Remnants of Antispyware XP not going away


27 replies to this topic

#1 gator4798


Posted 12 April 2010 - 01:48 AM

Hey folks, I was here once before and found this forum and all its members to be a godsend. Here's what's happened. Last night I mistakenly let my computer do all the Windows updates I've been avoiding. 13 of them installed without a problem. Today avast pops up with a trojan alarm. It seems to take care of it before I notice I have this lovely new antispyware program that was installed for me. Ain't that nice of them. I looked it up online and ran Malwarebytes to get rid of it. It seemed to work after 2 runs of the program. My internet no longer functions, but I know the router and all connections are working. Still can't get into regedit, but that seems to be it. Any help would be just great. Thanks. HJT and DDS logs follow. GMER can't run; it gets an error while scanning and crashes. Oh, and it seems I still have some popups as well.

HJT
[codebox]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:32 PM, on 4/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PSIService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\EZ-RC\ez-rc-tray.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Gigabyte\ET5\GUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\IT Works\Ez OFF\EzOff.exe,
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [EasyTuneV] C:\Program Files\Gigabyte\ET5\ETcall.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.com .exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [DPAgnt] C:\Program Files\DigitalPersona\Bin\DPAgnt.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\program files\microsoft activesync\wcescomm .exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKUS\S-1-5-21-842925246-1659004503-1801674531-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User '?')
O4 - HKUS\S-1-5-21-842925246-1659004503-1801674531-1004\..\Run: [H/PC Connection Agent] "C:\program files\microsoft activesync\wcescomm .exe" (User '?')
O4 - HKUS\S-1-5-21-842925246-1659004503-1801674531-1004\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-842925246-1659004503-1801674531-1004\..\Run: [Aim6] (User '?')
O4 - HKUS\S-1-5-21-842925246-1659004503-1801674531-1004\..\Run: [Google Update] "C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User '?')
O4 - HKUS\S-1-5-21-842925246-1659004503-1801674531-1004\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [tbkejhsc] C:\Documents and Settings\NetworkService\Local Settings\Application Data\ychdjvjun\dwuqcjbtssd.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [tbkejhsc] C:\Documents and Settings\NetworkService\Local Settings\Application Data\ychdjvjun\dwuqcjbtssd.exe (User 'Default user')
O4 - S-1-5-21-842925246-1659004503-1801674531-1004 Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe (User '?')
O4 - S-1-5-21-842925246-1659004503-1801674531-1004 Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe (User '?')
O4 - S-1-5-21-842925246-1659004503-1801674531-1004 Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe (User '?')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: EZ-RC System Tray.lnk = C:\Program Files\EZ-RC\ez-rc-tray.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{47E5B7DD-44EA-4669-9A78-B4AED9FE16F0}: NameServer = 93.188.165.129,93.188.166.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.165.129,93.188.166.124
O17 - HKLM\System\CS1\Services\Tcpip\..\{47E5B7DD-44EA-4669-9A78-B4AED9FE16F0}: NameServer = 93.188.165.129,93.188.166.124
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.165.129,93.188.166.124
O17 - HKLM\System\CS2\Services\Tcpip\..\{47E5B7DD-44EA-4669-9A78-B4AED9FE16F0}: NameServer = 93.188.165.129,93.188.166.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.129,93.188.166.124
O20 - AppInit_DLLs: app_dll.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Windows XP FUS Manager (DPFUSMgr) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: EOUACService - Unknown owner - C:\Program Files\IT Works\Ez OFF\EOUACService.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Portable Library - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9859c78c1b384) (gupdate1c9859c78c1b384) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Livescribe Pulse Smartpen Service (PenCommService) - Livescribe - C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
O23 - Service: Tenable Nessus - Tenable Network Security, Inc - C:\Program Files\Tenable\Nessus\nessus-service.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12668 bytes
[/codebox]

DDS
[codebox]

DDS (Ver_10-03-17.01) - NTFSx86
Run by Alex at 23:30:45.15 on Sun 04/11/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_16
AV: avast! antivirus 4.8.1229 [VPS 100228-1] *On-access scanning enabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\it works\ez off\EzOff.exe,
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm .exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Aim6]
uRun: [Google Update] "c:\documents and settings\alex\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [EasyTuneV] c:\program files\gigabyte\et5\ETcall.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LVCOMSX] "c:\program files\common files\logishrd\lcommgr\LVComSX.exe"
mRun: [M-Audio Taskbar Icon] c:\windows\system32\M-AudioTaskBarIcon.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm .exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.com .exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [DPAgnt] c:\program files\digitalpersona\bin\DPAgnt.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
dRun: [tbkejhsc] c:\documents and settings\networkservice\local settings\application data\ychdjvjun\dwuqcjbtssd.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: NameServer = 93.188.165.129,93.188.166.124
TCP: {47E5B7DD-44EA-4669-9A78-B4AED9FE16F0} = 93.188.165.129,93.188.166.124
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: DPWLN - c:\windows\system32\DPWLEvHd.dll
AppInit_DLLs: app_dll.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli DPPWDFLT

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\alex\applic~1\mozilla\firefox\profiles\a8s832yy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Anime Planet
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2009-01-01 07:50:12 168 --sh--r- c:\windows\system32\A7C0838AA7.sys
2008-11-18 04:20:41 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111720081118\index.dat
2009-10-13 14:49:03 16384 -csha-w- c:\windows\temp\cookies\index.dat
2009-10-13 14:49:03 16384 -csha-w- c:\windows\temp\history\history.ie5\index.dat
2009-10-13 14:49:03 49152 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 23:34:20.82 ===============
[/codebox]

Thanks for looking this over for me.
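The HJT log above is what the helpers read line by line. As an added example (not code from the poster, from BleepingComputer or from HijackThis), here is a small Python triage script that parses the HJT entry format and flags the categories that matter most in this particular log: the O7 policy that explains why regedit will not open, the O17 NameServer entries, the O20 AppInit_DLLs value, a second Userinit program, and an O4 auto-start running out of the NetworkService profile. The rules and the small known-good allowlist are this example's own heuristics; a hit means "identify this", not "this is malware".

```python
"""Triage a HijackThis (HJT) log for the entry types a removal helper reads first.

Added example, not code from the BleepingComputer post or from HijackThis itself.
The risk rules are this example's own heuristics; the sample lines are taken
from the log posted in the thread.
"""
import re
from dataclasses import dataclass

# Sample input: a handful of lines copied from the posted HJT log.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\IT Works\Ez OFF\EzOff.exe,
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\.DEFAULT\..\Run: [tbkejhsc] C:\Documents and Settings\NetworkService\Local Settings\Application Data\ychdjvjun\dwuqcjbtssd.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.129,93.188.166.124
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Private/loopback resolver ranges; anything else configured on a home PC is
# worth identifying, because it decides where every hostname resolves.
PRIVATE_DNS = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")

# Folders from which a legitimate auto-start entry rarely runs.
SUSPICIOUS_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\documents and settings\\networkservice\\",
)

# Narrow path-fragment allowlist for known software that does live there
# (this example's own list; extend deliberately, never by entry name alone).
KNOWN_GOOD_FRAGMENTS = ("\\google\\update\\googleupdate.exe",)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt_line(line):
    """Split 'O4 - HKLM\\..\\Run: [Name] path' into (section, body); None if not an entry."""
    m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def assess(section, body, line):
    """Return a Finding when an entry matches one of the heuristics, else None."""
    lower = body.lower()
    if section == "O7" and "disableregedit=1" in lower.replace(" ", ""):
        return Finding(section, "registry editor disabled by policy", line)
    if section == "O17" and "nameserver = " in lower:
        servers = [s.strip() for s in body.split("NameServer = ", 1)[1].split(",")]
        public = [s for s in servers if s and not PRIVATE_DNS.match(s)]
        if public:
            return Finding(section, "non-private DNS servers: " + ", ".join(public), line)
    if section == "O20" and lower.startswith("appinit_dlls:"):
        dll = body.split(":", 1)[1].strip()
        if dll:
            return Finding(section, f"AppInit_DLLs loads {dll} into every process using user32.dll", line)
    if section == "F2" and "userinit=" in lower:
        programs = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
        if len(programs) > 1:  # only userinit.exe itself is expected here
            return Finding(section, "extra Userinit program(s): " + ", ".join(programs[1:]), line)
    if section == "O4" and any(d in lower for d in SUSPICIOUS_DIRS):
        if not any(g in lower for g in KNOWN_GOOD_FRAGMENTS):
            return Finding(section, "auto-start entry runs from a profile data/temp folder", line)
    return None


def triage(log_text):
    """Return the Findings for an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_hjt_line(raw)
        if parsed:
            finding = assess(parsed[0], parsed[1], raw.strip())
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```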



#2 gator4798


Posted 12 April 2010 - 11:09 AM

Update: after an uninstall and reinstall of Google Chrome it still won't work, whereas IE and Firefox are working.

Oh, and it's trying to redirect me to directrdr.com/v3.php and so on.

Edited by gator4798, 12 April 2010 - 11:15 AM.


#3 gator4798


Posted 14 April 2010 - 06:02 PM

Update 2: Apparently the malware was just sleeping; last night it came back full force. I followed the instructions about removing it I found here. Malwarebytes found 7 or so entries (log attached) and I allowed the restart, but the malware is still there and now Malwarebytes shows it's clean. Popups and redirects are everywhere. Thanks for the help, whoever gets to me first :-) Log 0_26_1 is the one I ran when it reappeared; 8_30_11 is the log from when I first ran it, shortly after the malware got in.


#4 Jat90


Posted 15 April 2010 - 07:37 AM

Hello, gator4798

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Try not to bump your topic for reasons outlined in the Forum Guidelines. Also, please do not code your logs; pasting them directly is much preferred. GMER probably couldn't run properly due to the DAEMON Tools driver running; they can conflict, which causes crashes. Let's do this:

DeFogger

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Edited by Jat90, 15 April 2010 - 08:02 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 gator4798


Posted 15 April 2010 - 09:29 PM

Thanks for the help, GMER is running and is on its 8th hour of scanning. As soon as it's done I'll post the logs.

#6 Jat90


Posted 16 April 2010 - 07:22 AM

Not a good sign. If it does not complete or is still scanning, then please use RootRepeal instead:

RootRepeal

We need to check for rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  3. Open on your desktop.
  4. Click the tab.
  5. Click the button.
  6. Check all seven boxes:
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#7 gator4798


Posted 16 April 2010 - 01:29 PM

Ever had one of those days where nothing you try works right? That's been my week. GMER seemed to run just fine for quite some time, then I looked up to the login screen. I was going to bed, so for the moment I just shut it down. I awaken this morning to find that the damn thing won't boot, just a lovely black screen. Great, I say. I move on to a safe mode boot; it's hung for 15 min now on System32/DRIVERS/isapnp.sys. I need to take off, so I'll let it keep trying; hopefully it will boot. I'll post an update around about 3 pm PST.

#8 Jat90 (Members, 1,515 posts, Male, United Kingdom)

Posted 16 April 2010 - 04:32 PM

Hmm,

Seems rootkit related, but I will need a GMER or RootRepeal log to see what exactly it is. I'll keep checking for logs or any problems you may have.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#9 gator4798 (Topic Starter, Members, 21 posts)

Posted 17 April 2010 - 12:52 PM

OK, well, I'm going to try and boot the machine from a bootable Linux CD-ROM. Any ideas on a good Linux-based scanner? I might be able to recover the GMER log if it actually finished. I'll know in about 5 hours.

#10 Jat90 (Members, 1,515 posts, Male, United Kingdom)

Posted 17 April 2010 - 01:42 PM

I'm not aware of any Linux scanners; however, we could try and run ComboFix and skip the GMER scans. My thinking is that if we get ComboFix to get rid of any other nasties on your system, your PC should be able to boot normally for us to finish cleaning. Can you access your PC via Safe Mode, or is it completely unbootable?
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#11 gator4798 (Topic Starter, Members, 21 posts)

Posted 17 April 2010 - 07:53 PM

OK, I got the machine to boot from a Linux bootable CD, and there are no new GMER logs, so it didn't finish. I have an old HD loaded with XP that I'll try to boot from and run GMER to get a scan. I'll post again in about an hour with the results.

#12 gator4798 (Topic Starter, Members, 21 posts)

Posted 17 April 2010 - 08:10 PM

GMER is scanning now.


#13 gator4798 (Topic Starter, Members, 21 posts)

Posted 18 April 2010 - 12:11 AM

Well, GMER crashes the entire computer when I run it on a file scan; thankfully XP tells me what files caused the crash:
C:\DOCUME~1\Alex\LOCALS~1\Temp\WER9a54.dir00\Mini041710-02.dmp
C:\DOCUME~1\Alex\LOCALS~1\Temp\WER9a54.dir00\sysdata.xml

Any idea what these are and how to get rid of them? Thanks. I'll keep trying to get the thing to boot, and yeah, it won't boot in Safe Mode or normally at all. Bleeping computers :-/

#14 Jat90 (Members, 1,515 posts, Male, United Kingdom)

Posted 18 April 2010 - 05:21 AM

Hello,

We need to run ComboFix:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#15 gator4798 (Topic Starter, Members, 21 posts)

Posted 19 April 2010 - 02:29 AM

Yay, I made progress of sorts. I still can't get the main OS to boot, and running ComboFix under the new OS is useless. However, I was able to run MBAM, do a full scan and point it at the infected drive. The MBAM log is below; let me know how to proceed. I don't want to let MBAM try to fix it until I know it won't screw up other stuff.
LOG:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/19/2010 1:23:36 AM
mbam-log-2010-04-19 (01-23-36).txt

Scan type: Full scan (D:\|)
Objects scanned: 396448
Time elapsed: 1 hour(s), 44 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Program Files\uSeesoft\Audio Converter\mr.dll (Backdoor.Generic) -> No action taken.
D:\WINDOWS\system32\diskchk.sys (Rootkit.Agent) -> No action taken.
D:\WINDOWS\Temp\sig7.tmp (Rootkit.Agent) -> No action taken.
D:\Documents and Settings\Alex\My Documents\uSeesoft.Audio.Converter.1.5.0.4.Cracked-ErES\Crack\mr.dll (Backdoor.Generic) -> No action taken.
D:\Documents and Settings\Alex\My Documents\Anno.1404.Dawn.Of.Discovery.ENG.Rip-TPTB\d3drm.dll (Malware.Packer.Gen) -> No action taken.

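The log above is in the fixed text layout MBAM 1.x wrote: a summary block of "<kind> Infected: <n>" counts, then one section per kind listing each hit as "<path> (<detection>) -> <action>.". Parsing it lets you check that the section counts match the listed entries and group hits by detection family and where they sit on the disk before deciding what to let the scanner delete. The following is an added example written for this page, not code from the thread, from Malwarebytes or from BleepingComputer; the regexes are fitted to the 1.45 layout shown in the post, the location classes are this example's own heuristic, and the sample log is constructed from the entries above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage what it found.

Added example; not code from the thread, MBAM or BleepingComputer. The
regexes are fitted to the 1.45 log layout shown in the post above, and the
location classes are this example's own heuristic.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of the posted log (same entries, trimmed).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Scan type: Full scan (D:\|)
Objects scanned: 396448

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
D:\Program Files\uSeesoft\Audio Converter\mr.dll (Backdoor.Generic) -> No action taken.
D:\WINDOWS\system32\diskchk.sys (Rootkit.Agent) -> No action taken.
D:\WINDOWS\Temp\sig7.tmp (Rootkit.Agent) -> No action taken.
D:\Documents and Settings\Alex\My Documents\uSeesoft.Audio.Converter.1.5.0.4.Cracked-ErES\Crack\mr.dll (Backdoor.Generic) -> No action taken.
D:\Documents and Settings\Alex\My Documents\Anno.1404.Dawn.Of.Discovery.ENG.Rip-TPTB\d3drm.dll (Malware.Packer.Gen) -> No action taken.
"""


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    action: str


# "Files Infected: 5" (summary line with a count)
SUMMARY_RE = re.compile(r"^(?P<kind>.+?) Infected: (?P<count>\d+)$")
# "Files Infected:" (section header, no count)
SECTION_RE = re.compile(r"^(?P<kind>.+?) Infected:$")
# "<path> (<detection>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary counts by kind, list of Finding per section kind)."""
    summary, findings, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["kind"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["kind"]
            findings[section] = []
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings[section].append(Finding(m["path"], m["detection"], m["action"]))
    return summary, findings


def count_mismatches(summary, findings):
    """Map kind -> (claimed, listed) for every summary count the sections do not back up."""
    bad = {}
    for kind, claimed in summary.items():
        listed = len(findings.get(kind, []))
        if listed != claimed:
            bad[kind] = (claimed, listed)
    return bad


def location_class(path):
    """Heuristic bucket for where a hit lives (this example's own scheme)."""
    p = path.lower()
    if p.endswith(".sys") and "\\windows\\system32\\" in p:
        return "system32-driver"      # kernel driver in a boot-critical location
    if "\\windows\\temp\\" in p or "\\local settings\\temp\\" in p:
        return "temp"                 # dropped scratch file
    if "\\documents and settings\\" in p:
        return "user-profile"         # user-introduced (downloads, cracks, rips)
    return "program-files" if "\\program files\\" in p else "other"


def triage(findings):
    """Count hits by (detection family, location class), e.g. ('Rootkit', 'system32-driver')."""
    return Counter((f.detection.split(".")[0], location_class(f.path)) for f in findings)


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(summary, findings) or "none")
    for key, n in sorted(triage(findings.get("Files", [])).items()):
        print(f"{n} x {key[0]:<10} in {key[1]}")
```

Run as a script it prints the mismatch check and one line per (family, location) bucket; the two Rootkit.Agent hits land in the driver and temp buckets, the backdoor and packer hits in the cracked-software folders, which is the split a helper wants before approving deletions.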



