antispyware soft

  • This topic is locked
10 replies to this topic

#1 egstern1


  • Members
  • 19 posts
  • Gender:Male
  • Local time:02:32 PM

Posted 15 June 2010 - 07:11 AM

I'm posting here after being directed from http://www.bleepingcomputer.com/forums/t/324177/antispyware-soft-residual-problems-after-removal/

I mostly run Linux but my children run Windows. My son picked up an infection with the Antispyware Soft rogue spyware/scareware virus. I was able to remove most of it with MalwareBytes and by removing the startup programs and bad registry entries. I also removed the bad proxy entry. So now I can mostly use the internet, but there are still problems. When I try to run Windows Update, Internet Explorer says the page cannot be displayed. When I go to windowsupdate.microsoft.com with the Firefox browser, it says that the connection was reset. When I go there from an uninfected machine I get a message from Microsoft to use Internet Explorer with ActiveX turned on, so I know the virus is blocking things at a low level. I can get to other microsoft.com sites, just not ones that seem related to updates. Other weird network things also occur. When I am doing a Google search for virus information I will get hits from many sites, such as bleepingcomputer.com. If I hover over the link, it shows the correct URL. If I right-click on the link to open it in a new tab, it sends me to some other unrelated garbage site. If I right-click and copy the link location and paste it into the URL bar in a new tab, I get to the correct spot. It is very weird that I'm having problems with both IE and Firefox.

I have reset all the settings in IE without any resolution. I have checked the network settings for DNS and gateway. There is no firewall running. The hosts file is clean and LMHOSTS is not activated. I have looked through the settings in Firefox but I don't see anything that would be likely to cause this. I have dumped the registry and looked through it for anything that looks suspiciously like it is blocking part of the microsoft domain, but I didn't see anything.

The Windows Update problems occur in a newly created user account and also in safe mode. The Firefox problems happen even with a fresh profile.

The system is Windows XP Professional 32 bit SP3.

I successfully ran DDS, logs are attached below. Running GMER, after three hours the desktop was stuck on the wallpaper with no icons, start menu or taskbar. The arrow followed the mouse but the system was unresponsive to pressing the Windows key and ctrl-alt-delete. There was still obvious disk activity. After 10 hours there was no longer any obvious disk activity. The system did respond to ping on the network. I had to reset it to get back to something that listened to me.

My attempt to post directly from the infected system was blocked with the "the connection was reset" error so I copied the log files to a flash drive and am posting from a different system.

The DDS log is below. Any help would be welcome. Thanks.


DDS (Ver_10-03-17.01) - NTFSx86

Run by Eric at 20:34:25.29 on Mon 06/14/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1585 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs





C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc







C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Eric\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\eric\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [SkyTel] SkyTel.EXE

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe


mRun: [Alcmtr] ALCMTR.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231083658281

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

TCP: {D008AEC3-AC86-48B1-B8B1-76362DA1FE8E} =,

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eric\applic~1\mozilla\firefox\profiles\trjl57ij.default\

FF - plugin: c:\documents and settings\eric\local settings\application data\google\update\\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}


c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2010-06-15 01:33:17 0 ----a-w- c:\documents and settings\eric\defogger_reenable

2010-06-13 23:58:14 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys

2010-06-04 05:24:07 0 d-sh--w- c:\documents and settings\eric\IECompatCache

2010-06-02 23:05:21 0 d--h--w- c:\windows\system32\GroupPolicy

2010-05-31 01:29:38 0 d-----w- c:\program files\Trend Micro

2010-05-31 01:09:00 0 d-sh--w- c:\documents and settings\eric\PrivacIE

2010-05-29 02:14:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-29 02:14:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-29 02:14:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-29 02:14:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

============= FINISH: 20:35:41.81 ===============

Attached Files



#2 Farbar


    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 20 June 2010 - 06:23 PM

Hi egstern1,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#3 egstern1

  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Local time:02:32 PM

Posted 20 June 2010 - 08:54 PM

I have not modified anything on that system since posting. It remains as I left it. The Windows Update web site is blocked for both Internet Explorer and Firefox. Clicking on search results returned by Google sends me to bogus advertisement web sites.


#4 Farbar


    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 21 June 2010 - 01:23 AM

  1. Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    Run GMER, uncheck all boxes except the box next to Sections (C drive should remain checked), click Scan.
    When it has finished, press Save to save the log and post it in your reply. It will not take more than a minute.

  2. Please download MBR.EXE by GMER. Save the file in your Windows directory (C:\Windows).

    Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:

    @echo off
    rem Remove a stale log so the file opened below comes from this run only.
    if exist mbr.log del mbr.log
    rem mbr.exe was saved to C:\Windows, which is on the PATH; -t writes mbr.log in the current folder.
    mbr.exe -t
    rem Wait about one second so the log is fully written before it is opened
    rem (ping needs a target host; without one it only prints its usage and does not pause).
    ping -n 2 -w 1000 127.0.0.1 >nul
    start mbr.log

    • Go to the File menu at the top of Notepad and select Save as.
    • Select Save in: Desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click Save.
    • Close Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A Notepad window opens; copy and paste the content (log.txt) into your reply.

#5 egstern1

  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Local time:02:32 PM

Posted 21 June 2010 - 06:57 AM

Thanks for your help.

This is the log from GMER:

GMER - http://www.gmer.net
Rootkit scan 2010-06-21 06:53:39
Windows 5.1.2600 Service Pack 3
Running: 1bmy92gf.exe; Driver: C:\DOCUME~1\Eric\LOCALS~1\Temp\kgriyfog.sys

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\System32\drivers\afd.sys entry point in ".rsrc" section [0xA8135C94]
? C:\DOCUME~1\Eric\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1160] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1160] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1160] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1160] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1160] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F2000A
.text C:\WINDOWS\Explorer.EXE[1540] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1540] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[1540] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2308] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2308] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0138000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\System32\drivers\afd.sys suspicious modification

---- EOF - GMER 1.0.15 ----

And this is the log for MBR:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89F70EC5]<<
kernel: MBR read successfully
user & kernel MBR OK
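GMER's two findings above, afd.sys with its entry point inside the ".rsrc" section and a "suspicious modification" of the same file, are the signature of the TDL3/TDSS infection technique: the rootkit writes its loader into the resource section of an existing boot-start driver and repoints the PE entry point at it, so the driver runs rootkit code before anything else. The script below is an added example, not GMER's code and not part of the original thread: it parses the PE headers of a driver image and reports which section covers the entry point, flagging ".rsrc". The two images it checks are constructed in the script (minimal PE32 headers with no code bytes; the section layout and the 0x23C94 entry offset are invented for illustration, not taken from afd.sys).

```python
"""Report which PE section holds a driver's entry point; flag .rsrc (TDL3-style patch).

Added example, not GMER's code.  Usage:  python check_entry_section.py afd.sys
"""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size), ...]) for a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%X" % magic)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    sections = []
    table = opt + opt_size                   # section table follows the optional header
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)   # VirtualSize, VirtualAddress
        sections.append((name, vaddr, vsize))
    return entry_rva, sections


def entry_point_section(data):
    """Name of the section whose virtual range covers AddressOfEntryPoint, or None."""
    entry_rva, sections = parse_pe(data)
    for name, vaddr, vsize in sections:
        if vaddr <= entry_rva < vaddr + vsize:
            return name
    return None


def entry_in_rsrc(data):
    """True when the entry point lies in .rsrc; a resource section never holds a driver's real DriverEntry."""
    return entry_point_section(data) == ".rsrc"


def build_sample_pe(entry_rva, sections):
    """Constructed minimal PE32 header (no code bytes), used here only as test input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew -> PE signature right after the DOS header
    opt_size = 224                           # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    vsize, vaddr, vsize, 0, 0, 0, 0, 0, 0)
        for name, vaddr, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Invented section layout standing in for a 32-bit driver; the offsets are illustrative only.
SAMPLE_SECTIONS = [(".text", 0x1000, 0x20000), (".data", 0x21000, 0x2000), (".rsrc", 0x23000, 0x1000)]
CLEAN_DRIVER = build_sample_pe(0x1040, SAMPLE_SECTIONS)      # entry point inside .text
PATCHED_DRIVER = build_sample_pe(0x23C94, SAMPLE_SECTIONS)   # entry point moved into .rsrc


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            image = f.read()
        flag = "  <-- suspicious, entry point in resource section" if entry_in_rsrc(image) else ""
        print("%s: entry point in %s%s" % (path, entry_point_section(image), flag))
```

Two caveats when using this on a real box. First, run it against the disk from a clean boot (for example mounting the XP partition from the Linux machine the poster mentions): while the TDL3 driver is active it filters disk reads of the infected file and hands back a clean-looking copy, which is also why scans from inside the running system came back empty until GMER looked at the loaded kernel image. Second, an entry point in .rsrc is a heuristic, not proof; some packers do the same, so confirm by comparing the file's hash with a known-good copy of the driver from installation media or an uninfected machine.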

#6 Farbar


    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 21 June 2010 - 07:54 AM

  1. We are going to run this special tool.
    • Please download TDSSKiller.exe and save it to your desktop.
    • Run TDSSKiller.exe.
    • When it has finished, press any key to continue.
    • Let it reboot if needed and tell me whether it needed a reboot.
    • It also writes a txt file to the C:\ directory (a file name starting with TDSSKiller). Please attach it to your reply.

  2. Tell me also if the issues are resolved.

#7 egstern1

  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Local time:02:32 PM

Posted 22 June 2010 - 11:13 AM

I ran the TDSSKiller application. It said it found and removed an infection in afd and rebooted. I can now get to Windows Update and my first pass at doing google search seemed to work correctly. The TDSSKiller log file is attached. Thank you very much.


Attached Files

#8 Farbar


    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 22 June 2010 - 12:48 PM

The rootkit is indeed taken care of.
  1. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Download JavaRa from Javara for Java update or directly from here.
    Use the tool to remove old and redundant versions of the Java Runtime Environment. The latest version is Java 6 update 20. Please uninstall any remaining versions if the tool could not uninstall them (look for any entry on Add/Remove that contains Java, JRE or Java Run Time), they are:

    Java™ 6 Update 17
    Java™ 6 Update 2
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7
    Java™ SE Runtime Environment 6

  2. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

  4. Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt

#9 egstern1

  • Topic Starter

  • Members
  • 19 posts
  • Gender:Male
  • Local time:02:32 PM

Posted 24 June 2010 - 06:45 AM

I removed the old Java as requested and updated to the latest version. I downloaded and ran the cleaner tool you recommended. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46

Database version: 4232

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/24/2010 6:30:27 AM
mbam-log-2010-06-24 (06-30-27).txt

Scan type: Quick scan
Objects scanned: 137793
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I am attaching the dds log

Thank you very much for your help.


Attached Files

  • Attached File  DDS.txt   7.41KB   5 downloads

#10 Farbar


    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 24 June 2010 - 06:54 AM

First of all thank you for the donation.

It looks good but I strongly recommend doing the following:
  1. You are missing one important program on that computer: An antivirus.
    This is somewhat suicidal in today's digital world.
    You need to install an antivirus program as soon as you can. I recommend this good free antivirus:

    • Download the installer from softpedia.com link as it has a secure download mirror. Install and update it.
    • You may run a full scan too after doing the rest of the steps.

  2. You may delete any tool or log we used from your computer.

  3. First set a new Restore Point, then remove the old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools cannot access it to delete these bad files, which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

    To set a new restore point:
    • Go to Start > Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

  4. I recommend using Site Advisor for safe surfing. It is a free extension both for Internet Explorer and Firefox. When you search a site it gives you an indication of how safe a site is.

  5. I recommend installing this small application for safe surfing: Javacools© SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
    • Download and install it.
    • Update it manually by clicking on Updates in the left pane and then Check for Updates.
    • Then enable all the protections by clicking on Protection Status on the left pane. Then click on Enable All Protection.
    • The free version doesn't have an automatic update. Update it once in two or three weeks and enable all protection again.

Happy Surfing egstern1.

#11 Farbar


    Just Curious

  • Security Developer
  • 21,730 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:32 PM

Posted 29 June 2010 - 02:53 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
