Rogue security program, Need help.


24 replies to this topic

#1 BenGough1992
  • Members
  • 18 posts

Posted 22 June 2010 - 10:00 PM

I have been told to create a new topic in this forum from another topic; that topic's link is below:
http://www.bleepingcomputer.com/forums/ind...p;#entry1811961

(Here is what I have said so far)
I recently got an email from my friend saying that I could get some free iTunes voucher codes, so I opened the program while using AVG 9.0. My computer then changed its theme to the Windows 98 theme and started to shut down, but I went into the Run tool and aborted the shutdown.

I then scanned with AVG for viruses but had no luck, so I installed Avast 5, then uninstalled AVG.
Avast found 7 infected files, then I deleted them and was told to restart, so I did and everything was as normal.
But then Windows was asking to update, so I did, but 3 security updates failed (those 3 updates were the only ones there).

While I was trying to find out why Windows Update was not working, random pop-ups opened every so often. Some of the websites tried to download viruses on opening, but others were just scams. Avast stopped the viruses from downloading immediately. I then ran a boot scan with Avast and found 3 infected files (deleted).

Then more pop-ups opened more frequently, and many websites on Google.com were redirected to the same websites as the pop-ups. I was then told to get Malwarebytes Anti-Malware; this program found 5 infected files (deleted).


Pop-up Examples
hxxp://cndot.net/?xurl=http://hytr81zz02.com/RKL2oxJe6w6qwGo093f67c7b910289f036f95a2a1501b0eb06c&xref=http://cndot.net/search.php

hxxp://currenteliminator.com/?xurl=http://hytr81zz02.com/KZN1pyLD734jSDs00f9dc06b876dfed7e9af4960fd05b80315g&xref=http://currenteliminator.com/search.php

I don't get any virus warnings, but I still cannot access updates and I still get pop-ups (no Google.com redirecting).

Another problem is with shortcuts: they simply don't work. I click on any shortcut and nothing happens, and when I install programs there is a folder in the Start menu but no links inside.
I have found a suspicious program running in Task Manager, "ifCG0Vq5.exe", which keeps opening randomly.
Unable to hibernate the computer.


Think that's all I need to say at the moment, but if not just say and I will provide more info. Thanks.

Attached Files




#2 BenGough1992
  • Topic Starter
  • Members
  • 18 posts

Posted 24 June 2010 - 12:59 PM

will anyone help?

EDIT: Please be patient. There are over 290 unanswered topics in this forum at present, and the current average wait time to receive help is 7 days. ~BP

Edited by Budapest, 24 June 2010 - 04:39 PM.


#3 shelf life
  • Malware Response Team
  • 2,657 posts

Posted 27 June 2010 - 07:14 AM

hi BenGough1992,

If you still need help you can download and post a DDS log:

Please download DDS and save it to your desktop.
Double click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Please Copy/paste both logs in your reply.

How Can I Reduce My Risk to Malware?


#4 BenGough1992
  • Topic Starter
  • Members
  • 18 posts

Posted 27 June 2010 - 10:08 PM

Here are the two reports.

Report 1

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ben at 3:35:03.93 on 23/06/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1007.308 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
C:\WINDOWS\system32\DllHost.exe
G:\Games and Programs\Adobe Programs\Adobe Photoshop CS5\Photoshop.exe
C:\Documents and Settings\Ben\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {377D8121-EFAA-4D1C-981B-8BFAD9F10DE3} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-6 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-6 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-6 40384]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-10-16 54752]
R2 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-15 304464]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-6 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-6 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-15 20952]
R3 MOSUMAC;USB-Ethernet Driver;c:\windows\system32\drivers\MOSUMAC.SYS [2010-2-5 41088]
S0 gebyox;gebyox;c:\windows\system32\drivers\efjjckxt.sys --> c:\windows\system32\drivers\efjjckxt.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-10-16 1684736]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2009-10-16 17149]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-12-7 1527900]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [2010-2-2 49784]
S3 UPnPService;UPnPService;c:\program files\common files\magix shared\upnpservice\UPnPService.exe [2009-12-7 544768]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\windows\system32\drivers\wpro_40_1340.sys --> c:\windows\system32\drivers\WPRO_40_1340.sys [?]

=============== Created Last 30 ================

2010-06-23 02:34:21 0 ----a-w- c:\documents and settings\ben\defogger_reenable
2010-06-22 22:11:59 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-22 22:11:59 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-22 22:11:58 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-06-22 22:11:57 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-06-22 22:11:56 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-06-22 22:11:54 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-06-22 22:11:51 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-06-22 22:11:47 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2010-06-22 14:52:33 40 ----a-w- c:\windows\popcinfot.dat
2010-06-21 01:30:54 0 d-----w- c:\program files\McAfee
2010-06-21 01:25:35 0 d-----w- c:\docume~1\ben\applic~1\LimeWire
2010-06-16 04:07:57 0 d-----w- C:\Windows Sounds
2010-06-16 03:59:00 0 d-----w- c:\windows\ShellNew
2010-06-15 07:44:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-15 07:44:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-15 07:44:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-15 02:04:04 0 ----a-w- C:\debug
2010-06-10 21:20:47 0 d-----w- c:\program files\CCleaner
2010-06-10 20:57:58 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-06-10 20:56:57 525568 -c--a-w- c:\windows\system32\dllcache\tridxp.dll
2010-06-10 20:55:57 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2010-06-10 20:54:59 26624 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2010-06-10 20:53:59 27904 -c--a-w- c:\windows\system32\dllcache\perm2.sys
2010-06-10 20:52:59 19968 -c--a-w- c:\windows\system32\dllcache\mxnic.sys
2010-06-10 20:51:59 48768 -c--a-w- c:\windows\system32\dllcache\maestro.sys
2010-06-10 20:50:57 90200 -c--a-w- c:\windows\system32\dllcache\io8ports.dll
2010-06-10 20:49:59 68608 -c--a-w- c:\windows\system32\dllcache\hpgt53tk.dll
2010-06-10 20:48:59 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2010-06-10 20:47:59 614429 -c--a-w- c:\windows\system32\dllcache\digiview.exe
2010-06-10 20:46:58 49182 -c--a-w- c:\windows\system32\dllcache\cem56n5.sys
2010-06-10 20:45:59 871388 -c--a-w- c:\windows\system32\dllcache\bcmdm.sys
2010-06-10 20:44:10 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-06-10 20:44:09 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2010-06-10 20:44:08 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2010-06-10 20:44:07 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2010-06-10 20:44:07 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2010-06-10 20:44:06 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2010-06-10 20:44:06 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2010-06-10 20:44:05 7424 -c--a-w- c:\windows\system32\dllcache\adicvls.sys
2010-06-10 20:44:04 61440 -c--a-w- c:\windows\system32\dllcache\acerscad.dll
2010-06-10 20:44:02 84480 -c--a-w- c:\windows\system32\dllcache\ac97via.sys
2010-06-10 20:44:02 297728 -c--a-w- c:\windows\system32\dllcache\ac97sis.sys
2010-06-10 20:44:01 96256 -c--a-w- c:\windows\system32\dllcache\ac97intc.sys
2010-06-10 20:43:59 23552 -c--a-w- c:\windows\system32\dllcache\abp480n5.sys
2010-06-10 20:43:59 231552 -c--a-w- c:\windows\system32\dllcache\ac97ali.sys
2010-06-10 20:43:58 98304 -c--a-w- c:\windows\system32\dllcache\a3d.dll
2010-06-10 20:43:58 462848 -c--a-w- c:\windows\system32\dllcache\a3dapi.dll
2010-06-10 20:43:57 38400 -c--a-w- c:\windows\system32\dllcache\8514a.dll
2010-06-10 20:43:56 48128 -c--a-w- c:\windows\system32\dllcache\61883.sys
2010-06-10 20:43:54 12288 -c--a-w- c:\windows\system32\dllcache\4mmdat.sys
2010-06-10 20:43:53 689216 -c--a-w- c:\windows\system32\dllcache\3dfxvs.dll
2010-06-10 20:43:53 148352 -c--a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2010-06-10 20:43:52 762780 -c--a-w- c:\windows\system32\dllcache\3cwmcru.sys
2010-06-10 20:43:52 11264 -c--a-w- c:\windows\system32\dllcache\1394vdbg.sys
2010-06-10 20:43:35 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-06-08 10:24:19 98816 ----a-w- c:\windows\sed.exe
2010-06-08 10:24:19 77312 ----a-w- c:\windows\MBR.exe
2010-06-08 10:24:19 256512 ----a-w- c:\windows\PEV.exe
2010-06-08 10:24:19 161792 ----a-w- c:\windows\SWREG.exe
2010-06-08 08:08:50 10196424 ----a-w- C:\windows-kb890830-v3.7.exe
2010-06-08 03:36:41 0 d-----w- c:\docume~1\ben\applic~1\Malwarebytes
2010-06-07 23:48:03 0 d-----w- c:\program files\Trend Micro
2010-06-07 13:56:59 70146 ----a-w- c:\docume~1\alluse~1\applic~1\ifCG0Vq5.exe
2010-06-07 12:44:13 112 ----a-w- c:\docume~1\alluse~1\applic~1\4xfodeh.dat
2010-06-06 22:09:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-06 19:52:19 0 d-----w- c:\program files\Canon
2010-06-06 19:43:33 0 d-----w- c:\docume~1\ben\applic~1\GetRightToGo
2010-06-06 19:34:00 215040 ----a-w- c:\windows\system32\CNMLM8T.DLL
2010-06-06 19:33:42 98304 ----a-w- c:\windows\system32\CNC220I.DLL
2010-06-06 19:33:42 200704 ----a-w- c:\windows\system32\CNC220L.DLL
2010-06-06 19:33:42 188416 ----a-w- c:\windows\system32\CNC220O.DLL
2010-06-06 19:33:42 1400832 ----a-w- c:\windows\system32\CNC220C.DLL
2010-06-06 19:28:32 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-06-06 19:28:32 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-06-04 08:34:44 0 d-----w- c:\docume~1\ben\applic~1\Earthsim
2010-06-03 07:49:04 89600 --sha-r- c:\windows\system32\msdatsrck.dll
2010-06-03 07:47:39 0 d-----w- c:\docume~1\ben\applic~1\3DC7A0B3E91D4CD7AD597FD97301C2BA

==================== Find3M ====================

2010-05-23 15:33:09 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-04-09 02:46:56 16608 ----a-w- c:\windows\gdrv.sys
2007-12-28 15:02:12 287232 ----a-w- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 14:59:30 342528 ----a-w- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 17:53:58 63488 ----a-w- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 17:52:44 32768 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 11:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 11:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 11:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 11:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 11:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2009-10-16 15:20:35 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 3:36:01.90 ===============



Report 2

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 15/10/2009 18:36:39
System Uptime: 22/06/2010 23:43:19 (4 hours ago)

Motherboard: Acer | | FC51PVG
Processor: AMD Sempron™ Processor 3500+ | Socket AM2 | 2009/201mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 149 GiB total, 82.977 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: SM Bus Controller
Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_0CE4105B&REV_A3\3&2411E6FE&0&51
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_10DE&DEV_0264&SUBSYS_0CE4105B&REV_A3\3&2411E6FE&0&51
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Other PCI Bridge Device
Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_0CE4105B&REV_A3\3&2411E6FE&0&A0
Manufacturer:
Name: Other PCI Bridge Device
PNP Device ID: PCI\VEN_10DE&DEV_0269&SUBSYS_0CE4105B&REV_A3\3&2411E6FE&0&A0
Service:

==== System Restore Points ===================

RP1: 21/06/2010 04:24:09 - System Checkpoint
RP2: 21/06/2010 04:24:09 - Software Distribution Service 3.0
RP3: 21/06/2010 04:24:08 - Software Distribution Service 3.0
RP4: 21/06/2010 04:24:08 - Software Distribution Service 3.0
RP5: 21/06/2010 04:24:08 - Software Distribution Service 3.0
RP6: 21/06/2010 04:24:08 - Software Distribution Service 3.0
RP7: 21/06/2010 04:24:07 - Software Distribution Service 3.0
RP8: 21/06/2010 04:24:07 - Software Distribution Service 3.0
RP9: 21/06/2010 04:24:07 - Software Distribution Service 3.0
RP10: 21/06/2010 04:24:06 - Software Distribution Service 3.0
RP11: 21/06/2010 04:23:58 - Software Distribution Service 3.0
RP12: 20/06/2010 10:26:47 - Software Distribution Service 3.0
RP13: 21/06/2010 12:51:46 - Software Distribution Service 3.0
RP14: 22/06/2010 12:52:15 - Software Distribution Service 3.0
RP15: 22/06/2010 23:11:43 - Installed DirectX
RP16: 22/06/2010 23:21:20 - Installed Windows XP WIC.
RP17: 22/06/2010 23:42:12 - Installed Windows XP KB954708.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Reader 9.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe XMP Panels CS4
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Assassin's Creed
Audacity 1.3.7
Audiosurf
avast! Free Antivirus
AviSynth 2.5
Bejeweled Twist
Bonjour
Call of Duty 4: Modern Warfare
Call of Duty: Modern Warfare 2
Canon MP Navigator EX 1.0
Canon MP220 series
Canon Utilities My Printer
CCleaner
City Life
Command and Conquer: Red Alert 3
Connect
Counter-Strike: Source
Counter-Strike: Source Beta
Crazy Machines
Crazy Machines 1.5 New from the Lab
D-Link VGA Webcam
D.I.P.R.I.P. Dev
Dance eJay 3 - Deinstallation
Darwinia
Diaper Dash
Diner Dash: Hometown Hero
DinerTown Tycoon
Fallout 2
Fallout 3
Fallout 3 - Game of the Year Edition
Fallout3
Family Feud
Firebird SQL Server - MAGIX Edition
FormatFactory 2.15
Fraps (remove only)
Geometry Wars: Retro Evolved
Google SketchUp Pro 7
Grand Theft Auto 2
Grand Theft Auto IV
Grand Theft Auto: San Andreas
Half-Life 2: Deathmatch
HiJackThis
Hospital Tycoon
Hotel Dash
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB976002-v5)
I-Fluid
iTunes
Java™ 6 Update 16
Junk Mail filter update
Just Cause 2
kuler
LAME v3.98.2 for Audacity
Left 4 Dead
Left 4 Dead 2
LimeWire 5.5.9
Locomotion
Magic DVD Ripper V5.4.2
MAGIX Goya burnR 1.3.1.3 (US)
MAGIX Music Maker 15 15.0.1.8 (US)
MAGIX Photo Manager 8 6.0.1.466 (US)
MAGIX Screenshare 4.3.6.1987 (US)
Major League Baseball 2K9
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Virtual PC 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Mufin MusicFinder Base 1.5.3.247 (UK)
NETGEAR WG111T 108Mbps Wireless USB2.0 Adapter
NETGEAR WG111v3 wireless USB 2.0 adapter
NoLimits Coasters Demo 1.6 (remove only)
NVIDIA Drivers
NVIDIA Photoshop Plug-ins
Opera 10.53
Parking Dash
Peggle Deluxe
Photoshop Camera Raw
Plants vs. Zombies
Portal
Prison Tycoon 3: Lockdown
QuickTime
Realtek High Definition Audio Driver
RollerCoaster Tycoon 2
Security Update for Windows XP (KB923789)
Segoe UI
Source SDK
Source SDK Base
Spore
Steam
Suite Shared Configuration CS4
Team Fortress 2 Beta
Techno eJay 3 - Deinstallation
Text-To-Speech-Runtime
The Maw
Thrillville: Off the Rails
TmNationsForever
TmUnitedForever Update 2010-03-15
TrackMania United
Unreal Tournament
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
ValveTestApp15110
ValveTestApp3290
ValveTestApp4010
ValveTestApp7750 Beta
Vegas: Make It Big
Virtual CRASH 2.2
Virtual Families
VLC media player 1.0.2
WebFldrs XP
WhiteCap
Windows 7 Upgrade Advisor
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Format 11 runtime
WinImage
WinRAR archiver
YouTube Downloader 2.5.4

==== Event Viewer Messages From Past Week ========

21/06/2010 06:14:14, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
21/06/2010 04:20:19, error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 2 time(s).
21/06/2010 04:18:29, error: Service Control Manager [7034] - The McAfee Firewall Core Service service terminated unexpectedly. It has done this 2 time(s).
21/06/2010 04:11:28, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the McAfee VirusScan Announcer service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
21/06/2010 04:10:31, error: Service Control Manager [7034] - The McAfee Validation Trust Protection Service service terminated unexpectedly. It has done this 1 time(s).
21/06/2010 04:10:31, error: Service Control Manager [7034] - The McAfee Firewall Core Service service terminated unexpectedly. It has done this 1 time(s).
21/06/2010 04:10:31, error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
21/06/2010 04:10:31, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
21/06/2010 04:10:31, error: Service Control Manager [7022] - The McAfee VirusScan Announcer service hung on starting.
21/06/2010 04:09:05, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McShield service to connect.
21/06/2010 04:09:05, error: Service Control Manager [7000] - The McShield service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
21/06/2010 04:09:05, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The pipe state is invalid.
21/06/2010 04:09:05, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The pipe state is invalid.
21/06/2010 04:09:05, error: Service Control Manager [7000] - The McAfee Personal Firewall Service service failed to start due to the following error: The pipe state is invalid.
21/06/2010 04:09:05, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The pipe state is invalid.
21/06/2010 04:09:05, error: Service Control Manager [7000] - The McAfee Anti-Spam Service service failed to start due to the following error: The pipe state is invalid.
21/06/2010 03:24:09, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
21/06/2010 03:20:40, error: Service Control Manager [7022] - The McAfee Personal Firewall Service service hung on starting.
21/06/2010 03:12:55, error: Service Control Manager [7034] - The MBAMService service terminated unexpectedly. It has done this 1 time(s).
21/06/2010 03:12:41, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
21/06/2010 03:10:26, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
21/06/2010 03:05:13, error: Service Control Manager [7023] - The McAfee Validation Trust Protection Service service terminated with the following error: The requested resource is in use.
21/06/2010 02:53:02, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
21/06/2010 01:53:00, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
21/06/2010 00:53:00, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
20/06/2010 23:53:00, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
20/06/2010 22:53:00, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
20/06/2010 21:53:00, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
20/06/2010 20:53:00, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
20/06/2010 16:53:00, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
20/06/2010 15:53:00, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
20/06/2010 14:53:00, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
20/06/2010 13:53:00, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
20/06/2010 12:53:00, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
20/06/2010 11:53:01, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
20/06/2010 10:53:00, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
19/06/2010 19:53:00, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
19/06/2010 18:53:00, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
19/06/2010 17:53:00, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
19/06/2010 15:43:49, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
19/06/2010 09:53:00, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
19/06/2010 08:53:00, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
19/06/2010 07:53:00, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
19/06/2010 06:53:00, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
19/06/2010 05:53:00, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
19/06/2010 05:30:56, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
16/06/2010 04:53:00, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
16/06/2010 04:22:02, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
16/06/2010 03:53:00, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402

==== End Of File ===========================


Thanks.

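The DDS report above carries the indicators the Malware Response Team acts on later in the thread: a driver entry (gebyox) whose image file no longer exists, a randomly named executable dropped into All Users\Application Data, a system+hidden DLL in system32, Winlogon's SFCDisable set to -99, and hourly At*.job scheduler failures. As an added example that is not part of the original post and not a BleepingComputer or DDS tool, the following Python script parses those parts of a DDS log and pulls the leads out. The regexes, the flagging rules and the HRESULT table are my assumptions about what is worth a second look; SAMPLE_LOG is constructed from lines quoted in the post. Note that a missing image is a lead, not a verdict: WPRO_40_1340 is WinPcap residue and is flagged too, while the helper in this thread removed only gebyox.

```python
"""Added triage helper for DDS-style logs (not a BleepingComputer or DDS tool).

Four checks mirror what the Malware Response Team looked at in this thread:
  * a Winlogon SFCDisable value of 0xffffff9d (-99), the setting that
    WFP-disabling tweaks write to switch Windows File Protection off;
  * services/drivers whose image file is missing on disk, which DDS prints
    as "<path> --> <path> [?]";
  * PE files created in All Users\\Application Data, or created in system32
    with the system+hidden attributes set;
  * Scheduler 7901 events, whose "%%<decimal>" suffix is an HRESULT.
SAMPLE_LOG is constructed from lines quoted in the post above.
"""
import re

SAMPLE_LOG = """\
mWinlogon: SFCDisable=-99 (0xffffff9d)
R2 MBAMService;MBAMService;c:\\program files\\malwarebytes' anti-malware\\mbamservice.exe [2010-6-15 304464]
S0 gebyox;gebyox;c:\\windows\\system32\\drivers\\efjjckxt.sys --> c:\\windows\\system32\\drivers\\efjjckxt.sys [?]
S3 WPRO_40_1340;WinPcap Packet Driver (WPRO_40_1340);c:\\windows\\system32\\drivers\\wpro_40_1340.sys --> c:\\windows\\system32\\drivers\\WPRO_40_1340.sys [?]
2010-06-07 13:56:59 70146 ----a-w- c:\\docume~1\\alluse~1\\applic~1\\ifCG0Vq5.exe
2010-06-06 19:34:00 215040 ----a-w- c:\\windows\\system32\\CNMLM8T.DLL
2010-06-03 07:49:04 89600 --sha-r- c:\\windows\\system32\\msdatsrck.dll
21/06/2010 02:53:02, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
"""

# DDS service line: "<R|S><start type> <name>;<display name>;<image path> ..."
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.*)$")
# DDS "Created Last 30" line: "<date> <time> <size> <8-char attribute field> <path>"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ ([-a-z]{8}) (.+)$")
# Event Viewer line for Task Scheduler event 7901
SCHED_RE = re.compile(r"Schedule \[7901\] - The (\S+\.job) command failed .*?%%(\d+)")

# Assumed lookup table; 0x80070002 is HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)
HRESULT_NAMES = {0x80070002: "ERROR_FILE_NOT_FOUND"}


def wfp_disabled(log):
    """True if Winlogon\\SFCDisable holds 0xffffff9d (printed by DDS as -99)."""
    m = re.search(r"SFCDisable=(-?\d+)", log)
    return m is not None and int(m.group(1)) & 0xFFFFFFFF == 0xFFFFFF9D


def missing_image_services(log):
    """Names of services/drivers whose binary DDS could not find ("[?]")."""
    names = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if m and m.group(2).endswith("[?]"):
            names.append(m.group(1))
    return names


def suspicious_created_files(log):
    """Recently created PE files in risky locations or with s+h attributes."""
    hits = []
    for line in log.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(1), m.group(2)
        low = path.lower()
        if not low.endswith((".exe", ".dll", ".sys")):
            continue
        # DDS writes All Users\Application Data in 8.3 form: alluse~1\applic~1
        dropped_in_alluser_appdata = "\\alluse~1\\applic~1\\" in low
        # attribute field is d c s h a r w -; system+hidden PE files in
        # system32 are rare for legitimate software
        hidden_system_in_system32 = ("s" in attrs and "h" in attrs
                                     and "\\windows\\system32\\" in low)
        if dropped_in_alluser_appdata or hidden_system_in_system32:
            hits.append(path)
    return hits


def decode_schedule_errors(log):
    """(job, hex HRESULT, name) for each Scheduler 7901 event in the log."""
    out = []
    for job, code in SCHED_RE.findall(log):
        hresult = int(code)  # the %%<decimal> suffix is an unsigned HRESULT
        out.append((job, f"0x{hresult:08X}", HRESULT_NAMES.get(hresult, "unknown")))
    return out


def triage(log):
    """Run all checks and return the leads in one dictionary."""
    return {
        "wfp_disabled": wfp_disabled(log),
        "missing_image_services": missing_image_services(log),
        "suspicious_files": suspicious_created_files(log),
        "schedule_errors": decode_schedule_errors(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the log in the post, the script flags gebyox and WPRO_40_1340 as services with no binary, ifCG0Vq5.exe and msdatsrck.dll as files to look at, and decodes the At3.job failure to 0x80070002 (file not found), which is the pattern of a scheduled task whose payload has already been removed.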

#5 shelf life
  • Malware Response Team
  • 2,657 posts

Posted 28 June 2010 - 06:19 PM

OK. We will get a download to use. It's called ComboFix. There is a short guide to read first. Read the guide and apply the directions on your own machine. Post the ComboFix log:

Guide to using Combofix


#6 BenGough1992
  • Topic Starter
  • Members
  • 18 posts

Posted 29 June 2010 - 07:12 PM

Here is the log, it did delete some things. Don't know if the problem is gone though. The shortcuts still don't work.

Attached Files



#7 shelf life
  • Malware Response Team
  • 2,657 posts

Posted 29 June 2010 - 08:51 PM

OK, good. Please check Malwarebytes for any updates, do a scan with it and post the log. Cruise around and see if the redirection is gone.

click the MBAM icon on your desktop. Once the program has loaded, click the Update tab, then check for updates. Select Scanner tab, Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items. If prompted please chose yes to restart your computer.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
Once you are malware free we can try to fix the short cut problem.


#8 BenGough1992

  • Topic Starter
  • Members
  • 18 posts

Posted 01 July 2010 - 08:24 AM

Here is the log; it didn't find anything. But for one of the other users on my computer MBAM keeps blocking malicious websites/IP addresses. Don't know what that is.

Attached Files



#9 shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost

Posted 01 July 2010 - 08:38 PM

Let me get a better look at the combofix log you posted.

QUOTE
MBAM keeps blocking malicious websites/IP addresses

You sure that's MBAM? The activity you describe is a firewall.
It won't hurt to run TDSSKiller either:

Please download TDSSKiller.zip and save it to your desktop.
Extract the zip file to your desktop. Double click to start, then follow the prompts.

It will generate a .txt file in your root drive C: with the results, please post the log.

How Can I Reduce My Risk to Malware?


#10 BenGough1992

  • Topic Starter
  • Members
  • 18 posts

Posted 02 July 2010 - 10:06 AM

Not sure whether that TDSSKiller did anything, but anyhow the log is attached.

Attached Files



#11 shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost

Posted 02 July 2010 - 05:39 PM

Hi,

The TDSSKiller log is OK; it didn't remove anything. We will use ComboFix to remove a file.

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

CODE
File::
c:\windows\system32\drivers\efjjckxt.sys

Driver::
gebyox


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log.

How Can I Reduce My Risk to Malware?
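An added example, not something posted in this thread: before a driver file and its service entry are deleted, as the CFScript above instructs ComboFix to do, a responder would normally record what is actually on disk and in the registry so the removal can be justified and later verified. The PowerShell below (written for a current Windows machine with PowerShell 4 or later, since it uses Get-FileHash, rather than the Windows XP system in this thread) reads the service's key under HKLM\SYSTEM\CurrentControlSet\Services and the driver file's size, timestamp, SHA-256 hash and Authenticode signature status. The two default names are the ones from the script above; on another machine substitute the entries under investigation. An unsigned driver with a random-looking filename registered under an equally random service name is the pattern that deserves a second look, and a still-present key or file after the fix is the sign that the removal did not take.

```powershell
# Added example (not from the thread): document a kernel driver service
# and its image file before/after removal. Defaults are the two names
# named in the CFScript above; they are inputs, not indicators in general.
param(
    [string]$ServiceName = 'gebyox',
    [string]$DriverPath  = 'C:\Windows\System32\drivers\efjjckxt.sys'
)

# Every Windows service and kernel driver has a key here. ImagePath is
# the file the kernel loads; Start 0/1 means it loads at boot or system
# start, which is where rootkit-style drivers usually sit.
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $key) {
    $svc = Get-ItemProperty -Path $key
    "Service key   : $key"
    "ImagePath     : $($svc.ImagePath)"
    "Start         : $($svc.Start)   (0=boot 1=system 2=auto 3=manual 4=disabled)"
    "Type          : $($svc.Type)    (1=kernel driver 2=file system driver)"
} else {
    "Service key   : $key not present"
}

# Record the file itself. -Force shows hidden/system files, which is how
# dropped drivers are commonly attributed. Record the hash so the same
# file can be recognised elsewhere, and the signature status because a
# legitimate driver on a 64-bit system is expected to be signed.
if (Test-Path $DriverPath) {
    $file = Get-Item -Path $DriverPath -Force
    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    "File          : $DriverPath"
    "Size / mtime  : $($file.Length) bytes, $($file.LastWriteTime)"
    "SHA256        : $((Get-FileHash -Path $DriverPath -Algorithm SHA256).Hash)"
    "Signature     : $($sig.Status) $($sig.SignerCertificate.Subject)"
} else {
    "File          : $DriverPath not present"
}
```

Run it once before applying the CFScript and once after: the first run is the evidence of what was removed, and the second should report both the key and the file as not present. Reading the Services hive and hashing a file in System32\drivers does not need elevation, but the post-removal run should follow the reboot ComboFix asks for, because a driver service that is still loaded keeps its key until then.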


#12 BenGough1992

  • Topic Starter
  • Members
  • 18 posts

Posted 02 July 2010 - 07:55 PM

I think it's done its job. It said it has used the command thing in the log, so that worked :P

Attached Files



#13 shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost

Posted 03 July 2010 - 03:18 PM

So how's it looking on your end now?

How Can I Reduce My Risk to Malware?


#14 BenGough1992

  • Topic Starter
  • Members
  • 18 posts

Posted 03 July 2010 - 05:53 PM

Well, things seem OK; I can now access MS Update. Many security updates showed up, so I installed them. Now we might be able to fix the shortcuts :)

I have noticed that one update won't install, and when I turn off the computer to apply the updates it doesn't work (it says it does, though).
The update that won't leave the updates list is "Security Update for Windows XP (KB956744)".

Edited by BenGough1992, 03 July 2010 - 06:21 PM.


#15 shelf life

  • Malware Response Team
  • 2,657 posts
  • Gender:Male
  • Location:@localhost

Posted 04 July 2010 - 08:50 AM

For the failed update: go back to Windows Update and, on the left under Options, look at "Review your update history".
Look through your history and click on the red X (Failed) under Status.
Write down and post the 'error code' number.
It could be a generic code and may be useless.

If you right-click on a shortcut, select Properties and then click 'Find Target', does it open the right program the shortcut should be using?
For a shortcut that doesn't work: delete it from the desktop, then try creating a new one by going to Start > Programs, finding the program the shortcut pointed to, right-clicking it, dragging it to the desktop and selecting Copy Here.

How Can I Reduce My Risk to Malware?

