
Search engine ads when clicking links


  • This topic is locked
8 replies to this topic

#1 Fireheart88

Fireheart88

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:42 AM

Posted 17 March 2010 - 04:37 PM

Hello there. I've recently dusted off an old laptop with Windows XP for browsing purposes. I've been trying to clean it up as good as possible, removing old applications and trying to run various scans for malware and viruses as well as trying to download the latest Windows Updates. I've run scans with Avast! and CCleaner, as well as Malwarebytes' Anti-Malware. That pretty much got most of the infections it had, the only thing I haven't been able to clear is an annoying "virus/malware" that redirects me to ads every time I try to click a search engine link (Yahoo.com, Google.com, MSN.com). I've tried switching browsers, as I'm not very fond of IE anyways, I've tried using Google Chrome and Firefox, with no improvement. I'm wondering if someone can help me get rid of this thing.

I've followed the preparation guide, here are my results:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Damaris at 13:18:58.76 on Wed 03/17/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.61 [GMT -7:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Damaris\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
{d3f669eb-57ce-4f45-8fbd-e245cbb46366}
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Fmawubalikoq] rundll32.exe "c:\windows\asasetube.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter\Gcc.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: RMfnldOuK - {B4BDA73D-1E17-0D97-219F-AA0AA3F4D670} - No File
LSA: Notification Packages = scecli nesvcmsr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\damaris\applic~1\mozilla\firefox\profiles\j0akk29c.default\
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {61F70A50-C525-49F8-AC9D-6417D13BF79F} - c:\documents and settings\damaris\local settings\application data\{61F70A50-C525-49F8-AC9D-6417D13BF79F}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys [2010-3-1 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-13 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-3-13 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-13 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-13 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-13 40384]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\hsfhwati.sys [2005-3-31 211200]
S0 3378071728;3378071728;c:\windows\system32\drivers\3378071728.sys --> c:\windows\system32\drivers\3378071728.sys [?]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-3-1 112592]

=============== Created Last 30 ================

2010-03-17 18:51:20 0 d-----w- c:\docume~1\damaris\applic~1\Malwarebytes
2010-03-17 18:50:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 18:50:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-17 18:50:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 18:50:42 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 17:58:37 0 d-----w- c:\program files\CCleaner
2010-03-16 12:44:56 0 d-----w- C:\bf9b6d7b78e10cf0e2bfc0b5ac11eae3
2010-03-16 03:17:39 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-14 02:44:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-03-14 02:25:03 848 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-01 17:05:38 0 d-----w- C:\94d326df108ed1f3ca9e1e0671
2010-03-01 16:46:53 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-03-01 16:44:26 0 d-----w- c:\program files\common files\iS3
2010-03-01 16:44:22 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-03-01 16:32:55 120 ----a-w- c:\windows\Rtijodet.dat
2010-03-01 16:32:55 0 ----a-w- c:\windows\Xvitalegetek.bin
2010-03-01 16:29:47 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-01 16:29:45 882 ----a-w- c:\windows\RegSDImport.xml
2010-03-01 16:29:45 880 ----a-w- c:\windows\RegISSImport.xml
2010-03-01 16:29:45 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-01 16:29:45 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-03-01 16:29:45 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-01 16:29:45 131 ----a-w- c:\windows\IDB.zip
2010-03-01 16:29:45 1152444 ----a-w- c:\windows\UDB.zip
2010-03-01 16:29:21 245 ----a-w- c:\windows\tmp439484.bat
2010-03-01 16:26:18 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-03-01 16:26:18 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 16:26:11 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 16:26:11 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-03-01 16:26:11 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-03-01 16:26:11 207280 ----a-w- c:\windows\system32\drivers\pctcore.sys
2010-03-01 16:25:45 0 d-----w- c:\program files\Spyware Doctor
2010-03-01 16:25:45 0 d-----w- c:\program files\common files\PC Tools
2010-02-26 00:00:42 23040 -c--a-w- c:\windows\system32\dllcache\setup.exe
2010-02-26 00:00:42 23040 ----a-w- c:\windows\system32\setup.exe
2010-02-23 18:45:07 0 d-----w- c:\docume~1\damaris\applic~1\McAfee.com
2010-02-22 04:56:33 0 d-----w- c:\program files\common files\DivX Shared
2010-02-22 04:56:29 0 d-----w- c:\program files\DivX
2010-02-22 04:38:57 54156 ---ha-w- c:\windows\QTFont.qfn
2010-02-22 04:38:57 1409 ----a-w- c:\windows\QTFont.for
2010-02-17 23:12:45 0 d-----w- c:\windows\ServicePackFiles
2010-02-17 18:14:40 0 d-----w- c:\windows\system32\CatRoot_bak
2010-02-17 18:11:34 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-17 18:11:34 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-02-17 18:11:18 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2010-02-17 18:10:55 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-17 18:10:23 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-02-17 18:10:14 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2010-02-17 18:10:14 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-02-17 18:10:13 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-02-17 18:10:13 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-02-17 18:10:13 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-02-17 18:10:13 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2010-02-17 18:10:13 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-17 18:10:12 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-02-17 18:09:49 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-02-17 18:08:28 453760 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-17 18:08:26 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-02-17 18:07:04 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-02-17 18:07:01 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-02-17 18:06:55 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-02-17 18:04:46 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-02-17 18:03:13 2142720 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-17 18:03:12 2185984 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-17 18:03:11 2020864 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-17 18:03:10 2063104 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-17 18:02:56 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-02-17 18:02:29 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-02-17 18:02:26 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-02-17 18:01:20 1196000 -c----w- c:\windows\system32\dllcache\sysmain.sdb
2010-02-17 18:01:19 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-02-16 22:49:30 0 d-----w- c:\windows\system32\PreInstall
2010-02-16 22:49:29 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-16 21:47:28 0 d-----w- c:\windows\system32\SoftwareDistribution
2010-02-16 10:58:03 0 d-----w- c:\docume~1\damaris\applic~1\GetRightToGo
2010-02-16 10:42:44 0 d-s---w- c:\documents and settings\damaris\UserData

==================== Find3M ====================

2010-03-14 00:21:57 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-13 23:23:46 1034240 ----a-w- c:\windows\EXPLORER.EXE
2010-03-13 23:23:15 16896 ----a-w- c:\windows\system32\SVCHOST.EXE
2010-03-13 23:23:12 14336 ----a-w- c:\windows\system32\LSASS.EXE
2010-03-13 23:23:11 112640 ----a-w- c:\windows\system32\SERVICES.EXE
2010-03-13 23:23:05 505856 ----a-w- c:\windows\system32\WINLOGON.EXE
2009-12-22 05:42:49 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42:45 81920 ----a-w- c:\windows\system32\ieencode.dll

============= FINISH: 13:19:58.87 ===============

The other two files are attached to this post.

Hope someone can help me. Thanks in advance.

Attached Files


Edited by Orange Blossom, 17 March 2010 - 06:36 PM.
Forum glitch. ~ OB
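The place to look for the redirect in a DDS log like the one above is the "Pseudo HJT Report" section: the line `uInternet Settings,ProxyServer = http=127.0.0.1:5555` means Internet Explorer's traffic is being routed through a process listening on the laptop itself, and a local proxy can rewrite any page it relays, which is consistent with the redirects surviving a switch of browser. The same section also shows an autorun that loads a DLL sitting directly in `c:\windows` via rundll32, an SSODL entry whose file no longer exists, a second LSA notification package beside the stock `scecli`, and a boot-start driver with a purely numeric name and no file on disk. The Python script below is an added example written for this page; it is not part of the thread, of DDS, or of any BleepingComputer tool. It runs five line-level heuristics (my own assumptions, not rules the DDS author publishes) over a constructed sample made of lines copied from the log above plus two benign lines for contrast. It deliberately does not score the `atapi.sys` entry in the Find3M section: a changed timestamp on a system file cannot be judged from the listing alone, which is why the helpers in this thread rely on dedicated tools rather than dates.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections posted in this topic, with two benign lines
# (the Google search page and the avast driver) kept in for contrast.
SAMPLE_DDS_LINES = r"""
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Fmawubalikoq] rundll32.exe "c:\windows\asasetube.dll",Startup
SSODL: RMfnldOuK - {B4BDA73D-1E17-0D97-219F-AA0AA3F4D670} - No File
LSA: Notification Packages = scecli nesvcmsr.dll
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-3-13 162640]
S0 3378071728;3378071728;c:\windows\system32\drivers\3378071728.sys --> c:\windows\system32\drivers\3378071728.sys [?]
"""


@dataclass(frozen=True)
class Finding:
    code: str   # short label for the heuristic that fired
    line: str   # the DDS line that triggered it


# Heuristics (assumptions of this example, not rules from DDS or the forum):
#   local-proxy        IE proxy pointing at 127.0.0.1, so a local process sits
#                      between the browser and every site it visits
#   rundll32-winroot   an autorun loading a DLL that lives directly in %WINDIR%
#   ssodl-no-file      a ShellServiceObjectDelayLoad entry whose file is gone
#   lsa-extra-package  an LSA notification package other than the stock scecli
#   numeric-driver     a boot/system-start driver with a purely numeric name
#                      and no file on disk ("[?]")
_PROXY_RE = re.compile(
    r"proxyserver\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost)(?::\d+)?", re.I)
_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', re.I)
_WINROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)
_NUMERIC_DRV_RE = re.compile(r"^[RS]\d\s+(\d+);\1;", re.I)


def analyze_dds(log_text: str) -> list[Finding]:
    """Scan DDS 'Pseudo HJT' and driver lines; return one Finding per hit."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        # 1. Browser proxy aimed at the machine itself.
        if low.startswith("uinternet settings,proxyserver") and _PROXY_RE.search(line):
            findings.append(Finding("local-proxy", line))

        # 2. Run-key entry using rundll32 to load a DLL straight out of %WINDIR%.
        if low.startswith(("mrun:", "urun:")):
            m = _RUNDLL_RE.search(line)
            if m and _WINROOT_DLL_RE.match(m.group(1)):
                findings.append(Finding("rundll32-winroot", line))

        # 3. Shell service object registered but its file is missing.
        if low.startswith("ssodl:") and low.endswith("- no file"):
            findings.append(Finding("ssodl-no-file", line))

        # 4. Anything besides scecli hooked into LSA password notifications.
        if low.startswith("lsa: notification packages"):
            packages = line.split("=", 1)[1].split()
            if any(p.lower() != "scecli" for p in packages):
                findings.append(Finding("lsa-extra-package", line))

        # 5. Numeric-named driver service whose binary DDS could not find.
        if _NUMERIC_DRV_RE.match(line) and line.endswith("[?]"):
            findings.append(Finding("numeric-driver", line))
    return findings


def finding_codes(log_text: str) -> list[str]:
    """Just the heuristic labels, in the order the lines appear in the log."""
    return [f.code for f in analyze_dds(log_text)]


if __name__ == "__main__":
    for f in analyze_dds(SAMPLE_DDS_LINES):
        print(f"{f.code:18} {f.line}")
```

Run as-is it prints the five flagged lines from the sample; point `analyze_dds` at the full text of a saved DDS report to triage a whole log. The labels are the script's own and are only pointers for a human reviewer: the ComboFix log later in this thread is what actually confirms which of these entries were removed.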




#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:42 AM

Posted 17 March 2010 - 04:55 PM

Hello Fireheart88,

Welcome to the Bleeping Computer Virus, Trojan, Spyware, and Malware Removal Logs Forum.


My nick is Net_Surfer and I'll be glad to help you with your computer problems. I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!


Please take note of the following which will make our fix go more smoothly:
    1. The cleaning process is not instant. Very seldom can we remove the entire infection in one go. Many of today's infections install other infections and for the most part they do not like to go quietly. Please continue to review my answers until I tell you your machine is clean. Just because a symptom "disappears" does not mean your system is clean.
    2. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
    3. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post. Please set aside enough time to complete all the steps in each post and follow the instructions in the order stated.
    4. If you are running P2P file sharing program(s), my recommendation is you uninstall it/them.
    5. Do NOT run any extra scans or fix programs not requested by me as it could change the results in the reports I request.
    6. If there's anything that you don't understand, stop and ask your question(s) before proceeding with the fixes.
    7. The forum is busy and we need to have replies as soon as possible. After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you have circumstances that you are aware of that will delay your response, then please let me know. This is to ensure that your topic remains open and I don't close it to start a new post.
NOTE: In the upper right hand corner of the topic you will see a button called Options. If you click on this button, a drop-down menu will expand. By choosing Track this topic and then choosing Immediate Email Notification, followed by clicking Proceed, you will be advised when I respond to your topic. This facilitates the cleaning procedure.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.
Please reply using the button in the lower right hand corner of your screen. Do not start a new topic.
If you can do these things, everything should go smoothly.


Step 1: We need to run GooredFix
  1. Please download Gooredfix from one of the following mirrors:
    Download Mirror #1
    Download Mirror #2
  2. Ensure all Firefox windows are closed.
  3. Double-click Gooredfix.exe to run it.
  4. When prompted to run the scan, click Yes.
  5. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Step 2: We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
In your next reply, please include the following:
  • Goored.txt log
  • Log.txt
  • info.txt

After you post the logs back here I will need a bit of time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

In the meantime, please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on, as it might prolong handling your log and make the job for both of us more difficult.

Note that reviewing your log(s) requires an amount of research, so please be patient.

Thanks and again sorry for the delay.

Kind regards
Net_Surfer






#3 Fireheart88

Fireheart88
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:42 AM

Posted 17 March 2010 - 05:19 PM

Hello, Net_Surfer. Thanks for the quick reply, I was expecting a few hours before any replies. Anyways, attached to this post are the three logs you asked for. Appreciate it!

Attached Files



#4 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:42 AM

Posted 17 March 2010 - 06:41 PM

Hello again Fireheart88,

Good job!

GooredFix got rid of some bad extensions from your Firefox browser.

Please carefully follow my next set of steps:


Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.

Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Step 1: **Note: In the event you already have old versions of ComboFix I need you to delete them; this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

  • For Internet Explorer:
    o Choose to save, not open the file
    o When prompted - save the file to your desktop, and rename it to CFscan with .exe extension on the end.

Please download Combofix from any of the links below but rename it to CFscan before saving it to your desktop.
Link 1
Link 2

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Step 2: Please insert your flash drive and all USB drives before running ComboFix
    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
  • Close any open browsers.
    WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
  • Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
-----------------------------------------------------------

Step 3: Double click on the renamed file on your desktop & follow the prompts.
If you are unsure how to run ComboFix tool, please visit this webpage for instructions: How-to-use-combofix
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.

    NOTE: If you have Windows XP: Combofix may ask you to install the Recovery Console, please allow it to do so.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
*** When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review.***

A word of advice if you are a lurker: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.


Step 4: Malwarebytes' Anti-Malware (MBAM)

Because some malware can be easily removed, we recommend Malwarebytes Anti-Malware be run. It's an advanced piece of software which should get a lot of what's on this machine. These guys are so on top of the latest infections it's amazing.

It's important to let me know however, if you experience any trouble getting to the site or updating it or opening it to run. Some rootkits target MBAM and those indicators are the 'tell', if you will. We have another method of double-checking for this rootkit, which if present, will require another special tool.


* MBAM
You already have Malwarebytes' Anti-Malware installed.
  • Open MBAM
  • Go to the updates tab, and click Update to update to the latest version
  • Once the program has updated, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: if you can not run a full system scan then retry with a quick scan.
    * Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
***NOTE: If MBAM will not install, try renaming it this way.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
**If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

MBAM Tutorial if needed

Make sure, you re-enable your security programs, when you're done with Combofix.

Summary of the logs I will need in your next reply:
  • The report log of ComboFix, C:\ComboFix.txt
  • The report log of MBAM
And a description of any remaining problems.

How are things at your end, Fireheart88?


Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

Kind regards
Net_Surfer



#5 Fireheart88

Fireheart88
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:08:42 AM

Posted 17 March 2010 - 08:19 PM

Hey there. I've finished running both scans, here are the log files.

Also, while I was waiting for a response, my antivirus warned me a few times about Win32: Alureon. I thought you should know, even though it said the threat was blocked. I'll write down the info if it pops up again.

So far, so good, done a few searches in Google and no ads so far. Computer booted up fine, even though a few popups for missing DLLs appeared when my computer was shutting down and when it came back up, couldn't copy their names because they went away too fast.

ComboFix 10-03-17.06 - Damaris 03/17/2010 17:27:01.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.10 [GMT -7:00]
Running from: c:\documents and settings\Damaris\Desktop\CFscan.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Damaris\Local Settings\Application Data\{8AE302A8-8087-4E86-A720-6DFA650344DD}
c:\documents and settings\Damaris\Local Settings\Application Data\{8AE302A8-8087-4E86-A720-6DFA650344DD}\chrome.manifest
c:\documents and settings\Damaris\Local Settings\Application Data\{8AE302A8-8087-4E86-A720-6DFA650344DD}\chrome\content\_cfg.js
c:\documents and settings\Damaris\Local Settings\Application Data\{8AE302A8-8087-4E86-A720-6DFA650344DD}\chrome\content\overlay.xul
c:\documents and settings\Damaris\Local Settings\Application Data\{8AE302A8-8087-4E86-A720-6DFA650344DD}\install.rdf
c:\recycler\S-1-5-21-4248637238-1128673168-1010321132-1003
c:\windows\asasetube.dll
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-02-18 to 2010-03-18 )))))))))))))))))))))))))))))))
.

2010-03-17 23:57 . 2010-03-17 23:57 -------- d-----w- c:\windows\LastGood.Tmp
2010-03-17 23:57 . 2010-03-17 23:56 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-17 23:54 . 2010-03-18 00:00 95360 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2010-03-17 22:12 . 2010-03-17 22:13 -------- d-----w- c:\program files\trend micro
2010-03-17 22:12 . 2010-03-17 22:14 -------- d-----w- C:\rsit
2010-03-17 18:51 . 2010-03-17 18:51 -------- d-----w- c:\documents and settings\Damaris\Application Data\Malwarebytes
2010-03-17 18:50 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 18:50 . 2010-03-17 18:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-17 18:50 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 18:50 . 2010-03-17 18:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 17:58 . 2010-03-17 17:58 -------- d-----w- c:\program files\CCleaner
2010-03-17 17:52 . 2010-03-17 17:52 -------- d-----w- c:\documents and settings\Damaris\Local Settings\Application Data\Mozilla
2010-03-16 12:44 . 2010-03-16 12:45 -------- d-----w- C:\bf9b6d7b78e10cf0e2bfc0b5ac11eae3
2010-03-16 03:25 . 2010-03-17 19:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\shqymp
2010-03-16 03:17 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-14 02:46 . 2010-03-09 11:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-03-14 02:46 . 2010-03-09 11:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-03-14 02:46 . 2010-03-09 11:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-03-14 02:45 . 2010-03-09 11:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-03-14 02:45 . 2010-03-09 11:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-03-14 02:45 . 2010-03-09 11:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-03-14 02:45 . 2010-03-09 11:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-03-14 02:44 . 2010-03-09 11:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-03-14 02:44 . 2010-03-09 11:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-14 02:44 . 2010-03-14 02:44 -------- d-----w- c:\program files\Alwil Software
2010-03-14 02:44 . 2010-03-14 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-03-01 17:10 . 2010-03-01 17:10 -------- d-----w- c:\documents and settings\Damaris\Local Settings\Application Data\Temp
2010-03-01 17:05 . 2010-03-01 17:20 -------- d-----w- C:\94d326df108ed1f3ca9e1e0671
2010-03-01 16:46 . 2010-03-01 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-03-01 16:44 . 2010-03-01 16:44 -------- d-----w- c:\program files\Common Files\iS3
2010-03-01 16:44 . 2010-03-14 04:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-03-01 16:32 . 2010-03-18 00:04 120 ----a-w- c:\windows\Rtijodet.dat
2010-03-01 16:32 . 2010-03-17 19:53 0 ----a-w- c:\windows\Xvitalegetek.bin
2010-03-01 16:32 . 2010-03-01 16:32 -------- d-----w- c:\documents and settings\Damaris\Local Settings\Application Data\{63873CA3-7F89-496E-AA06-A2273C158A5D}
2010-03-01 16:29 . 2009-11-10 18:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-01 16:29 . 2009-11-10 18:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-01 16:29 . 2009-11-10 18:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-01 16:29 . 2009-11-10 18:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-03-01 16:29 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-01 16:29 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2010-03-01 16:29 . 2010-03-01 16:29 245 ----a-w- c:\windows\tmp439484.bat
2010-03-01 16:28 . 2010-03-01 16:28 -------- d-----w- c:\windows\Sun
2010-03-01 16:26 . 2010-02-05 17:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 16:26 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 16:26 . 2009-09-24 00:10 207280 ----a-w- c:\windows\system32\drivers\pctcore.sys
2010-03-01 16:25 . 2010-03-14 02:16 -------- d-----w- c:\program files\Spyware Doctor
2010-03-01 16:25 . 2010-03-14 02:04 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-01 16:25 . 2010-03-18 00:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 03:38 . 2010-02-28 03:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-02-26 01:01 . 2010-02-26 01:01 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-02-26 00:00 . 2004-08-04 12:00 23040 -c--a-w- c:\windows\system32\dllcache\setup.exe
2010-02-26 00:00 . 2004-08-04 12:00 23040 ----a-w- c:\windows\system32\setup.exe
2010-02-23 18:45 . 2010-02-23 18:45 -------- d-----w- c:\documents and settings\Damaris\Application Data\McAfee.com
2010-02-23 18:30 . 2010-02-23 18:30 70448 ----a-w- c:\documents and settings\Damaris\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-22 20:22 . 2010-02-22 20:22 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-02-22 05:10 . 2010-02-22 05:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-02-22 04:57 . 2010-02-22 04:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-02-22 04:56 . 2010-02-22 04:56 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-02-22 04:56 . 2010-02-22 04:57 -------- d-----w- c:\program files\DivX
2010-02-17 23:12 . 2010-02-17 23:12 -------- d-----w- c:\windows\ServicePackFiles
2010-02-17 22:33 . 2010-02-17 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-17 18:14 . 2010-02-17 18:29 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-02-17 18:11 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-02-17 18:11 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-02-17 18:11 . 2009-12-31 16:14 352640 -c----w- c:\windows\system32\dllcache\srv.sys
2010-02-17 18:10 . 2009-11-21 16:36 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-17 18:10 . 2009-10-15 17:21 82432 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-02-17 18:10 . 2009-03-06 14:00 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2010-02-17 18:10 . 2005-07-26 04:20 60416 -c----w- c:\windows\system32\dllcache\colbact.dll
2010-02-17 18:10 . 2009-02-09 10:01 617984 -c----w- c:\windows\system32\dllcache\advapi32.dll
2010-02-17 18:10 . 2009-02-09 10:01 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll
2010-02-17 18:10 . 2009-02-09 10:01 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2010-02-17 18:10 . 2009-02-06 09:54 35328 -c----w- c:\windows\system32\dllcache\sc.exe
2010-02-17 18:10 . 2009-02-06 09:41 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2010-02-17 18:10 . 2009-02-09 10:01 715264 -c----w- c:\windows\system32\dllcache\ntdll.dll
2010-02-17 18:09 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-02-17 18:08 . 2009-12-04 14:41 453760 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-17 18:07 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
2010-02-17 18:07 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2010-02-17 18:06 . 2009-07-10 13:42 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2010-02-17 18:04 . 2008-04-11 18:50 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2010-02-17 18:03 . 2009-12-08 18:11 2142720 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-17 18:03 . 2009-12-08 18:14 2185984 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-17 18:03 . 2009-12-08 17:35 2020864 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-17 18:03 . 2009-12-08 17:35 2063104 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-17 18:02 . 2009-06-05 07:42 655872 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-02-17 18:02 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2010-02-17 18:02 . 2009-07-31 04:57 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2010-02-17 18:01 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2010-02-16 22:49 . 2008-07-09 07:38 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2010-02-16 16:56 . 2010-02-16 16:56 -------- d-----w- c:\documents and settings\Damaris\Local Settings\Application Data\PCHealth
2010-02-16 11:12 . 2010-02-16 11:12 -------- d-----w- c:\documents and settings\Damaris\Local Settings\Application Data\Microsoft Help
2010-02-16 11:11 . 2010-02-16 17:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-16 10:58 . 2010-02-16 11:12 -------- d-----w- c:\documents and settings\Damaris\Application Data\GetRightToGo
2010-02-16 10:42 . 2010-02-16 10:42 -------- d-s---w- c:\documents and settings\Damaris\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-17 17:41 . 2005-08-09 22:47 -------- d-----w- c:\program files\Pure Networks
2010-03-15 19:17 . 2005-08-09 22:28 -------- d-----w- c:\program files\Google
2010-03-14 04:53 . 2005-08-09 22:00 -------- d-----w- c:\program files\Toshiba
2010-03-14 04:52 . 2005-08-09 22:45 -------- d-----w- c:\program files\Common Files\aolshare
2010-03-14 04:52 . 2005-08-09 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-03-14 04:52 . 2010-02-10 02:54 -------- d-----w- c:\documents and settings\Damaris\Application Data\AOL
2010-03-14 04:52 . 2005-08-09 22:45 -------- d-----w- c:\program files\Common Files\AOL
2010-03-14 04:52 . 2010-03-01 16:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\AOL
2010-03-14 04:51 . 2005-08-09 22:45 -------- d-----w- c:\program files\America Online 9.0
2010-03-14 04:32 . 2005-08-09 23:13 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com
2010-03-14 04:31 . 2010-03-14 02:25 848 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-03-13 23:23 . 2005-08-09 20:37 1034240 ----a-w- c:\windows\EXPLORER.EXE
2010-03-13 23:23 . 2005-08-09 20:38 16896 ----a-w- c:\windows\system32\SVCHOST.EXE
2010-03-13 23:23 . 2005-08-09 20:38 14336 ----a-w- c:\windows\system32\LSASS.EXE
2010-03-13 23:23 . 2005-08-09 20:38 112640 ----a-w- c:\windows\system32\SERVICES.EXE
2010-03-13 23:23 . 2005-08-09 20:38 505856 ----a-w- c:\windows\system32\WINLOGON.EXE
2010-03-01 16:28 . 2010-03-01 16:28 24 ----a-w- c:\documents and settings\NetworkService\Application Data\glchvt.dat
2010-02-16 11:35 . 2005-08-10 20:38 -------- d-----w- c:\program files\Microsoft Works
2010-02-16 04:39 . 2010-03-14 00:45 183582 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-02-15 16:32 . 2010-02-15 16:32 -------- d-----w- c:\program files\Funk Software
2010-02-15 16:32 . 2010-02-15 16:32 -------- d-----w- c:\program files\Common Files\Funk Software
2010-02-15 16:31 . 2010-02-15 16:31 -------- d-----w- c:\program files\Linksys
2010-02-15 16:31 . 2005-08-09 21:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-14 18:06 . 2005-08-09 22:39 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-11 16:32 . 2010-02-11 16:32 -------- d-----w- c:\documents and settings\Damaris\Application Data\InterVideo
2010-02-10 02:43 . 2010-02-10 02:43 -------- d-----w- c:\program files\ArcSoft
2009-12-31 16:14 . 2005-08-09 20:38 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:42 . 2005-08-09 20:38 662016 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:42 . 2005-08-09 20:37 81920 ----a-w- c:\windows\system32\ieencode.dll
.

------- Sigcheck -------

[-] 2010-03-13 . C3E6B717E7B284E1FA89BA9F7A1BE1ED . 14336 . . [5.1.2600.2180] . . c:\windows\system32\LSASS.EXE
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\lsass.exe

[-] 2010-03-13 . 5601875F8E0FE31B37464FEDE334B0B2 . 112640 . . [5.1.2600.3520] . . c:\windows\system32\SERVICES.EXE
[7] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\services.exe
[7] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2010-03-13 . E853481FEF64A5BE3FC3732D9D3D926A . 505856 . . [5.1.2600.2180] . . c:\windows\system32\WINLOGON.EXE
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe

[-] 2010-03-13 . 4E06F50F95357B8CFBC81F5699E754B7 . 16896 . . [5.1.2600.2180] . . c:\windows\system32\SVCHOST.EXE
[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe

[-] 2010-03-13 . 0C1E156ECF96E447870EBFB27413BD60 . 1034240 . . [6.00.2900.2180] . . c:\windows\EXPLORER.EXE
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-09 98304]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-9 155648]
Wireless-G Notebook Adapter.lnk - c:\program files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [2010-2-15 36864]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
makesc REG_SZ c:\windows\system32\conidsvc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys [3/1/2010 9:26 AM 207280]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/13/2010 7:46 PM 162640]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/13/2010 7:46 PM 19024]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\hsfhwati.sys [3/31/2005 5:08 PM 211200]
S0 3378071728;3378071728;c:\windows\system32\drivers\3378071728.sys --> c:\windows\system32\drivers\3378071728.sys [?]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [3/1/2010 9:29 AM 112592]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Damaris\Application Data\Mozilla\Firefox\Profiles\j0akk29c.default\
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-Fmawubalikoq - c:\windows\asasetube.dll
SSODL-RMfnldOuK-{B4BDA73D-1E17-0D97-219F-AA0AA3F4D670} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-17 17:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\windows\system32\Ati2evxx.dll
c:\program files\Funk Software\Funk Client\odLogin.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-17 17:42:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-18 00:42

Pre-Run: 28,180,377,600 bytes free
Post-Run: 28,501,688,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5305362E44F7FD11B150A1A5D70983F7

EDIT: pasted the combofix log to ease my research of the files.

Attached Files


Edited by Net_Surfer, 17 March 2010 - 08:35 PM.

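Reading a ComboFix report like the one above by hand means scanning the Sigcheck block, the registry loading points, the service list and the Internet settings for a handful of tell-tale patterns. The script below is an added example, not part of this thread and not ComboFix's own code: it runs those checks over a constructed sample built from lines of the log posted above (Sigcheck `[-]` entries for core binaries in c:\windows and c:\windows\system32, an AppCertDlls entry, the firewall profile switched off, a driver service whose file is missing, and a ProxyServer entry pointing at 127.0.0.1). The `Finding` class, the rule names and the regular expressions are my own; the log format they parse is inferred from the posted report.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above,
# trimmed to the sections the triage rules look at.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2010-03-13 . C3E6B717E7B284E1FA89BA9F7A1BE1ED . 14336 . . [5.1.2600.2180] . . c:\windows\system32\LSASS.EXE
[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\lsass.exe
[7] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3GDR\services.exe
[-] 2010-03-13 . 4E06F50F95357B8CFBC81F5699E754B7 . 16896 . . [5.1.2600.2180] . . c:\windows\system32\SVCHOST.EXE
[-] 2010-03-13 . 0C1E156ECF96E447870EBFB27413BD60 . 1034240 . . [6.00.2900.2180] . . c:\windows\EXPLORER.EXE

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
makesc REG_SZ c:\windows\system32\conidsvc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys [3/1/2010 9:26 AM 207280]
S0 3378071728;3378071728;c:\windows\system32\drivers\3378071728.sys --> c:\windows\system32\drivers\3378071728.sys [?]

uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""


@dataclass
class Finding:
    rule: str    # short rule name (my own naming)
    detail: str  # what matched and why a helper cares
    line: str    # the log line that triggered the rule


# Sigcheck line: [status] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r'^\[(?P<status>[^\]]+)\] (?P<date>\S+) \. (?P<md5>[0-9A-F]{32}) \. (?P<size>\d+)'
    r' \. \. \[(?P<ver>[^\]]+)\] \. \. (?P<path>.+)$')
SECTION_RE = re.compile(r'^\[(?P<key>.+)\]$')              # registry key header
APPCERT_RE = re.compile(r'^(?P<name>\S+)\s+REG_SZ\s+(?P<dll>.+)$')
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)\s\[(?P<info>.*)\]$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer = (?P<value>.+)$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

# A core Windows binary that fails Sigcheck in one of these directories is a
# patched-file indicator; copies under SoftwareDistribution or $hf_mig$ are
# just update staging areas and are skipped.
CORE_DIRS = {r'c:\windows', r'c:\windows\system32'}


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries found in a ComboFix-style report."""
    findings: list[Finding] = []
    section = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group('key').lower()
            continue
        m = SIGCHECK_RE.match(line)
        if m and m.group('status') == '-':
            path = m.group('path')
            if ntpath.dirname(path).lower() in CORE_DIRS:
                findings.append(Finding(
                    'unsigned-core-binary',
                    f"{path} does not match a known-good build (md5 {m.group('md5')})", line))
            continue
        if 'appcertdlls' in section:
            m = APPCERT_RE.match(line)
            if m:
                findings.append(Finding(
                    'appcertdll',
                    f"{m.group('dll')} is loaded into every process that creates a process", line))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding(
                'firewall-disabled', 'Windows Firewall standard profile is turned off', line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            reasons = []
            if m.group('info') == '?':
                reasons.append('file not found on disk')
            if m.group('name').isdigit():
                reasons.append('numeric-only service name')
            if reasons:
                findings.append(Finding(
                    'suspicious-service', f"{m.group('name')}: " + ', '.join(reasons), line))
            continue
        m = PROXY_RE.match(line)
        if m:
            value = m.group('value')
            if '127.0.0.1' in value or 'localhost' in value.lower():
                findings.append(Finding(
                    'loopback-proxy',
                    f"browser traffic is routed through a local proxy ({value}); a process on this "
                    f"machine sees and can rewrite every HTTP request", line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

On the sample this reports seven findings: the three Sigcheck mismatches in system32 and the Windows root (the SoftwareDistribution copy is ignored), the AppCertDlls entry, the disabled firewall, the numeric-named driver service with no file on disk, and the loopback proxy. The proxy rule is the one most directly tied to the symptom in this thread: with ProxyServer set to 127.0.0.1, every HTTP request the browser makes passes through a local process first, which is why switching browsers did not change anything.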

#6 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:42 AM

Posted 17 March 2010 - 10:46 PM

Hello again Fireheart88,

The Combofix tool got some baddies; we still have some more to clean up, but let's do this first:

Please carefully follow my next set of steps:


Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost. Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

Please note: You may have to disable any script protection running if the scans fail to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scans, enable your A/V and reconnect to the internet.


Step 1: TDSSKiller

Please run TDSSKiller
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
Step 2: Re-scan with Gmer.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Make sure you re-enable your security programs when you're done with the scans, before you connect to the internet.

Summary of the logs I will need in your next reply:
  • The report log of TDSSKiller created on your C: drive called TDSSKiller.txt
  • The report log of Gmer.
And a description of any remaining problems.


How are things at your end, Fireheart88?


After you post the logs back here I will need some time to review your logs and take the steps necessary with you to get your machine back in working order, clean and free of malware.

Thanks, and again sorry for the delay.

In the meantime, please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on, as it might prolong handling your log and make the job for both of us more difficult.

Kind regards
Net_Surfer



#7 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:42 AM

Posted 19 March 2010 - 12:07 AM

Hello Fireheart88,

Bump

Are you still there???

Please reply to this post so I know you are there.

If you are please follow the instructions in my previous post.


Please continue to review my answers until I tell you your machine appears to be clear. Remember absence of symptoms does not mean that everything is clear.

I have not had a reply from you. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

The forum is busy and we need to have replies as soon as possible. Unfortunately, if I do not hear back from you within 3 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative of the assistance provided by replying back and letting us know the reason for your delay.


If you like you can PM me.

Thanks,

Kind regards
Net_Surfer



#8 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:42 AM

Posted 24 March 2010 - 10:18 PM

Hello fireheart88...

It has been a few days since my last post to you. It would be a shame to leave this thread now since you are still infected.

* Do you need more time?
* Are you having problems understanding or following my instructions?

Just let me know what's going on otherwise...
After 24 hrs., if you have not replied to this thread... it will be closed!

Kind regards
Net_Surfer

#9 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:42 AM

Posted 26 March 2010 - 05:43 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread.


Thanks!
Net_Surfer


Edited by Net_Surfer, 26 March 2010 - 05:46 PM.




