
Repeated Malware infections, Trouble removing Vista Guardian


  • This topic is locked
67 replies to this topic

#1 Mom2four

  • Members
  • 33 posts

Posted 07 March 2010 - 11:41 AM

Hi, new to the forums but not to the site. I used the Malwarebytes tool a few weeks ago to remove another Windows Security clone malware and a bunch of trojans that paraded past Norton without being detected. Malwarebytes helped clear up most of those problems, but there is something still lurking, because when you conduct a simple web search and click on the link you wanted, you are directed to another site.

That is the least of the problems now, because I can't remove this Vista Guardian or get on the internet. I ran a Malwarebytes full scan but it found nothing. I tried the fixreg, then Malwarebytes again, still nothing. I am using my Mac laptop and flash drives to attempt to reinstall Malwarebytes, but not successfully. I did run Defogger and DDS. Here are the logs:


DDS (Ver_09-12-01.01) - NTFSx86
Run by John Cornelisen at 10:07:13.88 on Sun 03/07/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.5.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1139 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.exe
C:\Users\John Cornelisen\AppData\Local\av.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\msfeedssync.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
L:\dds-1.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uStart Page = hxxp://m.www.yahoo.com/
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Protection Bar: {0d045baa-4bd3-4c94-be8b-21536bd6bd9f} - c:\program files\video activex object\iesplugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\fortem~1.lnk - c:\program files\lg soft india\fortemanager\bin\Monitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\natura~1.lnk - c:\program files\sec\natural color\NaturalColorLoad.exe
uPolicies-system: NoDispBackgroundPage =
uPolicies-system: NoDispSettingsPage =
uPolicies-system: NoDispAppearancePage =
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~3.0_0\bin\ssv.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - {EBD24BD3-E272-4FA3-A8BA-C5D709757CAB} - c:\program files\playsushi\PSText.dll
Trusted Zone: intuit.com\ttlc
DPF: {00140000-B1BA-11CE-ABC6-F5B2E79D9E3F} - file:///E:/LTOCX14N.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://couponmountain.coupons.smartsource.com/download/cscmv5X.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169043882265
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.winkflash.com/photo/loaders/ImageUploader4.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://www.mybizportal.net/dana-cached/setup/JuniperSetupSP1.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.8.0.41\CoIEPlg.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-2 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-2 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-2 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100224.002\IDSvix86.sys [2010-2-25 343088]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\memeo\autobackup\MemeoBackgroundService.exe [2008-11-7 25824]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-9 102448]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-4-11 5504]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0308000.029\symndisv.sys [2010-2-2 48688]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-22 135664]
S3 LGDDCDevice;LGDDCDevice;c:\program files\lg soft india\fortemanager\bin\I2CDriver.sys [2009-11-29 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\lg soft india\fortemanager\bin\PII2CDriver.sys [2009-11-29 18432]
S3 OlyUsbCam;OLYMPUS USB Camera;c:\windows\system32\drivers\OlyUsbCam.sys [2007-1-12 21952]
S3 SNL320XP;SONIX MULTIMEDIA USB DEVICE DRIVER;c:\windows\system32\drivers\9kdUSBXP.sys [2006-12-28 16000]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2010-03-07 15:56:08 0 ----a-w- c:\users\john cornelisen\defogger_reenable
2010-03-07 14:25:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-07 14:25:57 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-07 14:25:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-07 13:59:42 0 d-----r- c:\program files\Norton Support
2010-03-05 03:56:12 0 d-----w- c:\users\johnco~1\appdata\roaming\DriverCure
2010-03-05 03:55:58 0 d-----w- c:\programdata\ParetoLogic
2010-03-05 03:55:58 0 d-----w- c:\programdata\DriverCure
2010-02-23 22:35:53 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-23 22:34:37 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-23 22:34:37 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-23 22:34:37 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-23 22:34:37 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-23 22:34:37 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-23 22:34:37 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-23 22:34:35 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-23 22:34:35 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-23 22:34:35 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-13 20:46:21 0 d-----w- c:\program files\common files\Scanner
2010-02-13 20:46:18 0 d-----w- c:\program files\CA Yahoo! Anti-Spy
2010-02-11 22:15:03 0 d-----w- c:\programdata\Office Genuine Advantage
2010-02-10 21:01:27 3597912 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 21:01:27 3546200 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 21:01:21 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 21:01:21 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 21:01:00 897624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 21:00:44 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 21:00:43 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 21:00:43 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 21:00:43 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 21:00:43 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 21:00:43 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 21:00:42 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 21:00:42 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-02-10 21:00:42 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-10 21:00:41 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-10 21:00:32 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 21:00:32 105472 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-06 02:14:20 0 d-----w- c:\users\johnco~1\appdata\roaming\E-centives
2010-02-06 00:03:49 0 d-----w- c:\users\johnco~1\appdata\roaming\Malwarebytes
2010-02-06 00:03:41 0 d-----w- c:\programdata\Malwarebytes
2010-02-05 22:54:19 0 d-----w- c:\program files\Panda Security

==================== Find3M ====================

2010-02-22 02:31:12 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-22 02:31:12 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-22 02:31:12 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-27 19:32:59 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-27 19:32:59 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-27 19:32:59 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-27 19:32:50 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2010-01-27 19:32:49 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-27 19:32:27 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-30 03:03:36 174 --sha-w- c:\program files\desktop.ini
2009-11-30 02:50:24 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-01-05 20:20:59 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
2006-11-02 12:34:36 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16386_none_ef216b8c52ca2227\WinMail.exe

============= FINISH: 10:08:46.56 ===============

Just to add a few more tidbits of info. I attempted to run GMER but it wouldn't finish the scan and resulted in a shutdown and reboot. Now it won't complete the scan at all, and then Windows locks up. I will try to reload it onto a new flash drive and see if that is successful.

My husband wants to wipe the computer and start all new, but I am not convinced that will result in more problems. We have a Dell D95QHBC1, 32-bit system running Vista. Any help you could offer would be excellent. I know you are very busy and this is a repeatedly posted problem, but please help.

Many thanks in advance
~L~

Edited by Mom2four, 07 March 2010 - 01:16 PM.
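The three things a helper reading the DDS log above looks at first are the `uInternet Settings,ProxyServer = http=127.0.0.1:5555` entry (Internet Explorer has been pointed at a proxy on the machine itself, which is how a rogue "antivirus" of this kind intercepts browsing and why the browser stops working once the rogue's process is gone but the setting is left behind), the `av.exe` process running out of the user's `AppData\Local` folder, and a toolbar CLSID whose DLL is reported as `No File`. The following Python script is an added example, not part of the thread and not part of the DDS or Malwarebytes tools; it runs a few of those checks over a constructed sample whose lines are reproduced in shape from the log in this post, and the indicator names (`exe-in-appdata`, `loopback-proxy`, `missing-file-entry`) are my own labels:

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines reproduced in shape from the DDS log
# posted above (process list followed by the Pseudo HJT section).
SAMPLE_LOG = """\
============== Running Processes ===============
C:\\Windows\\system32\\svchost.exe -k netsvcs
C:\\Program Files\\Norton 360\\Engine\\3.8.0.41\\ccSvcHst.exe
C:\\Users\\John Cornelisen\\AppData\\Local\\av.exe
C:\\Windows\\Explorer.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TB: Protection Bar: {0d045baa-4bd3-4c94-be8b-21536bd6bd9f} - c:\\program files\\video activex object\\iesplugin.dll
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
"""


@dataclass
class Finding:
    kind: str   # one of the hypothetical indicator labels below
    line: str   # the log line that triggered it


PROCESS_HEADER = "Running Processes"
HJT_HEADER = "Pseudo HJT Report"

# ProxyServer value pointing at the loopback address, with or without the
# "http=" protocol prefix and with an optional port.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost)(?::\d+)?", re.I)
# An executable started from somewhere under a user profile's AppData tree.
APPDATA_EXE = re.compile(r"\\users\\[^\\]+\\appdata\\.*\.exe$", re.I)
# Toolbar / BHO / explorer-bar entries whose referenced file is missing.
MISSING_FILE = re.compile(r"^(?:TB|BHO|EB):.*-\s*No File$", re.I)


def triage(log_text: str) -> list[Finding]:
    """Walk a DDS-style log and return the indicator lines, in file order."""
    findings: list[Finding] = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):          # "====== Section ======" banner
            if PROCESS_HEADER in line:
                section = "processes"
            elif HJT_HEADER in line:
                section = "hjt"
            else:
                section = None
            continue
        if section == "processes" and APPDATA_EXE.search(line):
            findings.append(Finding("exe-in-appdata", line))
        elif section == "hjt":
            if LOOPBACK_PROXY.search(line):
                findings.append(Finding("loopback-proxy", line))
            elif MISSING_FILE.match(line):
                findings.append(Finding("missing-file-entry", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per indicator kind."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

A corporate or content-filter proxy legitimately appears in the same `ProxyServer` slot, so the loopback check deliberately matches only `127.0.0.1` and `localhost`; a proxy that points at a real host produces no finding. The `exe-in-appdata` check is a prompt to look closer, not a verdict: plenty of legitimate per-user installers put binaries under `AppData`, which is why a helper still asks for the full process list rather than acting on one line.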



#2 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 09 March 2010 - 08:26 PM

Hello Mom2four. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I would like to get the GMER log if at all possible. Try disabling Windows Defender, instructions HERE. Also make sure your Antivirus is disabled.

If that won't work, uncheck the following and try again.
  • Registry
  • Files

If that won't work you can give it a try in Safe Mode. If none of it works we will go without it.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall





If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 Mom2four


Posted 09 March 2010 - 10:12 PM

Hi and thank you,

I attempted to run GMER but it would not complete the scan. I attempted to repeat it and the blue screen of death appeared. I attempted it in Safe Mode but it still won't complete the scan, with or without Registry and Files selected.

As of last night I was able to manually remove the AV.exe nastiness that was Vista Guardian, but I am concerned that there is something else lurking in the shadows. And whatever that is allows my computer to keep picking up these rogue programs.

I was able to locate the file name using Prevx and did some internet searching to know where to look for it in the Registry. I did the Regedit and deleted the file.

Still not convinced I am safe, however, so if we can proceed with checking the rest of the system and cleaning it up I would be very grateful.

Thanks
Lesley

#4 thewall


Posted 09 March 2010 - 11:03 PM

OK, let's see if we can get ComboFix to run:


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found HERE
  • Double click on ComboFix.exe & follow the prompts.


When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#5 Mom2four


Posted 09 March 2010 - 11:29 PM

ComboFix appears stuck. It states "Please wait, ComboFix preparing to run" with a blinking prompt.

How long may it take?

Thanks
~L~

#6 thewall


Posted 09 March 2010 - 11:46 PM

Give it a bit, it's best not to interrupt it. How long has it been doing that?

#7 Mom2four


Posted 09 March 2010 - 11:48 PM

At least 15 min. I had Prevx still enabled, so I disabled it while the combo kept blinking. I hope that was okay.

#8 thewall


Posted 10 March 2010 - 12:01 AM

It's OK now that you have done it. Sometimes doing other things while CF is running can cause problems.

Is your Symantec and Windows Defender both disabled?

#9 Mom2four


Posted 10 March 2010 - 12:05 AM

Yes, they are!

#10 thewall


Posted 10 March 2010 - 12:08 AM

Sometimes Symantec can cause issues even when it is disabled. We may have to go a different route. If it doesn't look like CF is going to do anything try to stop it and let me know then we'll try something different.

#11 Mom2four


Posted 10 March 2010 - 12:16 AM

We do appear to have a failure to cooperate. So what different thing would you like me to try?

An added observation: there are two Windows Update icons appearing in the bar at the bottom of the screen. One will remain if I scroll over it, the other disappears. When I had the Security "something" rogue a few weeks back it would put up multiple WU icons.

Edited by Mom2four, 10 March 2010 - 12:19 AM.


#12 thewall


Posted 10 March 2010 - 12:25 AM

I seem to recall running into that a month or so back. That infection was a little aggravating to get rid of too I believe.

Let's try this ESET scan. It's an online scan that will also remove entries it finds.

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


#13 Mom2four


Posted 10 March 2010 - 07:49 AM

Here is the list of the scan results.

C:\Program Files\PlaySushi\PSText.dll a variant of Win32/Adware.Gamevance.AG application cleaned by deleting - quarantined
C:\Program Files\PlaySushi\psuninst.exe a variant of Win32/Adware.Gamevance.AE application cleaned by deleting - quarantined
C:\Users\John Cornelisen\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\693a9520-73497f7b multiple threats deleted - quarantined



#14 thewall


Posted 10 March 2010 - 11:42 AM

Alright, let's open your MalwareBytes, do an update and then perform a Quick Scan.

#15 Mom2four


Posted 10 March 2010 - 06:52 PM

Malwarebytes' Anti-Malware 1.44
Database version: 3850
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

3/10/2010 5:51:51 PM
mbam-log-2010-03-10 (17-51-30).txt

Scan type: Quick Scan
Objects scanned: 167640
Time elapsed: 27 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\4dw4r3 (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




