
Trojan.FakeAlert & Other Issues


  • This topic is locked
4 replies to this topic

#1 MelissaPleases

  • Members
  • 537 posts
  • Gender:Female
  • Location:Now in the Heartland of the USA

Posted 26 December 2010 - 11:14 AM

As advised in THIS thread, here are the results of the instructions I was given for malware removal help. (The issue that led me to investigate for the presence of any malware is described in the first post of that thread):

1.) Ran MBAM scan again. I had the same results.
2.) Used MBAM to remove the threats that it had found. Here is the log of that process:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5391

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/26/2010 10:12:55 AM
mbam-log-2010-12-26 (10-12-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 297598
Time elapsed: 1 hour(s), 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} (Adware.WidgiToolbar) -> Value: {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} (Adware.WidgiToolbar) -> Value: {01398B87-61AF-4FFB-9AB5-1A1C5FB39A9C} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\COMMON FILES\SPIGOT\WTXPCOM\COMPONENTS\WIDGITOOLBARFF.DLL (Adware.WidgiToolbar) -> Value: WIDGITOOLBARFF.DLL -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\dealio toolbar\IE\4.1\dealiotoolbarie.dll (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
c:\program files\common files\Spigot\wtxpcom\components\widgitoolbarff.dll (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
c:\program files\dealio toolbar\widgihelper.exe (Adware.WidgiToolbar) -> Quarantined and deleted successfully.
c:\Windows\System32\secushr.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.



3.) Turned off CD emulators with DeFogger.
4.) Ran DDS. Here are the results of that scan:


DDS.txt:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Wolfy at 10:21:09.91 on Sun 12/26/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2430.1402 [GMT -5:00]

AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Roxio\BackOnTrack\App\SaibSVC.exe
C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
C:\Program Files\Application Updater\ApplicationUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Roxio\BackOnTrack\App\BService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
c:\program files\acesoft\tracks eraser pro\te.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
C:\Program Files\Roxio 2011\5.0\CPMonitor.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Opera\opera.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Users\Wolfy\Downloads\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;localhost
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\users\wolfy\appdata\roaming\flashgetbho\FlashGetBHO3.dll
BHO: : {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: N/A: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
uRun: [POP Peeper] "c:\program files\pop peeper\POPPeeper.exe" -min
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [googletalk] c:\users\wolfy\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [CPMonitor] "c:\program files\roxio 2011\5.0\CPMonitor.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [Ad Muncher] "c:\program files\ad muncher\AdMunch.exe" /bt
StartupFolder: c:\users\wolfy\appdata\roaming\micros~1\windows\startm~1\programs\startup\autoru~1\trillian.lnk - c:\program files\trillian\trillian.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\snsicon.lnk - c:\program files\second nature\Snsicon.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=38822848&id=menu_ie_frame
IE: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=38822848&id=menu_ie_image
IE: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=38822848&id=menu_ie_link
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=38822848&id=menu_ie_exclude
IE: Download All By FlashGet3 - c:\users\wolfy\appdata\roaming\flashgetbho\GetAllUrl.htm
IE: Download By FlashGet3 - c:\users\wolfy\appdata\roaming\flashgetbho\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=2.0&pass=38822848&id=menu_ie_report
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Trusted Zone: kuaiche.com\software
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Hosts: 0.0.0.0 localhost

================= FIREFOX ===================

FF - ProfilePath - c:\users\wolfy\appdata\roaming\mozilla\firefox\profiles\643exfqd.default\
FF - prefs.js: browser.startup.homepage - c:\\program files\\launchpad\\index.html
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=616163&p=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Ad Muncher Browser Extensions: {3ED591BC-7CC7-495B-A526-B2431356EDC1} - c:\program files\ad muncher\FirefoxExtension_2.0

============= SERVICES / DRIVERS ===============

R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2010-11-8 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2010-11-8 15856]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-12-19 165584]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2010-11-8 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\app\SaibSVC.exe [2009-6-2 457200]
R2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files\adobe\elements 9 organizer\PhotoshopElementsFileAgent.exe [2010-9-6 169408]
R2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2010-10-22 386560]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-12-19 17744]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-12-19 50768]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-19 40384]
R2 BOT4Service;BOT4Service;c:\program files\roxio\backontrack\app\BService.exe [2010-7-14 32240]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2009-8-5 284016]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-19 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-12-19 40384]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2010-12-5 8192]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\13.0\sharedcom\RoxWatch13.exe [2010-7-16 354288]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-11-6 79360]
S3 RoxMediaDB13;RoxMediaDB13;c:\program files\common files\roxio shared\13.0\sharedcom\RoxMediaDB13.exe [2010-7-16 1099248]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-10 1343400]

