not sure what infection I have, need help bad.


This topic is locked
2 replies to this topic

#1 TheShawn

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:16 PM

Posted 07 May 2010 - 10:02 AM

Just the other day I got an infection that spawned from a pop-up and got worse from there.
All of a sudden this little green shield popped up in the system tray, and I get a consistent pop-up from the system tray asking me to start my antivirus program under the disguise of a Windows security alert.
Every time I try to run a program of any kind I get another fake Windows security alert pop-up that tells me the .exe file has been infected and cannot be executed, and the program shuts down.
I also get other random pop-ups saying that I should start a virus scan or change my security settings.
I'm also getting website pop-ups with ads for Viagra and porn sites.
Internet Explorer is stuck on a page that says "Internet Explorer Warning - visiting this web site may harm your computer!" and won't let me visit any sites.
When I start my computer it seems like there's about a minute and a half where I don't run into these interferences.


I attempted to run the DDS script, but the infection stops it every time, even if I start it the moment the computer starts.
I did, however, run the GMER program and got the log below from it, but the first 8 options that can be checked were grayed out before the scan started.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-07 10:41:26
Windows 6.0.6002 Service Pack 2
Running: gmer.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x26 0xF8 0xDF 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x96 0x5C 0x77 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x31 0x6A 0xD1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB5 0xE5 0xAF 0xDB ...
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\Memory Management\PrefetchParameters@BootId 1124
Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 288022036
Reg HKLM\SYSTEM\ControlSet002\Control\Terminal Server@InstanceID a5d97bd0-8251-40e1-a9e5-03b3974
Reg HKLM\SYSTEM\ControlSet002\Control\WDI\Config@ServerName \BaseNamedObjects\WDI_{752e5343-9798-44c2-874a-841632637afa}
Reg HKLM\SYSTEM\ControlSet002\Control\WMI\Autologger\WdiContextLog@FileCounter 2
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters@MemoryCacheSize 508675413
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters@LastBootPlanUserTime Fri, May 07 10, 10:17:51 AM
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters@LastBootPlanTime 0xF0 0xED 0xCA 0x01 ...
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters@BootMinAvailableMemory 642
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters@BootMinAvailableMemoryTimeMs 78000
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@IoReadCount 27978
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@IoReadKB 0xBD 0x45 0x0C 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@CacheHitCount 26153
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@CacheHitKB 0x0F 0xB1 0x0B 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@CacheHitPercentage 93.48
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@CacheFragmentation 9.18
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@CompressedDataSizeKB 0x1A 0x76 0x07 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@RawDataSizeKB 0x1A 0x76 0x07 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@CompressionRatio 1.67
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@CacheSizeKB 499542
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@LastBootPlanUTC 0xEF 0xED 0xCA 0x01 ...
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@BootTimeUTC 0xD5 0x81 0xCB 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@LastBootPlanUserTime Fri, May 07 10, 10:13:20 AM
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@BootPrefetchDiskTimeUs 0x06 0x43 0xCA 0x03 ...
Reg HKLM\SYSTEM\ControlSet002\Services\Ecache\Parameters\ReadyBootStats@BootPrefetchDataReadBytes 0x00 0x40 0x91 0x2B ...
Reg HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Epoch@Epoch 2805
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x26 0xF8 0xDF 0x64 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x96 0x5C 0x77 0xBF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x31 0x6A 0xD1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xB5 0xE5 0xAF 0xDB ...
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C1EAB410-1657-4D3B-98EB-37BC7D81CB86}@Lease 3319
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C1EAB410-1657-4D3B-98EB-37BC7D81CB86}@LeaseObtainedTime 1273241791
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C1EAB410-1657-4D3B-98EB-37BC7D81CB86}@T1 1273243450
Reg HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C1EAB410-1657-4D3B-98EB-37BC7D81CB86}@T2 1273244695

---- EOF - GMER 1.0.15 ----

This infection is driving me nuts, please help me figure this out before it drives me completely insane.

In the meantime I went through your removal guides and found out I was dealing with Antispyware Soft.
I went through the removal process and things seem to be OK, but I ran DDS and GMER and am going to post all of the appropriate logs, since I wasn't able to before, to make sure I'm clean.


DDS (Ver_10-03-17.01) - NTFSX64
Run by Shawn at 2:44:36.89 on Sat 05/08/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2047.1019 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\SpeedFan\speedfan.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files (x86)\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Shawn\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [VolPanel] "c:\program files (x86)\creative\sbaudigy\volume panel\VolPanlu.exe" /r
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [BlackBerryAutoUpdate] c:\program files (x86)\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files (x86)\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\speedfan.lnk - c:\program files (x86)\speedfan\speedfan.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~2\office12\EXCEL.EXE/3000
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
mRun-x64: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun-x64: [SoundMan] SOUNDMAN.EXE
mRun-x64: [RivaTunerStartupDaemon] "c:\program files (x86)\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTunerWrapper.exe" /S
STS-X64: Windows DreamScene: {E31004D1-A431-41B8-826F-E902F9D95C81} - %SystemRoot%\System32\DreamScene.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\shawn\appdata\roaming\mozilla\firefox\profiles\l8wi4066.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en&source=iglk
FF - plugin: c:\program files (x86)\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files (x86)\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\users\shawn\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\shawn\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\shawn\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\shawn\appdata\roaming\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\users\shawn\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\windows\syswow64\adobe\director\np32dsw.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PxHlpa64;PxHlpa64;c:\windows\system32\drivers\PxHlpa64.sys [2009-11-9 52856]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-9 89680]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-9 22096]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-6-9 64592]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-9 138680]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\nvidia corporation\3d vision\nvSCPAPISvr.exe [2009-7-14 239648]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-9 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-9 352920]
R3 RivaTuner64;RivaTuner64;c:\program files (x86)\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTuner64.sys [2009-8-22 19952]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2010-2-24 31744]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2009-9-24 89920]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\common files\creative labs shared\service\CTAELicensing.exe [2010-2-5 79360]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-31 27648]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2009-1-31 19968]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-10-16 50176]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-05-08 06:00:51 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-18 14:34:21 247560 ----a-w- c:\windows\syswow64\prgiso.dll
2010-04-18 14:34:21 13576 ----a-w- c:\windows\syswow64\wnaspi32.dll
2010-04-17 17:17:23 0 d-----w- c:\windows\system32\appmgmt
2010-04-17 16:42:14 0 d-----w- c:\programdata\launcher
2010-04-17 16:32:18 0 d-----w- c:\program files (x86)\Paragon Software
2010-04-14 17:21:14 98304 ----a-w- c:\windows\syswow64\cabview.dll
2010-04-14 17:21:14 104960 ----a-w- c:\windows\system32\cabview.dll
2010-04-14 17:21:12 218624 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 17:21:12 172032 ----a-w- c:\windows\syswow64\wintrust.dll

==================== Find3M ====================

2010-05-08 06:42:31 32879 ----a-w- c:\programdata\nvModes.dat
2010-04-05 15:43:31 86016 ----a-w- c:\windows\inf\infstor.dat
2010-04-05 15:43:31 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-05 15:43:31 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-19 19:53:48 13312 ----a-w- c:\windows\syswow64\svrapi.dll
2010-03-19 19:53:10 744960 ----a-w- c:\windows\syswow64\IR41_32.DLL
2010-03-05 14:32:42 612864 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 14:01:02 420352 ----a-w- c:\windows\syswow64\vbscript.dll
2010-02-24 14:16:06 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-02-23 07:03:02 1147904 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:57:40 132096 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 06:57:39 77312 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:39:13 916480 ----a-w- c:\windows\syswow64\wininet.dll
2010-02-23 06:39:00 1209344 ----a-w- c:\windows\syswow64\urlmon.dll
2010-02-23 06:37:26 206848 ----a-w- c:\windows\syswow64\occache.dll
2010-02-23 06:35:21 611840 ----a-w- c:\windows\syswow64\mstime.dll
2010-02-23 06:34:51 5944832 ----a-w- c:\windows\syswow64\mshtml.dll
2010-02-23 06:34:49 594432 ----a-w- c:\windows\syswow64\msfeeds.dll
2010-02-23 06:34:49 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-02-23 06:34:06 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2010-02-23 06:33:45 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2010-02-23 06:33:45 164352 ----a-w- c:\windows\syswow64\ieui.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2010-02-23 06:33:44 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2010-02-23 06:33:44 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2010-02-23 06:33:44 11070976 ----a-w- c:\windows\syswow64\ieframe.dll
2010-02-23 06:33:38 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-02-23 05:19:22 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-23 04:55:36 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2010-02-23 04:55:24 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2010-02-23 04:54:43 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-02-20 23:15:56 32768 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:14:20 33792 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 23:06:41 24064 ----a-w- c:\windows\syswow64\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\syswow64\httpapi.dll
2010-02-18 14:28:01 4697992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-18 13:49:59 225280 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-12 16:01:24 95520 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:01:24 119584 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 15:46:14 91424 ----a-w- c:\windows\syswow64\dnssd.dll
2010-02-12 15:46:14 107808 ----a-w- c:\windows\syswow64\dns-sd.exe
2009-11-11 19:50:35 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-01-31 20:13:22 174 --sha-w- c:\program files\desktop.ini
2009-01-31 20:13:22 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:32 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:32 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-12-31 05:40:18 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-12-31 05:40:18 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-12-31 05:40:18 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-11-07 04:03:07 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-07-14 01:16:09 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 2:45:59.80 ===============

Edited by TheShawn, 08 May 2010 - 02:03 AM.
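The "Pseudo HJT Report" section of the DDS log above carries the lines a helper reads first. The per-user proxy entry `uInternet Settings,ProxyServer = http=127.0.0.1:5555` hands every Internet Explorer request to a process on the same machine, which is consistent with the poster being stuck on a single "Internet Explorer Warning" page; `mPolicies-system: EnableLUA = 0` means UAC is off; `mRun: [<NO NAME>]` and the `TB: ... - No File` entry are autostart and toolbar registrations with nothing behind them. The script below is an added example written for this page; it is not part of DDS, GMER or BleepingComputer's tooling, and the rule names are the author's own. It parses DDS-style lines and flags those four patterns. The sample input is constructed from lines copied out of the posted log so the example runs offline.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for leftovers typical of
rogue-AV infections: a browser proxy pointing back at the local machine, UAC
switched off, empty Run values and toolbar/BHO entries whose file is gone.

Added example for illustration; not part of DDS, GMER or BleepingComputer's
tooling. Rule names are the author's own choices.
"""
import re
from typing import Dict, List

# Constructed sample input: lines copied from the DDS log posted in this thread,
# so the script can be run offline against something realistic.
SAMPLE_LOG = """\
uStart Page = hxxp://www.google.com/ig?hl=en&source=iglk
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files (x86)\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
mRun: [avast!] c:\\progra~1\\alwils~1\\avast4\\ashDisp.exe
mRun: [<NO NAME>]
mPolicies-system: EnableLUA = 0 (0x0)
"""

# DDS prefixes: 'u' = current-user hive (HKCU), 'm' = machine hive (HKLM).
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
POLICY_RE = re.compile(r"^[um]Policies-system:\s*(?P<name>\w+)\s*=\s*(?P<value>\S+)")
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
NOFILE_RE = re.compile(r"^(?:TB|BHO)(?:-X64)?:.*-\s*No File\s*$")
# Anything that resolves to this host: the whole 127/8 block, ::1, or 'localhost'.
LOOPBACK_RE = re.compile(
    r"(?:^|[=;\s])(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[?::1\]?)(?::\d+)?",
    re.IGNORECASE,
)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = PROXY_RE.match(line)
        if m:
            # WinINet accepts "host:port" or per-scheme "http=host:port;https=...".
            # A loopback target means every IE request is handed to a process on
            # this machine, which can serve whatever page it likes.
            if LOOPBACK_RE.search(m.group("value")):
                findings.append({"line": line, "rule": "loopback-proxy",
                                 "detail": "browser proxy points at this machine: " + m.group("value")})
            continue

        if NOFILE_RE.match(line):
            # CLSID registered for a toolbar/BHO but the DLL is missing: either an
            # orphan from a removed program or a half-cleaned infection.
            findings.append({"line": line, "rule": "orphan-no-file",
                             "detail": "toolbar/BHO registered but its file is missing"})
            continue

        m = RUN_RE.match(line)
        if m and (m.group("name").strip() in ("", "<NO NAME>") or not m.group("cmd").strip()):
            # Run value with no name or no command: harmless by itself, but a
            # common residue after malware deletes or renames its own loader.
            findings.append({"line": line, "rule": "empty-run-value",
                             "detail": "autostart value without a name or command"})
            continue

        m = POLICY_RE.match(line)
        if m and m.group("name") == "EnableLUA" and m.group("value") == "0":
            # EnableLUA=0 turns UAC off for the whole machine.
            findings.append({"line": line, "rule": "uac-disabled",
                             "detail": "EnableLUA is 0: UAC is switched off"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

Run as-is to see the four findings from the embedded sample, or read a saved DDS log into a string and pass it to `triage`. The checks are deliberately narrow: they flag only what DDS prints literally, so a clean machine with a corporate proxy on a real hostname produces no findings, and anything they do flag still needs a human to decide whether it is infection residue or an ordinary orphan from an uninstalled program.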



#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:11:16 PM

Posted 10 May 2010 - 11:36 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:16 PM

Posted 16 May 2010 - 08:29 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 




