
AntiMalware Doctor/AntiMalware Soft Removal?


  • This topic is locked
12 replies to this topic

#1 DECLG2010

  • Members
  • 9 posts

Posted 08 May 2010 - 11:39 PM

Hello,

This is my girlfriend's computer, and she recently asked me to take a look at it.
I always come to this site for help, and I went through the tutorial for both AntiMalware Doctor removal and AntiMalware Soft removal. Unfortunately, AntiMalware Doctor still seems to be on the computer. I ran the ARK and DDS scans, but only after I had run rkill (it is the only way it'd let me).

I appreciate any help. I apologize if I incorrectly uploaded the logs!

Thank you sincerely,

Garrett


#2 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 May 2010 - 11:53 PM

Hi Garrett,

There aren't any logs that I can see. Could you please copy and paste only the DDS and ARK scan results? It's easier to look through that way anyway.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 DECLG2010

  • Topic Starter

  • Members
  • 9 posts

Posted 09 May 2010 - 12:04 AM

Absolutely Tea,

DDS:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 11/18/2008 6:02:22 PM
System Uptime: 5/8/2010 9:30:36 PM (0 hours ago)

Motherboard: Dell Inc. | | 0W9260
Processor: Intel® Pentium® M processor 1.60GHz | Microprocessor | 221/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 28 GiB total, 8.925 GiB free.
D: is CDROM ()
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Hosts File Hijack ======================


==== Installed Programs ======================

Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1
Adobe Shockwave Player 11.5
Antimalware Doctor
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 4
Bonjour
Broadcom 440x 10/100 Integrated Controller
C-Major Audio
CCleaner (remove only)
CleanUp!
Conexant D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
DivX Web Player
EVEREST Home Edition v2.20
Facebook Plug-In
File Uploader
FUJIFILM FinePixViewer S Ver.2.1
getPlus® for Adobe
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
iTunes
Java™ 6 Update 11
K-Lite Codec Pack 4.3.1 (Full)
KhalInstallWrapper
Malwarebytes' Anti-Malware
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft English TTS Engine
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Small Business
Microsoft Office 2000 SR-1 Premium
Microsoft Silverlight
Microsoft Streets & Trips 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
mIWA
mLogView
mMHouse
MobileMe Control Panel
Move Media Player
Mozilla Firefox (3.5.9)
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
mWlsSafe
mWMI
mZConfig
Nero OEM
Nikon Message Center
Nikon Transfer
Performance Solution Hotrevenue
Photo Explosion
QuickTime
Safari
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SUPERAntiSpyware Free Edition
TTS Wrapper
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
W Photo Studio
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

5/7/2010 9:52:42 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
5/7/2010 9:52:42 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/7/2010 9:52:42 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
5/7/2010 2:35:17 AM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Service service terminated unexpectedly. It has done this 1 time(s).
5/7/2010 2:22:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
5/7/2010 11:24:08 AM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless SSO Service service terminated unexpectedly. It has done this 1 time(s).
5/7/2010 11:23:57 AM, error: Service Control Manager [7034] - The Intel® PROSet/Wireless Event Log service terminated unexpectedly. It has done this 1 time(s).
5/7/2010 11:19:11 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL
5/7/2010 11:13:02 PM, error: w29n51 [5031] - Intel® PRO/Wireless 2200BG Network Connection : The adapter has detected an Adapter Check as a result of some unrecoverable hardware of software error. Please contact your service provider.
5/7/2010 11:13:02 PM, error: w29n51 [5010] - Intel® PRO/Wireless 2200BG Network Connection : The adapter has returned an invalid value to the driver.
5/7/2010 10:06:30 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
5/6/2010 3:33:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
5/6/2010 12:26:19 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/6/2010 12:12:42 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
5/6/2010 12:12:21 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
5/6/2010 12:12:21 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/6/2010 12:12:21 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/6/2010 12:12:21 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/6/2010 12:12:21 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/6/2010 12:12:21 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/6/2010 12:12:21 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/6/2010 12:11:57 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/6/2010 12:11:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/6/2010 12:08:26 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/6/2010 12:08:26 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
5/5/2010 9:00:30 PM, error: Service Control Manager [7023] - The iPod Service service terminated with the following error: Security must be initialized before any interfaces are marshalled or unmarshalled. It cannot be changed once initialized.
5/5/2010 2:42:45 PM, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
5/5/2010 2:38:52 PM, error: PSched [14103] - QoS [Adapter {435337AA-DCFA-457C-B998-D93FD9CD8338}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
5/5/2010 12:23:54 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file regsvr32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
5/5/2010 12:23:17 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
5/5/2010 12:22:29 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Spooler service.
5/5/2010 12:17:42 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
5/1/2010 12:06:14 AM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00166F1F5DBF. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

==== End Of File ===========================



ARK:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-08 23:32:02
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\OWNER~1.OWN\LOCALS~1\Temp\fxpiqpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAAEAA900]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\rasacd.sys entry point in ".rsrc" section [0xF896FC14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1148] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
.text C:\WINDOWS\System32\svchost.exe[1148] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 028B000A
.text C:\WINDOWS\System32\svchost.exe[1148] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DE000A
.text C:\WINDOWS\Explorer.EXE[1440] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1440] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1440] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3760] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 011C000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3760] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 011D000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3760] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 011B000C

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 8155EEE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\rasacd.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




Thank you.

#4 DECLG2010

  • Topic Starter

  • Members
  • 9 posts

Posted 09 May 2010 - 12:05 AM

I'm sorry,

Here is the other DDS:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 21:44:49.00 on Sat 05/08/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.82 [GMT -5:00]

AV: My Security Engine *On-access scanning enabled* (Updated) {68E15312-DA3D-4D73-B3EA-A6D3E352F059}
FW: My Security Engine *enabled* {E5D335AB-9113-4A26-ABA5-517A1D2D2B35}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Nova Development\Photo Explosion\4.0\ReminderApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\CCleaner

Edited by DECLG2010, 09 May 2010 - 12:07 AM.


#5 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 May 2010 - 12:16 AM

No need to be sorry, and I have what I need.

If you can, download HostsXpert here:
http://www.funkytoad.com/download/HostsXpert.zip

Unzip HostsXpert to your desktop

Open up the HostsXpert program.

* Make sure that the "make hosts writable?" button in the upper left corner is enabled.
* Click back up Host files
* then click "Restore MS Hosts File"
* close program

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks,
tea


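As an added example (not part of this thread, of DDS, or of HostsXpert), the check below parses either a raw Windows hosts file or the "Hosts:" lines that DDS prints under "Hosts File Hijack", and flags the sinkhole pattern the DDS log above showed: many unrelated hostnames pinned to one or two non-loopback addresses so that search engines and security vendors resolve to a server the victim does not control. All sample entries are constructed (RFC 5737 test addresses and example.* names), and SINKHOLE_THRESHOLD is an assumed tuning value.

```python
"""Flag hosts-file entries of the kind DDS reports under "Hosts File Hijack".

Added example, not part of the forum thread, of DDS or of HostsXpert.
Accepts a raw Windows hosts file or DDS-style "Hosts: IP name" lines.
All sample data below is constructed (RFC 5737 addresses, example.* names).
"""

import ipaddress
from collections import defaultdict

# Targets a hosts file legitimately points names at: loopback for the
# machine itself, and the unspecified address used by ad-blocking lists.
BENIGN_TARGETS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
    ipaddress.ip_address("0.0.0.0"),
}

# Assumed tuning value: distinct hostnames mapped to one external address
# before that address is reported as a sinkhole.
SINKHOLE_THRESHOLD = 3


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file or DDS "Hosts:" text.

    Handles '#' comments, tab/space separation, several names on one line
    and the "Hosts: " prefix DDS puts in front of each reported entry.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("Hosts:"):
            line = line[len("Hosts:"):].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: address with no hostname
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def analyze_hosts(text):
    """Group non-benign mappings by target and report sinkhole addresses.

    Returns {"suspicious": {ip: sorted names}, "redirected": [(ip, name)]}:
    'suspicious' holds every address absorbing SINKHOLE_THRESHOLD or more
    distinct names; 'redirected' holds every mapping to a non-benign target,
    so single redirects still surface for manual review.
    """
    by_target = defaultdict(set)
    redirected = []
    for ip, name in parse_hosts(text):
        if ip in BENIGN_TARGETS:
            continue
        by_target[ip].add(name)
        redirected.append((str(ip), name))
    suspicious = {
        str(ip): sorted(names)
        for ip, names in by_target.items()
        if len(names) >= SINKHOLE_THRESHOLD
    }
    return {"suspicious": suspicious, "redirected": redirected}


# Constructed sample: a default-looking hosts file followed by hijack
# entries in the "Hosts:" style DDS uses when it reports them.
SAMPLE_DDS_OUTPUT = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.org         # ad-block style entry, benign
Hosts: 198.51.100.7 payments.example.net
Hosts: 198.51.100.7 secure.payments.example.net
Hosts: 198.51.100.7 av-vendor.example.com
Hosts: 192.0.2.44 search.example.com www.search.example.com
Hosts: 192.0.2.44 search.example.co.uk
Hosts: 203.0.113.9 intranet.example.local
"""


def main():
    report = analyze_hosts(SAMPLE_DDS_OUTPUT)
    for ip, names in report["suspicious"].items():
        print(f"SINKHOLE {ip}: {len(names)} hostnames -> {', '.join(names)}")
    for ip, name in report["redirected"]:
        if ip not in report["suspicious"]:
            print(f"REVIEW   {ip} {name}  (single redirect, check manually)")


if __name__ == "__main__":
    main()
```

A clean Windows hosts file produces an empty "suspicious" map and an empty "redirected" list, which is what a post-HostsXpert re-check should show.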

#6 DECLG2010

  • Topic Starter

  • Members
  • 9 posts

Posted 09 May 2010 - 01:43 AM

Hi,

Scan is all completed.

ComboFix 10-05-08.02 - Owner 05/09/2010 0:53.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.293 [GMT -5:00]
Running from: c:\documents and settings\Owner.OWNER-20B80EB60\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\.#
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\.#\MBX@74C@384190.###
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\.#\MBX@74C@3841C0.###
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\.#\MBX@74C@3841F0.###
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\.#\MBX@A8@384190.###
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\.#\MBX@A8@3841C0.###
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\.#\MBX@A8@3841F0.###
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\74B665CBAB7F95E91DD9BEEF034C3C1A
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\74B665CBAB7F95E91DD9BEEF034C3C1A\enemies-names.txt
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\74B665CBAB7F95E91DD9BEEF034C3C1A\gotnewupdate000.exe
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\74B665CBAB7F95E91DD9BEEF034C3C1A\hookdll.dll
c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\74B665CBAB7F95E91DD9BEEF034C3C1A\lsrslt.ini
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\cid.exe
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\cid.tmp
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\CLSV.exe
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\DBOLE.drv
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\eb.sys
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\fan.dll
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\fan.drv
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\FS.drv
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\gid.tmp
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\kernel32.drv
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\pal.exe
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\PE.dll
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\PE.tmp
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\runddl.dll
c:\documents and settings\Owner.OWNER-20B80EB60\Recent\tempdoc.tmp

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-08 03:08 . 2010-05-08 03:08 63488 ----a-w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-07 19:04 . 2010-05-07 19:04 1294336 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\9ec803d\MySecurityEngine.exe
2010-05-07 18:39 . 2010-05-07 18:39 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\MSWNPUWBTE
2010-05-07 18:39 . 2010-04-07 04:07 457688 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\9ec803d\sqlite3.dll
2010-05-07 18:39 . 2010-04-07 04:07 714200 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\9ec803d\mozcrt19.dll
2010-05-07 16:46 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 16:46 . 2010-05-07 16:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 16:46 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 16:37 . 2010-05-07 19:04 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\9ec803d
2010-05-06 20:38 . 2010-05-06 20:38 52224 ----a-w- c:\documents and settings\Administrator.OWNER-20B80EB60\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-06 20:38 . 2010-05-06 20:38 117760 ----a-w- c:\documents and settings\Administrator.OWNER-20B80EB60\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-06 20:37 . 2010-05-06 20:37 -------- d-----w- c:\documents and settings\Administrator.OWNER-20B80EB60\Application Data\SUPERAntiSpyware.com
2010-05-06 06:52 . 2010-05-06 06:52 52224 ----a-w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-06 06:51 . 2010-05-08 03:08 117760 ----a-w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-06 06:51 . 2010-05-06 06:51 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2010-05-06 06:51 . 2010-05-09 02:33 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-06 06:51 . 2010-05-06 06:51 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\SUPERAntiSpyware.com
2010-05-06 06:51 . 2010-05-06 06:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-06 05:26 . 2010-05-06 05:26 -------- d-----w- c:\documents and settings\Administrator.OWNER-20B80EB60\Application Data\Malwarebytes
2010-05-05 17:22 . 2010-05-07 19:19 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Local Settings\Application Data\wvxgvpcbs
2010-05-05 17:19 . 2010-05-05 17:19 50990 ----a-w- c:\windows\system32\pzrkqfjqmtbihuio.exe
2010-04-30 21:20 . 2010-04-30 21:20 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\PlayFirst
2010-04-30 21:20 . 2010-04-30 21:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PlayFirst
2010-04-30 21:09 . 2010-04-30 21:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Happyville__

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 03:54 . 2009-02-06 20:28 -------- d-----w- c:\program files\Shockwave.com
2010-05-03 17:11 . 2008-11-30 01:46 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\W Photo Studio
2010-05-03 17:11 . 2008-11-27 03:39 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\W Photo Studio Viewer
2010-05-02 02:51 . 2008-11-28 05:50 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-03-30 04:20 . 2010-03-30 04:20 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\vlc
2010-03-30 04:19 . 2010-03-30 04:19 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\MozillaControl
2010-03-30 04:19 . 2010-03-30 04:19 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2010-03-30 03:55 . 2010-03-30 03:55 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Media Player Classic
2010-03-29 02:10 . 2010-03-29 02:10 50354 ----a-w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Facebook\uninstall.exe
2010-03-29 02:10 . 2010-03-29 02:10 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Facebook
2010-03-26 03:31 . 2009-12-01 05:37 -------- d-----w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Move Networks
2010-03-24 21:10 . 2010-03-24 21:10 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\rionix
2010-03-19 18:28 . 2009-11-29 06:02 79488 ----a-w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-11 12:38 . 2004-08-12 14:09 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2010-01-18 00:10 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-12 13:56 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-12 14:08 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 03:36 . 2010-03-07 03:36 57832 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-24 13:11 . 2004-08-12 14:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 04:06 . 2008-11-19 00:11 21425 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-02-17 14:10 . 2004-08-12 14:02 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 05:57 . 2010-02-12 05:57 72488 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-12 05:50 . 2010-02-12 05:50 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-12 04:33 . 2004-08-12 13:55 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-12 14:07 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-09 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-06 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-07 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-07 77824]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"AddressBookReminderApp"="c:\program files\Nova Development\Photo Explosion\4.0\ReminderApp.exe" [2009-09-04 144672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-10-2 303104]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 68168]
S0 rkoxh;rkoxh; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
.
Contents of the 'Scheduled Tasks' folder

2010-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Mozilla\Firefox\Profiles\kr81olng.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\components\adproFfx.dll
FF - plugin: c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-gotnewupdate000.exe - c:\documents and settings\Owner.OWNER-20B80EB60\Application Data\74B665CBAB7F95E91DD9BEEF034C3C1A\gotnewupdate000.exe
Notify-LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 01:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8156DEE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf84d6f28
\Driver\ACPI -> ACPI.sys @ 0xf8349cb8
\Driver\atapi -> atapi.sys @ 0xf82e3852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf8201bb0
PacketIndicateHandler -> NDIS.sys @ 0xf81f0a0d
SendHandler -> NDIS.sys @ 0xf8204b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-09 01:17:13
ComboFix-quarantined-files.txt 2010-05-09 06:17

Pre-Run: 9,508,139,008 bytes free
Post-Run: 9,971,048,448 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0005F28AA20540F692CCA6C05B504C85


#7 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 09 May 2010 - 01:47 PM

Hello

How is it running after that? Can you please run a scan with MBAM and post the report? Also please post a new DDS log. Were you able to run HostsXpert?

Thanks,
tea

#8 DECLG2010

  • Topic Starter
  • Members
  • 9 posts

Posted 10 May 2010 - 12:49 AM

.

Edited by DECLG2010, 10 May 2010 - 12:58 AM.


#9 DECLG2010

  • Topic Starter
  • Members
  • 9 posts

Posted 10 May 2010 - 12:51 AM

.

Edited by DECLG2010, 10 May 2010 - 12:58 AM.


#10 DECLG2010

  • Topic Starter
  • Members
  • 9 posts

Posted 10 May 2010 - 01:00 AM

Hi Tea,

Please ignore my above posts; I was having trouble posting.

The computer is running amazing! I cannot thank you enough.

Here is my MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4084

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

5/10/2010 12:28:41 AM
mbam-log-2010-05-10 (00-28-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 207770
Time elapsed: 1 hour(s), 14 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}\components\adproFfx.dll (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Owner.OWNER-20B80EB60\Application Data\74B665CBAB7F95E91DD9BEEF034C3C1A\hookdll.dll.vir (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Edited by DECLG2010, 10 May 2010 - 01:07 AM.


#11 DECLG2010

  • Topic Starter
  • Members
  • 9 posts

Posted 10 May 2010 - 01:02 AM

Here is my DDS:



DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 0:41:31.73 on Mon 05/10/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.146 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Nova Development\Photo Explosion\4.0\ReminderApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.OWNER-20B80EB60\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [AddressBookReminderApp] c:\program files\nova development\photo explosion\4.0\ReminderApp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227054398953
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 74.125.45.100 4-open-davinci.com
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 privatesecuredpayments.com
Hosts: 74.125.45.100 secure.privatesecuredpayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.own\applic~1\mozilla\firefox\profiles\kr81olng.default\
FF - component: c:\program files\mozilla firefox\extensions\{cafeefac-0016-0000-0011-abcdeffedcba}\components\adproFfx.dll
FF - plugin: c:\documents and settings\owner.owner-20b80eb60\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\owner.owner-20b80eb60\application data\move networks\plugins\npqmp071701000002.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 68168]
S0 rkoxh;rkoxh; [x]

=============== Created Last 30 ================

2010-05-09 05:41:01 0 d-sha-r- C:\cmdcons
2010-05-09 05:32:35 98816 ----a-w- c:\windows\sed.exe
2010-05-09 05:32:35 77312 ----a-w- c:\windows\MBR.exe
2010-05-09 05:32:35 256512 ----a-w- c:\windows\PEV.exe
2010-05-09 05:32:35 161792 ----a-w- c:\windows\SWREG.exe
2010-05-07 18:39:36 0 d-sh--w- c:\docume~1\alluse~1.win\applic~1\MSWNPUWBTE
2010-05-07 16:46:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 16:46:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 16:46:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 16:37:35 0 d-sh--w- c:\docume~1\alluse~1.win\applic~1\9ec803d
2010-05-06 06:51:38 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com
2010-05-06 06:51:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-06 06:51:23 0 d-----w- c:\docume~1\owner~1.own\applic~1\SUPERAntiSpyware.com
2010-05-06 06:51:05 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-06 05:06:47 2862 ----a-w- c:\windows\lsrslt.ini
2010-05-05 17:19:36 50990 ----a-w- c:\windows\system32\pzrkqfjqmtbihuio.exe
2010-04-30 21:09:19 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Happyville__

==================== Find3M ====================

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 03:36:53 57832 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-17 14:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 0:44:00.68 ===============


I was able to run the HostsXpert program. I cannot believe how much those programs helped.

If there's anything else, please let me know.

Thank you so much. I appreciate your help greatly. I'll be sure to make a donation!

-Garrett

Edited by DECLG2010, 10 May 2010 - 01:09 AM.


#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 10 May 2010 - 02:54 AM

Hi Garrett,

You're most welcome. Still some things to do.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

There are a couple of things I need to check on, please. I could not find anything on the files, and I'd like for you to check on a folder for me.

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

c:\windows\system32\pzrkqfjqmtbihuio.exe

Also this file:

c:\windows\lsrslt.ini

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

Could you please look in the following bolded folder and tell me what's in it?

c:\documents and settings\Owner.OWNER-20B80EB60\Local Settings\Application Data\wvxgvpcbs

Do you remember if you ran DDS before or after you ran HostsXpert?

Thanks,
tea

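One way to do the kind of first pass over a DDS log that the reply above performs by eye, as an added example that is not part of the thread or of the DDS tool: the sample lines are constructed from the DDS report posted above, and the heuristics (a proxy on the loopback interface, a service whose binary cannot be found, HOSTS entries that redirect to a remote address, new files with random-looking names, new hidden+system directories) are assumptions about what is worth a second look, not DDS features.

```python
"""Triage heuristics for a DDS-style log (added example, not the thread's own code).

Every hit is something to verify (upload, inspect, compare against a known
install), not a verdict. C:\\cmdcons, for instance, is the Recovery Console
that ComboFix installed in the log above and is an expected hidden+system hit.
"""
import re

# Constructed sample, trimmed from the DDS log posted in the thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S0 rkoxh;rkoxh; [x]
2010-05-09 05:41:01 0 d-sha-r- C:\cmdcons
2010-05-09 05:32:35 98816 ----a-w- c:\windows\sed.exe
2010-05-07 18:39:36 0 d-sh--w- c:\docume~1\alluse~1.win\applic~1\MSWNPUWBTE
2010-05-07 16:46:08 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 16:37:35 0 d-sh--w- c:\docume~1\alluse~1.win\applic~1\9ec803d
2010-05-06 05:06:47 2862 ----a-w- c:\windows\lsrslt.ini
2010-05-05 17:19:36 50990 ----a-w- c:\windows\system32\pzrkqfjqmtbihuio.exe
2010-04-30 21:09:19 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Happyville__
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# "R1 name;display;path [date size]" -- DDS prints [x] where the file was not found.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.*)$")
# "date time size attrs path" lines from the Created Last 30 / Find3M sections.
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(\S{8})\s+(.+)$")
HEX_RE = re.compile(r"^[0-9a-f]{7,}$", re.I)
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}", re.I)
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "localhost"}


def looks_random(name):
    """Heuristic: an all-hex stem of 7+ chars, or 5+ consonants in a row."""
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return bool(HEX_RE.match(stem) or CONSONANT_RUN_RE.search(stem))


def triage(log_text):
    """Return (kind, detail) findings for the lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:  # "http=127.0.0.1:5555" -> host "127.0.0.1"
            host = m.group(1).split("=")[-1].split(":")[0]
            if host in LOCAL_ADDRS:
                findings.append(("loopback-proxy", m.group(1)))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group(1) not in LOCAL_ADDRS:
            findings.append(("hosts-redirect", f"{m.group(2)} -> {m.group(1)}"))
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(2).strip() == "[x]":
            findings.append(("missing-service-binary", m.group(1)))
            continue
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            name = re.split(r"[\\/]", path)[-1]
            if looks_random(name):
                findings.append(("random-name", path))
            if attrs[0] == "d" and "s" in attrs and "h" in attrs:
                findings.append(("hidden-system-dir", path))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

The consonant-run rule is deliberately crude (it would also flag a legitimate name such as hkcmd.exe if that appeared in a Created section), so treat its hits as a reading order, not a blocklist.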

#13 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 May 2010 - 02:25 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.