
Anti-malware Doc(tor) and Defence Center infections


  • This topic is locked
5 replies to this topic

#1 Sretsam


Posted 11 July 2010 - 06:07 AM

Hi folks. Helping a friend out with their computer, and having some trouble. Since I've been using Linux for the last few years, I'm not entirely up to date on the best malware removers.
These programs keep popping up wanting her to subscribe to get protection. Obvious fakes, but I've run deep scans with Ad-Aware, AVG, and Malwarebytes, and every time something seems to remain, and everything comes back on a restart. Also, getting repeated popups asking to debug a script, and whenever I go into the debugger it's doing something in mouse events, but having no object when one is expected.
Any help greatly appreciated, and DDS.txt below. Thank you in advance.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Silky at 0:56:47.35 on Sun 07/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1296 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Rosewill\Common\RegistryWriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Nero\Nero8\InCD\InCD.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\dllhost.exe
C:\Users\Silky\Local Settings\Application Data\LClock\lclock.exe
C:\WINDOWS\system32\visualtasktips.exe
C:\WINDOWS\system32\ultdrvmon.exe
C:\Program Files\Rosewill\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\TEMP\cd119ac4.tmp
C:\Program Files\Firefox\firefox.exe
C:\Users\Silky\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: UIHost=%SystemRoot%\System32\ultlogonui.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: QT TabBar: {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll
TB: QT Tab Standard Buttons: {d2bf470e-ed1c-487f-a666-2bd8835eb6ce} - mscoree.dll
TB: QT Breadcrumbs Address Bar: {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [070700Setup.exe] c:\users\silky\application data\d51e7cc1bc1666a9b5c2338be44eff5d\070700Setup.exe
uRun: [Defense Center] "c:\program files\defense center\defcnt.exe" -noscan
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [UltimateServices] c:\windows\system32\ultsvcs.exe /startup
mRun: [InCD] c:\program files\nero\nero8\incd\InCD.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\newerversion.exe" /runcleanupscript
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\users\alluse~1\startm~1\programs\startup\rosewi~1.lnk - c:\program files\rosewill\common\RaUI.exe
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\silky\applic~1\mozilla\firefox\profiles\altmiiaw.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-10 64288]
R0 ViBus;ViBus;c:\windows\system32\drivers\ViBus.sys [2009-11-8 16896]
R0 ViPrt;VIA SATA IDE Device Driver;c:\windows\system32\drivers\ViPrt.sys [2009-11-8 52224]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-12-16 21144]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-8 108552]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2009-11-8 13696]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-11-8 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-11-8 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1228208]
R2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\rosewill\common\RegistryWriter.exe [2010-7-7 185632]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-7-7 719616]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 RAPIProtocol;Ralink RAPI Protocol Driver;c:\windows\system32\drivers\RAPIProtocol.sys [2010-7-7 16512]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-1-6 594048]
S4 khnjj;khnjj;c:\windows\system32\drivers\ldnau.sys [2010-7-9 54016]
S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-6-10 53032]

=============== Created Last 30 ================

2010-07-11 03:16:11 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-10 20:36:38 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-10 19:28:03 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-10 19:27:11 0 d-----w- c:\program files\Lavasoft
2010-07-10 04:41:39 54016 ----a-w- c:\windows\system32\drivers\ldnau.sys
2010-07-10 01:23:26 2590 ----a-w- c:\windows\lsrslt.ini
2010-07-10 01:16:09 0 d-----w- c:\program files\CCleaner
2010-07-10 01:15:47 0 dc-h--w- c:\users\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-07-09 01:50:42 0 d-----w- c:\program files\Defense Center
2010-07-09 01:45:47 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-09 00:46:29 2716 ----a-w- c:\windows\uxenomozolo.dll
2010-07-09 00:44:30 766464 ----a-w- c:\windows\system32\drivers\qxsztfn.sys
2010-07-09 00:44:03 0 d-----w- c:\users\silky\applic~1\D51E7CC1BC1666A9B5C2338BE44EFF5D
2010-07-08 01:26:51 315510 ----a-w- c:\windows\system32\RAPI.dll
2010-07-08 01:26:51 200704 ----a-w- c:\windows\system32\ssleay32.dll
2010-07-08 01:26:51 16512 ----a-w- c:\windows\system32\drivers\RAPIProtocol.sys
2010-07-08 01:26:51 1093632 ----a-w- c:\windows\system32\libeay32.dll
2010-07-08 01:26:47 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-07-08 01:26:45 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2010-07-08 01:26:32 719616 ----a-w- c:\windows\system32\drivers\rt2870.sys
2010-07-08 01:26:32 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2010-07-08 01:26:30 13931 ----a-w- c:\windows\system32\RaCoInst.dat
2010-07-08 01:26:30 0 d-----w- c:\users\alluse~1\applic~1\Rosewill Driver
2010-07-08 01:26:30 0 d-----w- c:\program files\Rosewill
2010-07-08 00:59:33 0 d-----w- c:\program files\Cisco Systems
2010-07-08 00:57:32 0 d-----w- c:\users\alluse~1\applic~1\Cisco Systems
2010-07-02 19:26:07 0 d-----w- c:\users\silky\applic~1\NeroDigital™
2010-06-30 04:09:35 0 d-----w- c:\program files\VideoLAN
2010-06-27 06:13:24 0 d-----w- c:\users\alluse~1\applic~1\Blizzard Entertainment
2010-06-23 04:14:06 0 d-----w- c:\program files\Belkin
2010-06-23 04:13:40 0 d-----w- c:\windows\{3BDEAF49-D872-415F-919C-A2CCC962D8AE}
2010-06-14 19:09:46 1627741 ----a-w- C:\IMG.jpg

==================== Find3M ====================

2010-05-31 01:36:58 4376096 ----a-w- c:\program files\BullzipPDFPrinter_7_1_0_1195.exe
2010-05-31 01:36:28 135168 ----a-w- c:\windows\system32\bzpdfc.dll
2010-05-25 05:13:30 196096 ----a-w- c:\windows\system32\bzpdf.dll
2010-05-13 00:41:16 87608 ----a-w- c:\users\silky\applic~1\inst.exe
2010-05-13 00:41:16 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-05-13 00:41:16 47360 ----a-w- c:\users\silky\applic~1\pcouffin.sys
2010-05-13 00:40:18 13864888 ----a-w- C:\DVDFab7040_avangate-2158.exe
2009-11-21 04:00:13 10277728 ----a-w- c:\program files\winamp556_full_emusic-7plus_en-us.exe
2009-11-12 05:32:51 10420936 ----a-w- c:\program files\xlviewer.exe
2009-11-10 07:25:33 14436216 ----a-w- c:\program files\pidgin-2.6.3.exe
2009-11-09 02:23:02 289584 ----a-w- c:\program files\utorrent.exe
2008-01-22 03:51:13 121 ---ha-w- c:\program files\desktop.ini
2009-11-08 22:44:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009110820091109\index.dat

============= FINISH: 0:58:12.92 ===============
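As an added example, not part of the original thread, here is a small Python triage pass over the autostart (uRun/mRun) and service/driver lines of the DDS log above. The flagging rules are heuristics chosen here, and the rogue-name list is constructed from the product named in the thread; the sample lines are copied from the posted log.

```python
import re

# Lines copied from the DDS log posted in the thread, used here as the sample input.
DDS_SAMPLE = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [070700Setup.exe] c:\users\silky\application data\d51e7cc1bc1666a9b5c2338be44eff5d\070700Setup.exe
uRun: [Defense Center] "c:\program files\defense center\defcnt.exe" -noscan
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
S4 khnjj;khnjj;c:\windows\system32\drivers\ldnau.sys [2010-7-9 54016]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-8 108552]
"""

RUN_RE = re.compile(r"^([umd]Run(?:Once)?): \[(.+?)\] (.+)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: \[[^\]]*\])?$")
HEX_DIR_RE = re.compile(r"\\[0-9a-f]{32}\\", re.I)
ROGUE_NAMES = {"defense center"}  # constructed from the thread, not a real feed

def flag_run(name, command):
    """Heuristic reasons an autostart (uRun/mRun/dRun) entry deserves review."""
    reasons, low = [], command.lower()
    if HEX_DIR_RE.search(low):
        reasons.append("runs from a 32-hex-character directory (typical dropper layout)")
    if "\\application data\\" in low or "\\appdata\\" in low:
        reasons.append("autostart launched from a user-writable profile path")
    if name.lower() in ROGUE_NAMES:
        reasons.append("entry name matches a rogue antivirus product")
    return reasons

def flag_service(state, name, display, path):
    """Heuristic reasons a service/driver line deserves review."""
    reasons = []
    stem = path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if name == display and stem != name.lower():
        reasons.append("no descriptive display name and file name differs from service name")
    if len(name) >= 5 and name.isalpha() and not re.search(r"[aeiou]", name, re.I):
        reasons.append("vowel-less, random-looking service name")
    return reasons

def triage(text):
    """Return {entry label: [reasons]} for each suspicious line of a DDS excerpt."""
    findings = {}
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            reasons = flag_run(m.group(2), m.group(3))
        else:
            m = SVC_RE.match(line)
            reasons = flag_service(*m.groups()) if m else []
        if reasons:
            findings[m.group(2)] = reasons
    return findings
```

Run `triage` over the full Pseudo HJT and SERVICES / DRIVERS sections to get a short review list; anything flagged still needs a human decision, since the rules are only heuristics.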


#2 m0le

Malware Response Team

Posted 14 July 2010 - 06:58 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 Sretsam


Posted 15 July 2010 - 01:27 AM

Hello there. I'm here, and I'm subscribed; however, due to the lack of response, I have done some more work on this, and the state of the computer may have changed. I will not have access to it until Friday.
After various deep scans, and installing F-scan, things seem significantly better, and the problem may have been resolved. If you'd like you can close this temporarily, and if the problem persists, I can do new scans and post a new topic, or ask you to re-open this one with new scans.
Thank you again for attempting to help, and sorry for the impatience on my part.

#4 m0le


Posted 15 July 2010 - 04:47 PM

I will hold this for five days. Let me know what you want to do; I would need new DDS and Gmer logs if you want to continue with the topic.

#5 Sretsam


Posted 19 July 2010 - 02:39 AM

Computer is having no issues at this point. Feel free to lock or remove topic. Thank you again for the help.

#6 m0le


Posted 19 July 2010 - 01:59 PM

Thanks for letting me know, I am closing this topic.

-------------------------------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.