
All started with Smart Security...ad popup


  • This topic is locked
2 replies to this topic

#1 Travis Wayne

Travis Wayne

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Iowa
  • Local time:11:11 PM

Posted 23 April 2010 - 02:01 PM

Hi guys, at first my computer was infected with Smart Security. I ran Malwarebytes and all the SmartSecurity messages are gone. But I think I still have a rootkit... When I go to Internet Explorer and do a search, it takes me to advertisements when I click on the results. Also I get popups at different times. I tried Combofix, and it ended up in a blue screen. I came on here and tried to do the step-by-step thing for Smart Security removal, and rkill keeps coming up with an error and says it must terminate and can't continue. So I'm at a loss on what to do next... Any help is greatly appreciated, thanks!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mortons at 13:14:42.98 on Fri 04/23/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1598 [GMT -5:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Logitech\Logitech Vid\Vid.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CSHelper.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\lxbfcoms.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\SearchProtocolHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mortons\Desktop\dds.scr

============== Pseudo HJT Report ===============

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2787EA8E-8D87-48AF-88AD-B30246C917AB} - No File
TB: {D1A1FD57-93FC-45FE-BC2A-B3A5D47D6674} - No File
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\Vid.exe" -bootmode
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: billpaysite.com\www
Trusted Zone: plaxo.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2010-4-1 266240]
R2 lxbf_device;lxbf_device;c:\windows\system32\lxbfcoms.exe -service --> c:\windows\system32\lxbfcoms.exe -service [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-4-5 1153368]
S2 gupdate1c9ad5e3ce76ad7;Google Update Service (gupdate1c9ad5e3ce76ad7);c:\program files\google\update\GoogleUpdate.exe [2009-3-25 133104]

=============== Created Last 30 ================

2010-04-23 18:10:55 0 ----a-w- c:\users\mortons\defogger_reenable
2010-04-23 17:01:35 0 d-s---w- C:\ComboFix
2010-04-22 02:49:21 0 d-----w- c:\programdata\Sun
2010-04-22 02:44:22 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-22 02:30:08 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-22 02:27:13 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-04-22 01:48:43 98816 ----a-w- c:\windows\sed.exe
2010-04-22 01:48:43 77312 ----a-w- c:\windows\MBR.exe
2010-04-22 01:48:43 261632 ----a-w- c:\windows\PEV.exe
2010-04-22 01:48:43 161792 ----a-w- c:\windows\SWREG.exe
2010-04-22 01:15:14 0 d-----w- c:\program files\Sophos
2010-04-21 23:50:39 0 d-----w- c:\windows\pss
2010-04-21 23:45:39 0 d-----w- c:\program files\Trend Micro
2010-04-21 23:30:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 23:30:26 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 23:30:26 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-20 04:17:49 0 d-----w- C:\$AVG
2010-04-19 00:20:17 283959052 ----a-w- c:\windows\MEMORY.DMP
2010-04-18 20:34:44 0 d-----w- c:\program files\AVG
2010-04-18 20:34:26 0 d-----w- c:\programdata\avg9
2010-04-18 20:30:00 0 d-----w- c:\users\mortons\appdata\roaming\Malwarebytes
2010-04-18 20:29:50 0 d-----w- c:\programdata\Malwarebytes
2010-04-15 02:26:28 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-15 02:26:28 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-15 02:26:28 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-15 02:26:26 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-15 02:26:25 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-15 02:26:23 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-15 02:26:20 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-04-15 02:26:18 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-15 02:26:18 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-15 02:26:18 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-15 02:25:52 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-15 02:25:44 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-06 02:50:37 0 d-----w- c:\program files\iPod
2010-04-06 02:50:34 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-06 02:50:33 0 d-----w- c:\program files\iTunes
2010-04-06 02:44:27 0 d-----w- c:\program files\Bonjour
2010-04-05 03:25:42 0 d-----w- c:\program files\ParetoLogic
2010-04-05 03:13:18 0 d-----w- c:\programdata\Yahoo! Companion
2010-04-01 23:18:51 266240 ----a-w- c:\windows\system32\CSHelper.exe
2010-04-01 23:18:51 225280 ----a-w- c:\windows\system32\CSInstru.DLL

==================== Find3M ====================

2010-04-23 17:03:48 6144 ----a-w- c:\windows\system32\drivers\RDPENCDD.sys
2010-04-06 02:45:07 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-06 02:45:07 86016 ----a-w- c:\windows\inf\infpub.dat
2010-04-06 02:45:07 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-24 15:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:39:35 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:37:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-01-25 12:48:34 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:48:34 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:48:34 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:48:06 472064 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 12:45:56 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:35:01 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35:00 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:34:56 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:34:56 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2008-06-11 08:10:37 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-19 04:11:33 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-06-30 20:55:28 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 13:15:16.27 ===============

#2 Travis Wayne

Travis Wayne
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Iowa
  • Local time:11:11 PM

Posted 24 April 2010 - 01:26 PM

Please disregard this post. A lot has changed since then, thank you for your time.

#3 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:11:11 PM

Posted 24 April 2010 - 01:41 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!