Members
  • 5 posts

Posted 02 March 2010 - 06:03 AM

Ok. I am running a scan now, will post the results of the virus scan. So far there are a lot of "trojan fake" files.

#8 scarlettcherry

scarlettcherry
  • Topic Starter

  • Members
  • 5 posts

Posted 02 March 2010 - 06:33 AM

This is what it came back with, is this all the Security Tool stuff?

Edited by scarlettcherry, 02 March 2010 - 06:50 AM.


#9 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts

Posted 03 March 2010 - 10:32 PM

The log shows that the items listed were placed in quarantine.
Your question was whether the rogue Security Tool is all gone. I honestly cannot tell.
That's why I suggest you run a few tools.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member scarlettcherry only. If you are a casual viewer, do NOT try this on your system!
If you are not scarlettcherry and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
Close any of your open programs while you run these tools.

Given that this is a Vista system, on almost all of the following programs and tools, you will need to right-click on the program link, shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.

Step 1
Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.

Step 2
Please download & save Malwarebytes Anti-Malware from
http://www.download.com/Malwarebytes-Anti-..._4-10804572.htm or
http://www.besttechie.net/tools/mbam-setup.exe or
http://malwarebytes.gt500.org/mbam.jsp

Right-Click on mbam-setup.exe and select Run as Administrator to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Step 3
If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Right-click on Combo-Fix.exe on your Desktop and select "Run as Administrator".
  • A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.

A file will be created at => C:\Combofix.txt.
Note:
Do not mouse-click Combofix's window nor run any program while Combofix is running.
That may cause it to stall.

Reply with a copy of the MBAM log, and the C:\Combofix.txt log

Edited by Maurice Naggar, 03 March 2010 - 10:34 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#10 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts

Posted 10 March 2010 - 09:46 PM

This topic is closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
