trojan infection related to fake spyware program


  • This topic is locked
90 replies to this topic

#1 castrique

castrique

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 30 May 2010 - 06:37 PM

Started with the 'your computer is infected' screens. Had Norton System Mechanic but nothing worked. Tried PC Doctor Avanti and Malware but could not remove. Things got worse and Internet Explorer would not work. In desperation, reloaded Vista which shows up on boot up as Vista - recovered (the old Vista is still there) and got internet service back. Loaded with anti virus thinking would keep this copy safe. Anyway the Vista recovered scans entire drive but does not fix problems when I boot up and run original Vista. Imagine have probably done about everything a$%backwards so appreciate any help. Few years back had problem and ran Hijack This and got telephone support so even ran that program. Basically stymied and will take into Best Buy geek squad for $200 clean if this forum isn't of any help. However, I am quite optimistic the fine people on this site will help.

Wish I could reciprocate but limited abilities - do contribute time and money to BSA/Triumph forum so know the value of helping and getting helped.
Tried to follow instructions for posting.
thank you - Craig

DS (Ver_10-03-17.01) - NTFSx86
Run by craig at 16:57:59.33 on Sun 05/30/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1023.218 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.vista.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\craig\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63VWM4WN\HijackThis[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Users\craig\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M72IXVTY\HijackThis[1].exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\craig\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0OK6MTLU\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HijackThis startup scan] c:\users\craig\appdata\local\microsoft\windows\temporary internet files\content.ie5\m72ixvty\HijackThis.exe /startupscan
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: c:\windows\system32\iavlsp.dll
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/3,0,0,5991/mcfscan.cab

============= SERVICES / DRIVERS ===============


============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2010-05-30 20:40:27 0 ----a-w- c:\users\craig\defogger_reenable
2010-05-29 01:13:36 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-29 01:11:44 0 d-----w- c:\programdata\Alwil Software
2010-05-29 01:07:02 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-28 22:49:30 12800 ----a-w- c:\windows\system32\drivers\elrawdsk.sys
2010-05-28 22:46:42 834448 ----a-w- c:\windows\system32\drivers\css-dvp.sys
2010-05-28 22:46:34 0 d-----w- c:\program files\common files\Authentium
2010-05-28 21:48:41 144771052 ----a-w- c:\windows\MEMORY.DMP
2010-05-28 01:40:26 0 d-----w- c:\program files\Trend Micro
2010-05-24 11:27:51 59664 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-05-24 11:27:51 51984 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-05-24 11:27:51 33552 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-05-24 01:55:30 767952 ----a-w- c:\windows\BDTSupport.dll
2010-05-24 01:55:29 882 ----a-w- c:\windows\RegSDImport.xml
2010-05-24 01:55:29 879 ----a-w- c:\windows\RegISSImport.xml
2010-05-24 01:55:29 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-05-24 01:55:29 131 ----a-w- c:\windows\IDB.zip
2010-05-24 01:55:29 1152444 ----a-w- c:\windows\UDB.zip
2010-05-24 01:55:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-05-24 01:55:28 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-05-24 01:49:58 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-05-24 01:49:58 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-05-24 01:49:58 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-05-24 01:49:48 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-05-24 01:49:48 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-05-24 01:49:48 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-05-24 01:49:48 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-05-24 01:49:37 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-05-24 01:49:37 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-05-24 01:49:25 0 d-----w- c:\users\craig\appdata\roaming\PC Tools
2010-05-24 01:49:25 0 d-----w- c:\programdata\PC Tools
2010-05-24 01:49:25 0 d-----w- c:\program files\Spyware Doctor
2010-05-24 01:49:25 0 d-----w- c:\program files\common files\PC Tools
2010-05-24 01:49:09 0 d---a-w- c:\programdata\TEMP
2010-05-23 20:47:41 0 d-----w- c:\windows\McAfee.com
2010-05-23 00:03:29 0 d-----w- c:\users\craig\appdata\roaming\Malwarebytes
2010-05-23 00:03:19 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-23 00:03:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 00:03:17 0 d-----w- c:\programdata\Malwarebytes
2010-05-23 00:03:17 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-22 19:04:27 472 ----a-w- c:\windows\system32\iolo.ini
2010-05-22 07:27:51 97800 ----a-w- c:\windows\system32\infocardapi.dll
2010-05-22 07:27:48 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2010-05-22 07:27:38 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
2010-05-22 07:27:37 622080 ----a-w- c:\windows\system32\icardagt.exe
2010-05-22 07:27:36 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-05-22 07:27:36 11264 ----a-w- c:\windows\system32\icardres.dll
2010-05-22 07:27:28 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2010-05-22 07:27:09 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2010-05-22 07:08:40 96760 ----a-w- c:\windows\system32\dfshim.dll
2010-05-22 07:08:29 282112 ----a-w- c:\windows\system32\mscoree.dll
2010-05-22 07:08:26 41984 ----a-w- c:\windows\system32\netfxperf.dll
2010-05-22 07:07:23 158720 ----a-w- c:\windows\system32\mscorier.dll
2010-05-22 07:06:50 83968 ----a-w- c:\windows\system32\mscories.dll
2010-05-22 04:02:10 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2010-05-22 04:02:01 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2010-05-22 04:00:31 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
2010-05-22 03:36:12 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-05-22 03:36:11 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-05-22 03:36:11 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 03:36:10 10240 ----a-w- c:\windows\system32\dciman32.dll
2010-05-22 03:35:45 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2010-05-22 03:35:25 301568 ----a-w- c:\windows\system32\drivers\srv.sys
2010-05-22 03:35:23 98304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-05-22 03:31:40 104960 ----a-w- c:\windows\system32\netiohlp.dll
2010-05-22 03:31:35 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2010-05-22 03:31:34 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2010-05-22 03:31:34 19968 ----a-w- c:\windows\system32\ARP.EXE
2010-05-22 03:31:31 10240 ----a-w- c:\windows\system32\finger.exe
2010-05-22 03:31:30 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2010-05-22 03:31:30 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2010-05-22 03:31:29 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2010-05-22 03:31:24 17920 ----a-w- c:\windows\system32\netevent.dll
2010-05-22 03:24:33 2501921 ----a-w- c:\windows\system32\wlan.tmf
2010-05-22 03:24:26 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2010-05-22 03:24:25 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2010-05-22 03:24:24 302592 ----a-w- c:\windows\system32\wlansec.dll
2010-05-22 03:24:23 513024 ----a-w- c:\windows\system32\wlansvc.dll
2010-05-22 03:23:51 1399296 ----a-w- c:\windows\system32\msxml6.dll
2010-05-22 03:23:49 1257472 ----a-w- c:\windows\system32\msxml3.dll
2010-05-22 03:23:19 213504 ----a-w- c:\windows\system32\msv1_0.dll
2010-05-22 03:23:18 175104 ----a-w- c:\windows\system32\wdigest.dll
2010-05-22 03:23:17 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2010-05-22 03:23:16 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2010-05-22 03:23:14 9728 ----a-w- c:\windows\system32\lsass.exe
2010-05-22 03:23:14 72704 ----a-w- c:\windows\system32\secur32.dll
2010-05-22 03:22:52 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-22 03:22:29 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-22 03:22:28 78848 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-22 03:22:28 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-22 03:22:03 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2010-05-22 03:22:03 15360 ----a-w- c:\windows\system32\pacerprf.dll
2010-05-22 03:21:34 2868224 ----a-w- c:\windows\system32\mf.dll
2010-05-22 03:20:53 3598216 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-05-22 03:20:52 3545992 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-05-22 03:20:29 376832 ----a-w- c:\windows\system32\winhttp.dll
2010-05-22 03:20:12 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-22 03:19:55 71680 ----a-w- c:\windows\system32\atl.dll
2010-05-22 03:19:40 296960 ----a-w- c:\windows\system32\gdi32.dll
2010-05-22 03:19:27 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2010-05-22 03:19:26 38912 ----a-w- c:\windows\system32\xolehlp.dll
2010-05-22 03:19:10 160256 ----a-w- c:\windows\system32\wkssvc.dll
2010-05-22 03:18:48 2066432 ----a-w- c:\windows\system32\mstscax.dll
2010-05-22 03:18:29 269312 ----a-w- c:\windows\system32\es.dll
2010-05-22 03:17:51 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-05-22 03:17:40 1695744 ----a-w- c:\windows\system32\gameux.dll
2010-05-22 03:17:34 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-05-22 03:17:14 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2010-05-22 03:15:19 833024 ----a-w- c:\windows\system32\wininet.dll
2010-05-22 03:14:51 389632 ----a-w- c:\windows\system32\html.iec
2010-05-22 03:14:50 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-22 03:14:48 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-22 03:14:46 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2010-05-22 03:11:25 636928 ----a-w- c:\windows\system32\localspl.dll
2010-05-22 03:03:55 2927104 ----a-w- c:\windows\explorer.exe
2010-05-22 03:03:21 898952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-22 03:03:17 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-22 03:03:17 190464 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-22 03:02:27 499200 ----a-w- c:\windows\system32\wbem\WmiPrvSD.dll
2010-05-22 03:02:23 615424 ----a-w- c:\windows\system32\wbem\fastprox.dll
2010-05-22 03:02:19 551424 ----a-w- c:\windows\system32\rpcss.dll
2010-05-22 03:02:13 247296 ----a-w- c:\windows\system32\wbem\WmiPrvSE.exe
2010-05-22 03:02:11 129024 ----a-w- c:\windows\system32\wbem\WmiDcPrv.dll
2010-05-22 03:02:06 666624 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2010-05-22 03:02:02 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2010-05-22 03:02:01 98304 ----a-w- c:\windows\system32\iasrecst.dll
2010-05-22 03:02:01 44032 ----a-w- c:\windows\system32\iasdatastore.dll
2010-05-22 03:02:01 183296 ----a-w- c:\windows\system32\sdohlp.dll
2010-05-22 03:02:00 54784 ----a-w- c:\windows\system32\iasads.dll
2010-05-22 03:02:00 17408 ----a-w- c:\windows\system32\iashost.exe
2010-05-22 03:00:25 19000 ----a-w- c:\windows\system32\kd1394.dll
2010-05-22 03:00:23 615992 ----a-w- c:\windows\system32\ci.dll
2010-05-22 03:00:22 988216 ----a-w- c:\windows\system32\winload.exe
2010-05-22 03:00:20 927288 ----a-w- c:\windows\system32\winresume.exe
2010-05-22 03:00:11 378368 ----a-w- c:\windows\system32\srcore.dll
2010-05-22 03:00:10 46592 ----a-w- c:\windows\system32\setbcdlocale.dll
2010-05-22 03:00:10 40960 ----a-w- c:\windows\system32\srclient.dll
2010-05-22 03:00:09 6656 ----a-w- c:\windows\system32\kbd106n.dll
2010-05-22 03:00:09 318464 ----a-w- c:\windows\system32\rstrui.exe
2010-05-22 03:00:09 14848 ----a-w- c:\windows\system32\srdelayed.exe
2010-05-22 02:56:21 62464 ----a-w- c:\windows\system32\l3codeca.acm
2010-05-22 02:55:46 24064 ----a-w- c:\windows\system32\amxread.dll
2010-05-22 02:55:46 13824 ----a-w- c:\windows\system32\apilogen.dll
2010-05-22 02:55:21 443392 ----a-w- c:\windows\system32\win32spl.dll
2010-05-22 02:54:56 2035712 ----a-w- c:\windows\system32\win32k.sys
2010-05-22 02:54:25 565248 ----a-w- c:\windows\system32\emdmgmt.dll
2010-05-22 02:54:24 625152 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2010-05-22 02:54:24 45056 ----a-w- c:\windows\system32\dataclen.dll
2010-05-22 02:54:24 148480 ----a-w- c:\windows\system32\drivers\nwifi.sys
2010-05-22 02:54:23 36864 ----a-w- c:\windows\system32\cdd.dll
2010-05-22 02:54:03 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2010-05-22 02:53:31 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2010-05-22 02:53:23 7680 ----a-w- c:\windows\system32\spwmp.dll
2010-05-22 02:53:21 4096 ----a-w- c:\windows\system32\msdxm.ocx
2010-05-22 02:53:21 4096 ----a-w- c:\windows\system32\dxmasf.dll
2010-05-22 02:53:16 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-05-22 02:53:12 43520 ----a-w- c:\windows\system32\msdxm.tlb
2010-05-22 02:53:12 18432 ----a-w- c:\windows\system32\amcompat.tlb
2010-05-22 02:52:49 268288 ----a-w- c:\windows\system32\schannel.dll
2010-05-22 02:52:13 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2010-05-22 02:52:12 94720 ----a-w- c:\windows\system32\logagent.exe
2010-05-22 02:51:43 90112 ----a-w- c:\windows\system32\wshext.dll
2010-05-22 02:51:43 135168 ----a-w- c:\windows\system32\wshom.ocx
2010-05-22 02:51:42 155648 ----a-w- c:\windows\system32\wscript.exe
2010-05-22 02:51:42 135168 ----a-w- c:\windows\system32\cscript.exe
2010-05-22 02:51:41 180224 ----a-w- c:\windows\system32\scrobj.dll
2010-05-22 02:51:41 172032 ----a-w- c:\windows\system32\scrrun.dll
2010-05-22 02:51:23 61440 ----a-w- c:\windows\system32\msasn1.dll
2010-05-22 02:50:57 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2010-05-22 02:50:37 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-05-22 02:50:17 281600 ----a-w- c:\windows\system32\raschap.dll
2010-05-22 02:50:17 244224 ----a-w- c:\windows\system32\rastls.dll
2010-05-22 02:49:56 351232 ----a-w- c:\windows\system32\WSDApi.dll
2010-05-22 02:49:09 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-05-22 02:49:07 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-05-22 02:49:07 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-05-22 02:49:06 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-05-22 02:49:06 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-05-22 02:49:05 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2010-05-22 02:49:04 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-05-22 02:49:04 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-05-22 02:49:03 65024 ----a-w- c:\windows\system32\avicap32.dll
2010-05-22 02:49:02 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-05-22 02:19:25 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2010-05-22 01:57:29 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-05-22 01:55:53 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-22 01:42:51 52864 ----a-r- c:\windows\system32\SetupWizard.exe
2010-05-22 01:41:13 286208 ----a-w- c:\windows\system32\drivers\WMP54Gv41x86.sys
2010-05-22 01:37:20 2421760 ----a-w- c:\windows\system32\wucltux.dll
2010-05-22 01:36:25 87552 ----a-w- c:\windows\system32\wudriver.dll
2010-05-22 01:35:56 33792 ----a-w- c:\windows\system32\wuapp.exe
2010-05-22 01:35:56 171608 ----a-w- c:\windows\system32\wuwebv.dll
2010-05-22 01:16:21 74703 ----a-w- c:\windows\system32\mfc45.dll
2010-05-22 01:14:23 0 d-----w- c:\users\craig\appdata\roaming\iolo
2010-05-22 01:14:23 0 d-----w- c:\programdata\iolo
2010-05-22 01:01:42 406 ----a-w- c:\windows\system32\ioloBootDefrag.cfg
2010-05-22 00:53:58 0 d-sh--w- c:\windows\Installer
2010-05-22 00:53:43 126976 ----a-w- c:\windows\system32\iavlsp.dll
2010-05-22 00:53:43 118784 ----a-w- c:\windows\system32\iavlsp.dll.old.hkqbx

==================== Find3M ====================

2010-05-22 09:43:33 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-22 09:43:33 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-22 09:43:32 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-22 09:43:31 86016 ----a-w- c:\windows\inf\infstrng.dat
2008-01-21 02:57:01 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 17:09:07.18 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume1
Install Date: 12/26/2009 2:27:38 AM
System Uptime: 5/30/2010 12:08:29 PM (5 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6570E
Processor: AMD Athlon™ XP | Socket A | 1042/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 298 GiB total, 214.108 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 57 GiB total, 14.201 GiB free.
F: is FIXED (NTFS) - 298 GiB total, 297.523 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================

Authentium AntiVirus SDK - 2
avast! Free Antivirus
Browser Defender 2.0.6.15
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Linksys Wireless-G PCI Adapter Driver - WMP54Gv4.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Realtek AC'97 Audio
Spyware Doctor 7.0
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

==== End Of File ===========================

Attached Files

  • Attached File  ark.txt   3.68KB   17 downloads

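An added triage helper, written for this page and not part of DDS, ComboFix or anything the Malware Response Team posted, that walks a log like the one above and flags executables living in user-writable locations: binaries running out of Temporary Internet Files (as HijackThis[1].exe and dds[1].scr do in the process list above), autorun entries pointing there (the uRun HijackThis line), and executables dropped straight into the root of AppData\Roaming (as in the ComboFix "Other Deletions" list that appears later in this thread). The suspicious-location rules, the section-header parsing and the Finding type are this example's own assumptions, not rules the tools apply; the sample lines are copied from the logs in this thread.

```python
"""Triage pass over DDS / ComboFix style logs.

Added example for this thread, not part of DDS, ComboFix or anything the
helpers posted.  It flags executables that live in user-writable locations.
The suspicious-location rules below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Section headers: DDS writes "===== Name =====", ComboFix "((((( Name )))))".
SECTION_RE = re.compile(r"^(?:=+|\(+)\s*(.+?)\s*(?:=+|\)+)$")
# First Windows path ending in an executable extension; stops before arguments
# ("svchost.exe -k netsvcs") and ComboFix notes (". . . . failed to delete").
PATH_RE = re.compile(
    r"([a-z]:\\.*?\.(?:exe|scr|dll|sys|com|bat|pif|cpl))(?=$|\s|\")",
    re.IGNORECASE,
)
# DDS autorun lines: "uRun: [Name] path args" (per user), "mRun:" (machine).
RUN_RE = re.compile(r"^[um]Run:\s*\[", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    path: str
    reasons: list[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def classify(path: str) -> list[str]:
    """Reasons a path looks suspicious; an empty list means it looks ordinary."""
    p = path.lower()
    reasons = []
    if "temporary internet files" in p or "\\content.ie5\\" in p:
        reasons.append("runs out of the IE browser cache")
    if re.search(r"\\appdata\\roaming\\[^\\]+\.(?:exe|scr)$", p):
        reasons.append("executable dropped directly in AppData\\Roaming")
    if "\\appdata\\local\\temp\\" in p or p.startswith("c:\\windows\\temp\\"):
        reasons.append("runs from a temp directory")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, tracking the current section, and collect findings."""
    section = "(preamble)"
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = PATH_RE.search(line)
        if not m:
            continue
        reasons = classify(m.group(1))
        if not reasons:
            continue
        if RUN_RE.match(line):
            # A suspicious binary that is also an autorun entry survives reboots.
            reasons.append("registered as a Run-key startup entry")
        findings.append(Finding(section, m.group(1), reasons))
    return findings


# Lines copied from the DDS log above and the ComboFix log later in the thread.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Users\craig\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\63VWM4WN\HijackThis[1].exe
C:\Users\craig\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0OK6MTLU\dds[1].scr
============== Pseudo HJT Report ===============
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [HijackThis startup scan] c:\users\craig\appdata\local\microsoft\windows\temporary internet files\content.ie5\m72ixvty\HijackThis.exe /startupscan
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Users\craig\AppData\Roaming\sdra64.exe
C:\Users\craig\AppData\Roaming\ntos.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.path}\n    " + "; ".join(f.reasons))
```

Run against the sample it reports five entries: the two cache-resident HijackThis and dds binaries, the cache-resident HijackThis Run-key entry, and the two AppData\Roaming executables; the svchost, Avast, Sidebar and qmgr0.dat lines pass through without a finding. The rules are deliberately narrow; a real triage would extend them with a signature check on each flagged file.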


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:29 AM

Posted 02 June 2010 - 03:12 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 castrique

castrique
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 02 June 2010 - 06:55 PM

Thank you for your help. I'm afraid I may have messed things up. Tried this morning to use guide to remove spyware (rkill and malware). Now rkill doesn't stop processes. I have two computers at my desk, one OK and one not OK. I can download on one, save to disk and load on the other infected one if this helps. If I have made it impossible, guess I will have to scrap the hard drive.

Anyways, if you want to try that, that would be much appreciated.

thanks - craig

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:29 AM

Posted 02 June 2010 - 07:12 PM

What exactly have you "messed up"? It wasn't clear from the post whether you now had no Windows or internet access, or whether Rkill had just failed to work now...

Once I know where the PC is we can start fixing it.



#5 castrique

castrique
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 02 June 2010 - 07:33 PM

rkill doesn't work. Loads up Vista and can load repaired Vista. Some internet access, can use computer. On other computer now which is next to infected one.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:29 AM

Posted 02 June 2010 - 07:38 PM

Okay, then for safety use the clean PC to download Combofix and transfer. Other than that follow the instructions here exactly.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 castrique

castrique
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 02 June 2010 - 07:43 PM

OK - thanks - working on it now

#8 castrique

castrique
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 02 June 2010 - 10:19 PM

Well.. ran program, got message saying anti virus program running and to close program. Tried to shut down in task manager - processes and applications, thought closed all I saw. Continued with program and got warning again. Program continued. Had to leave room and when I came back computer had rebooted. Comfix ran again. Got message 'cannot find file whitedir01', then message saying running log, then message saying log at c:\combofix.txt. Looked and didn't see it. Did notice some new folders Qoobox and comfix.exe786c. Ran search for file and found it in this folder. Tried to cut and paste and put on CD. No copy allowed, said 'required permission not held by client'. Clicked on file properties and permission advanced, unchecked 'include inherited permission....' assigned rights to Users - Craig. Presto.. was able to copy files to CD, put in other computer and am uploading.
Also cut/paste below in case upload file messed up.

thanks - Craig

ComboFix 10-06-02.02 - craig 06/02/2010 21:21:05.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1023.482 [GMT -4:00]
Running from: D:\comfix.exe.exe
AV: iolo System Shield *On-access scanning enabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\divE62E.tmp
C:\Thumbs.db
C:\Users\craig\AppData\Roaming\64dlls.exe
C:\Users\craig\AppData\Roaming\intel64.exe
C:\Users\craig\AppData\Roaming\localsys64.exe
C:\Users\craig\AppData\Roaming\ntos.exe
C:\Users\craig\AppData\Roaming\oembios.exe
C:\Users\craig\AppData\Roaming\sdra64.exe
C:\Users\craig\AppData\Roaming\sdra73.exe
C:\Users\craig\AppData\Roaming\swin32.exe
C:\Users\craig\AppData\Roaming\twex.exe
C:\Users\craig\AppData\Roaming\twext.exe
C:\Users\craig\AppData\Roaming\wsnpoema.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://download.iolo.net
.
((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-03 01:44:43 . 2010-06-03 01:44:43 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-06-03 00:50:34 . 2010-06-03 00:50:36 -------- d-----w- C:\comfix.exe
2010-05-28 01:17:09 . 2010-05-28 01:17:09 -------- d-----w- C:\Program Files\Trend Micro
2010-05-28 01:01:28 . 2010-05-28 10:34:01 -------- d-----w- C:\iolo
2010-05-26 01:23:11 . 2010-04-23 14:13:55 2048 ----a-w- C:\Windows\system32\tzres.dll
2010-05-11 22:17:39 . 2010-01-29 15:40:03 738816 ----a-w- C:\Windows\system32\inetcomm.dll
2010-05-09 00:56:55 . 2010-05-09 00:56:55 -------- d-----w- C:\ProgramData\PIXELA
2010-05-09 00:50:57 . 2010-05-09 00:50:57 -------- d-----w- C:\Program Files\PIXELA
2010-05-09 00:50:47 . 2010-05-09 00:50:47 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-05-08 03:25:33 . 2010-05-08 03:41:15 -------- d-----w- C:\ProgramData\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 10:34:02 . 2009-12-27 02:23:38 -------- d-----w- C:\ProgramData\iolo
2010-05-27 11:03:59 . 2010-04-18 18:36:42 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2010-05-22 19:00:37 . 2009-12-29 12:24:31 -------- d-----w- C:\Program Files\Vuze
2010-05-12 15:21:16 . 2009-12-26 21:38:53 221568 ------w- C:\Windows\system32\MpSigStub.exe
2010-05-12 07:02:43 . 2006-11-02 11:18:33 -------- d-----w- C:\Program Files\Windows Mail
2010-05-08 03:41:53 . 2009-12-27 23:37:40 -------- d-----w- C:\Program Files\DivX
2010-05-08 03:38:41 . 2009-12-27 23:45:16 -------- d-----w- C:\Program Files\Common Files\PX Storage Engine
2010-05-08 03:35:24 . 2009-12-27 23:37:42 -------- d-----w- C:\Program Files\Common Files\DivX Shared
2010-04-20 02:57:13 . 2010-04-20 02:57:13 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2010-04-14 01:33:58 . 2010-04-13 03:29:22 -------- d-----w- C:\ProgramData\Symantec
2010-04-13 03:29:42 . 2010-04-13 03:29:22 -------- d-----w- C:\ProgramData\Norton
2010-04-13 03:29:23 . 2010-04-13 03:29:22 -------- d-----w- C:\Program Files\Norton Security Scan
2010-04-13 03:29:01 . 2010-04-13 03:29:01 -------- d-----w- C:\ProgramData\NortonInstaller
2010-04-13 03:29:01 . 2010-04-13 03:29:01 -------- d-----w- C:\Program Files\NortonInstaller
2010-04-04 23:50:21 . 2010-01-24 13:44:23 -------- d-----w- C:\ProgramData\UAB
2010-03-05 14:01:02 . 2010-04-15 01:12:33 420352 ----a-w- C:\Windows\system32\vbscript.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47:00 333192 ----a-w- C:\Program Files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "C:\Program Files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 17:47:00 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "C:\Program Files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 17:47:00 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 04:28:04 1233920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-21 02:33:00 1008184]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 12:43:42 604704]
"iolo Startup"="C:\Program Files\iolo\Common\Lib\ioloLManager.exe" [2009-12-09 15:26:02 346040]
"Windows Mobile-based device management"="C:\Windows\WindowsMobile\wmdSync.exe" [2008-01-21 02:32:50 215552]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 22:46:36 1135912]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Camera Monitor SD.lnk - C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2010-5-8 541976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:8e,ed,b6,e6,f7,86,ca,01

R3 rt61x86;RT61 Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2008-11-26 18:51:02 333824]
S1 ElRawDisk;ElRawDisk;C:\Windows\system32\drivers\ElRawDsk.sys [2009-09-08 14:40:14 20392]
S2 AMP;AMP;C:\Windows\system32\DRIVERS\amp.sys [2009-10-28 22:25:42 122408]
S2 AMPSE;AMPSE;C:\Windows\system32\DRIVERS\ampse.sys [2009-10-28 22:25:40 1117224]
S2 ASKService;ASKService;C:\Program Files\AskBarDis\bar\bin\AskService.exe [2009-04-02 17:47:02 464264]
S2 ASKUpgrade;ASKUpgrade;C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 17:47:04 234888]
S2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2009-12-16 22:46:18 650160]
S2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2009-12-16 22:46:18 650160]
S2 vseamps;vseamps;C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [2009-10-28 22:11:26 92712]
S2 vsedsps;vsedsps;C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2009-10-28 22:11:32 117288]
S2 vseqrts;vseqrts;C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2009-10-28 22:11:34 113192]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 C:\Windows\Tasks\Norton Security Scan for craig.job
- C:\Program Files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-04-13 03:29:35 . 2010-04-29 04:04:28]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
LSP: C:\Windows\system32\iavlsp.dll
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SansaDispatch - C:\Users\craig\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
AddRemove-Sansa Updater - C:\Users\craig\AppData\Roaming\SanDisk\Sansa Updater\SansaUpdaterInstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 22:19:50
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = C:\Users\craig\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe?&t/??=&descri?/??n=&platf????&is-debug=&r????9????1???W???????2???????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2275735899-2103511218-471657933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*f*o*@*Ïk)YÒc³Y1*0*!k_N
N Y-*s^•N¾}-*A~-NHr\OpenWithList]
@Class="Shell"
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-06-02 22:34:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-03 02:32:54

Pre-Run: 17,764,499,456 bytes free
Post-Run: 17,571,737,600 bytes free

- - End Of File - - AAE94A8A2B554B222B5DDA20D6D270B6




#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:29 AM

Posted 03 June 2010 - 03:01 PM

Nice work finding the log.

There is an easier way but don't worry, your way was cool.

At this point I must ask you about something showing on the PC

The Ask toolbar is not recommended. This toolbar enhances internet browsing and provides a direct link to the "ask.com" search engine. This program is not known to be bundled with spyware - the company strongly denies that the toolbar is malware.

Please read why it might be good to remove it here.

If you choose to remove it then follow the instructions below.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click (or right-click, if you are using Vista) the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":



AskBarDis



Additional instructions can be found here if needed.



Next please rerun Combofix as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
RegLock::
[HKEY_USERS\S-1-5-21-2275735899-2103511218-471657933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*f*o*@*Ïk)YÒc³Y1*0*!k_N
N Y-*s^•N¾}-*A~-NHr\OpenWithList]


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE

#10 castrique

castrique
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 03 June 2010 - 10:29 PM

Well... this has been a rough evening. Followed instructions. When I ran ComboFix, got a message that iolo spyware was running. Looked at processes and applications, could not see anything; maybe related to the hxxp iolo entry in the last log. Then got a message that an update for ComboFix was available and did I want to download. Said no. Then another message saying the ComboFix program I had was not valid or something like that and that I needed to download a newer version from http://download.bleepingcomputer.com/sUBs/CombFix.exe or http://www.forospyware.com/uSBs/ComboFix.exe. I 'Xed' out of this window. Program ran, rebooted, ran again. ComboFix text file ended up in folder c:\comfix.exe1172c. Had a terrible time trying to put it on CD or cut/paste. Kept trying various versions of security settings and assigning privileges but I don't really know what I'm doing. Looking for users and groups, some with my name as admin, others not. Nothing worked. Finally assigned rights to Everyone - can't even remember how I got to that screen. Didn't work so rebooted. Then amazingly was able to cut/paste to desktop. Still had trouble getting to CD. Ended up inserting a new CD and dragged the file to the CD drive and ...presto... wrote the file, which is attached. Was going to send earlier but think your site was down.

Anyway - here is the file below and attached. Changed the name of the file in all the iterations I was trying to get it copied.

thanks - Craig


ComboFix 10-06-02.02 - craig 06/03/2010 20:11:00.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1023.430 [GMT -4:00]
Running from: C:\Users\craig\Desktop\comfix.exe\comfix.exe.exe
Command switches used :: C:\Users\craig\Desktop\comfix.exe\CFScript.txt.txt
AV: iolo System Shield *On-access scanning enabled* (Updated) {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.
PEV Error: AppFile
PEV Error: AppFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\craig\AppData\Roaming\64dlls.exe
C:\Users\craig\AppData\Roaming\intel64.exe
C:\Users\craig\AppData\Roaming\localsys64.exe
C:\Users\craig\AppData\Roaming\ntos.exe
C:\Users\craig\AppData\Roaming\oembios.exe
C:\Users\craig\AppData\Roaming\sdra64.exe
C:\Users\craig\AppData\Roaming\sdra73.exe
C:\Users\craig\AppData\Roaming\swin32.exe
C:\Users\craig\AppData\Roaming\twex.exe
C:\Users\craig\AppData\Roaming\twext.exe
C:\Users\craig\AppData\Roaming\wsnpoema.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
.
---- Previous Run -------
.
C:\divE62E.tmp
C:\Thumbs.db
C:\Users\craig\AppData\Roaming\64dlls.exe
C:\Users\craig\AppData\Roaming\intel64.exe
C:\Users\craig\AppData\Roaming\localsys64.exe
C:\Users\craig\AppData\Roaming\ntos.exe
C:\Users\craig\AppData\Roaming\oembios.exe
C:\Users\craig\AppData\Roaming\sdra64.exe
C:\Users\craig\AppData\Roaming\sdra73.exe
C:\Users\craig\AppData\Roaming\swin32.exe
C:\Users\craig\AppData\Roaming\twex.exe
C:\Users\craig\AppData\Roaming\twext.exe
C:\Users\craig\AppData\Roaming\wsnpoema.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://download.iolo.net
hxxp://au.download.windowsupdate.com
.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-04 00:33:51 . 2010-06-04 00:33:51 -------- d-----w- C:\Users\Default\AppData\Local\temp
2010-06-03 00:50:34 . 2010-06-03 00:50:36 -------- d-----w- C:\comfix.exe
2010-05-28 01:17:09 . 2010-05-28 01:17:09 -------- d-----w- C:\Program Files\Trend Micro
2010-05-28 01:01:28 . 2010-05-28 10:34:01 -------- d-----w- C:\iolo
2010-05-26 01:23:11 . 2010-04-23 14:13:55 2048 ----a-w- C:\Windows\system32\tzres.dll
2010-05-11 22:17:39 . 2010-01-29 15:40:03 738816 ----a-w- C:\Windows\system32\inetcomm.dll
2010-05-09 00:56:55 . 2010-05-09 00:56:55 -------- d-----w- C:\ProgramData\PIXELA
2010-05-09 00:50:57 . 2010-05-09 00:50:57 -------- d-----w- C:\Program Files\PIXELA
2010-05-09 00:50:47 . 2010-05-09 00:50:47 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-05-08 03:25:33 . 2010-05-08 03:41:15 -------- d-----w- C:\ProgramData\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-28 10:34:02 . 2009-12-27 02:23:38 -------- d-----w- C:\ProgramData\iolo
2010-05-27 11:03:59 . 2010-04-18 18:36:42 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2010-05-22 19:00:37 . 2009-12-29 12:24:31 -------- d-----w- C:\Program Files\Vuze
2010-05-12 15:21:16 . 2009-12-26 21:38:53 221568 ------w- C:\Windows\system32\MpSigStub.exe
2010-05-12 07:02:43 . 2006-11-02 11:18:33 -------- d-----w- C:\Program Files\Windows Mail
2010-05-08 03:41:53 . 2009-12-27 23:37:40 -------- d-----w- C:\Program Files\DivX
2010-05-08 03:38:41 . 2009-12-27 23:45:16 -------- d-----w- C:\Program Files\Common Files\PX Storage Engine
2010-05-08 03:35:24 . 2009-12-27 23:37:42 -------- d-----w- C:\Program Files\Common Files\DivX Shared
2010-04-20 02:57:13 . 2010-04-20 02:57:13 0 ---ha-w- C:\Windows\system32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2010-04-14 01:33:58 . 2010-04-13 03:29:22 -------- d-----w- C:\ProgramData\Symantec
2010-04-13 03:29:42 . 2010-04-13 03:29:22 -------- d-----w- C:\ProgramData\Norton
2010-04-13 03:29:23 . 2010-04-13 03:29:22 -------- d-----w- C:\Program Files\Norton Security Scan
2010-04-13 03:29:01 . 2010-04-13 03:29:01 -------- d-----w- C:\ProgramData\NortonInstaller
2010-04-13 03:29:01 . 2010-04-13 03:29:01 -------- d-----w- C:\Program Files\NortonInstaller
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 17:47:00 333192 ----a-w- C:\Program Files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "C:\Program Files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 17:47:00 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "C:\Program Files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 17:47:00 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 04:28:04 1233920]
"SansaDispatch"="C:\Users\craig\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-21 02:33:00 1008184]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 12:43:42 604704]
"iolo Startup"="C:\Program Files\iolo\Common\Lib\ioloLManager.exe" [2009-12-09 15:26:02 346040]
"Windows Mobile-based device management"="C:\Windows\WindowsMobile\wmdSync.exe" [2008-01-21 02:32:50 215552]
"DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 22:46:36 1135912]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Camera Monitor SD.lnk - C:\Program Files\PIXELA\Everio MediaBrowser\MBCameraMonitor.exe [2010-5-8 541976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:8e,ed,b6,e6,f7,86,ca,01

R3 rt61x86;RT61 Wireless Driver for Windows Vista;C:\Windows\system32\DRIVERS\netr61.sys [2008-11-26 18:51:02 333824]
S1 ElRawDisk;ElRawDisk;C:\Windows\system32\drivers\ElRawDsk.sys [2009-09-08 14:40:14 20392]
S2 AMP;AMP;C:\Windows\system32\DRIVERS\amp.sys [2009-10-28 22:25:42 122408]
S2 AMPSE;AMPSE;C:\Windows\system32\DRIVERS\ampse.sys [2009-10-28 22:25:40 1117224]
S2 ASKService;ASKService;C:\Program Files\AskBarDis\bar\bin\AskService.exe [2009-04-02 17:47:02 464264]
S2 ASKUpgrade;ASKUpgrade;C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 17:47:04 234888]
S2 ioloFileInfoList;iolo FileInfoList Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2009-12-16 22:46:18 650160]
S2 ioloSystemService;iolo System Service;C:\Program Files\iolo\common\lib\ioloServiceManager.exe [2009-12-16 22:46:18 650160]
S2 vseamps;vseamps;C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [2009-10-28 22:11:26 92712]
S2 vsedsps;vsedsps;C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [2009-10-28 22:11:32 117288]
S2 vseqrts;vseqrts;C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [2009-10-28 22:11:34 113192]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 C:\Windows\Tasks\Norton Security Scan for craig.job
- C:\Program Files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-04-13 03:29:35 . 2010-04-29 04:04:28]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
LSP: C:\Windows\system32\iavlsp.dll
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = C:\Users\craig\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe?&t/??=&descri?/??n=&platf????&is-debug=&r????9????1???W???????2???????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2275735899-2103511218-471657933-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*i*n*f*o*@*Ïk)YÒc³Y1*0*!k_N
N Y-*s^•N¾}-*A~-NHr\OpenWithList]
@Class="Shell"
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\SOUNDMAN.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2010-06-03 20:55:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-04 00:53:52

Pre-Run: 15,955,316,736 bytes free
Post-Run: 15,825,846,272 bytes free

- - End Of File - - 18229F9B30562B841195DAD78873B7BD

Attached Files

  • Attached File  file.txt   10.13KB   9 downloads


#11 castrique

castrique
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 03 June 2010 - 10:46 PM

Also ran Control Panel - Add/Remove Programs and askbar didn't show up, so ran ComboFix. Then was looking at the log and saw a reference to askbar in c:\programs\askbar. Opened the folder and there was an uninstall icon, so clicked that and it says the program is now uninstalled.

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:29 AM

Posted 04 June 2010 - 05:13 PM

Please update ComboFix if it asks you to in the future.

Is Iolo something that you installed or not?
m0le is a proud member of UNITE

#13 castrique

castrique
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 04 June 2010 - 06:25 PM

iolo is the company that does System Mechanic Professional 8.0 ( http://iolo.com/system-mechanic/pro/ ) - the virus program I had installed, which I think has been hijacked.

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:08:29 AM

Posted 04 June 2010 - 07:38 PM

Unlikely that it has been hijacked but it may be struggling under the weight of the infection.

Please uninstall the program; we will replace it at the end of the fix.

While we're removing programs, please read this about the Ask bar

The Ask toolbar is not recommended. This toolbar enhances internet browsing and provides a direct link to the "ask.com" search engine. This program is not known to be bundled with spyware - the company strongly denies that the toolbar is malware.

Please read why it might be good to remove it here.

If you choose to remove it then follow the instructions below.

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click (or right-click, if you are using Vista) the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":



AskBarDis



Additional instructions can be found here if needed.


Please run Combofix again

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
m0le is a proud member of UNITE
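As an added triage example for the ComboFix logs and the CFScript step above (this is not ComboFix's code and was not posted by anyone in the thread): a Python script that parses the log sections ComboFix prints, lists the entries it reported as "failed to delete" (the BITS qmgr files that m0le then targets with a File:: script), flags Run-key entries that launch from a user profile directory, and notes a user-level proxy pointing at the local host for review. The sample log is constructed from excerpts of the logs posted above; the section names and line formats are the ones ComboFix itself uses.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own code)."""
import re

# Constructed sample, assembled from excerpts of the logs posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Users\craig\AppData\Roaming\ntos.exe
C:\Users\craig\AppData\Roaming\sdra64.exe
C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2009-04-11 04:28:04 1233920]
"SansaDispatch"="C:\Users\craig\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [BU]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
"""

# Section banners look like "((((( Name )))))" or "------- Name -------".
SECTION_RE = re.compile(r"^[(\-]{3,}\s*(.+?)\s*[)\-]{3,}\s*$")
# Registry value lines inside the Reg Loading Points section: "name"="target" [...]
RUN_ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"')
# Executables living under a user profile's AppData are unusual autostart targets.
PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")


def parse_sections(text):
    """Split the log into {section name: [non-empty lines]}, dropping '.' spacers."""
    sections, current = {}, "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.strip() in ("", "."):
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return the three finding lists a helper would act on first."""
    sections = parse_sections(text)
    findings = {"failed_to_delete": [], "profile_run_entries": [], "proxy_review": []}
    for line in sections.get("Other Deletions", []):
        if line.endswith("failed to delete"):
            findings["failed_to_delete"].append(line.split(" . . . .")[0].strip())
    key = None
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which hive/key the following values belong to
            continue
        m = RUN_ENTRY_RE.match(line)
        if m and key and key.lower().endswith(r"\currentversion\run"):
            if PROFILE_RE.match(m.group("target")):
                findings["profile_run_entries"].append((key, m.group("name"), m.group("target")))
    for line in sections.get("Supplementary Scan", []):
        m = PROXY_RE.match(line)
        # A proxy on the local host may be a legitimate filter or an interception point:
        # flagged for review only, not declared malicious.
        if m and ("127.0.0.1" in m.group(1) or "localhost" in m.group(1).lower()):
            findings["proxy_review"].append(m.group(1).strip())
    return findings


def cfscript_for_failed(paths):
    """Render the File:: block in the CFScript form shown in this thread."""
    return "File::\n" + "\n".join(paths) + "\n" if paths else ""


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    print(cfscript_for_failed(result["failed_to_delete"]))
```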

#15 castrique

castrique
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 04 June 2010 - 07:42 PM

OK - will try. Will click OK on the update window for ComboFix.