=============== Created Last 30 ================

2010-12-25 02:28:27 -------- d-----w- c:\program files\Ad Muncher
2010-12-25 02:28:27 -------- d-----w- c:\progra~2\Ad Muncher
2010-12-25 01:35:24 -------- d-----w- c:\users\wolfy\appdata\roaming\Malwarebytes
2010-12-25 01:35:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-25 01:35:12 -------- d-----w- c:\progra~2\Malwarebytes
2010-12-25 01:35:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-25 01:35:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-22 16:54:06 -------- d-----w- c:\program files\TFC
2010-12-21 04:07:05 -------- d-----w- c:\users\wolfy\appdata\local\Opera
2010-12-21 03:40:45 -------- d-----w- c:\windows\system32\appmgmt
2010-12-20 19:15:18 -------- d-----w- c:\program files\Coupons
2010-12-19 11:38:50 50768 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-12-19 11:38:36 38848 ----a-w- c:\windows\avastSS.scr
2010-12-19 11:38:33 -------- d-----w- c:\progra~2\Alwil Software
2010-12-18 14:34:23 -------- d-----w- c:\windows\pss
2010-12-16 14:59:36 33104 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2010-12-16 14:59:35 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-12-15 12:25:21 516096 ----a-w- c:\program files\windows mail\wab.exe
2010-12-15 12:21:31 571904 ----a-w- c:\windows\system32\oleaut32.dll
2010-12-15 12:21:30 7680 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-12-15 12:21:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-15 12:20:03 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-12-07 05:27:10 -------- d-----w- c:\users\wolfy\appdata\local\{90AD5F89-B95E-4D06-8132-4851EA5F653D}
2010-12-07 05:26:54 -------- d-----w- c:\users\wolfy\Tracing
2010-12-07 05:18:16 -------- d-----w- c:\users\wolfy\appdata\roaming\Trillian
2010-12-07 04:59:29 3181568 ----a-w- c:\windows\system32\mf.dll
2010-12-07 04:59:29 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-12-07 04:59:28 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-12-07 04:58:08 -------- d-----w- c:\users\wolfy\appdata\local\Windows Live
2010-12-07 04:58:06 -------- d-----w- c:\program files\common files\Windows Live
2010-12-05 23:23:27 8192 ----a-w- c:\windows\system32\srvany.exe
2010-12-03 17:57:04 -------- d-----w- c:\program files\Conduit
2010-12-03 17:56:59 -------- d-----w- c:\program files\ConduitEngine
2010-12-03 17:56:54 -------- d-----w- c:\program files\BitTorrentBar
2010-11-28 19:13:43 -------- d-----w- C:\SWSetup
2010-11-28 18:50:55 -------- d-----w- C:\HP
2010-11-28 18:50:41 -------- d-----w- c:\users\wolfy\appdata\roaming\WinBatch
2010-11-28 14:14:21 -------- d-----w- c:\users\wolfy\appdata\roaming\FLEXnet
2010-11-28 14:14:20 -------- d-----w- c:\users\wolfy\appdata\roaming\Nuance
2010-11-28 13:57:23 -------- d-----w- c:\program files\Nuance
2010-11-28 13:57:23 -------- d-----w- c:\progra~2\Nuance
2010-11-28 13:49:59 833342 ----a-w- c:\windows\system32\regw2.exe

==================== Find3M ====================

2010-11-14 17:28:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-10 15:58:00 81920 ------r- c:\windows\bwUnin-6.1.4.68-8876480L.exe
2010-11-10 14:39:28 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-11-10 14:39:28 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-11-10 07:54:18 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-11-07 17:07:30 707682 ----a-w- c:\windows\system32\unins000.exe
2010-11-07 17:04:54 122763 ----a-w- c:\windows\File Renamer - Basic Uninstaller.exe
2010-11-06 16:00:15 0 ----a-w- c:\windows\ativpsrm.bin
2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-11-02 04:41:12 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-02 04:40:36 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-02 04:39:32 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-02 04:34:44 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-10-20 04:54:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-20 02:58:41 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-10-19 15:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-16 04:41:02 101760 ----a-w- c:\windows\system32\consent.exe
2010-10-16 04:36:10 314368 ----a-w- c:\windows\system32\webio.dll
2010-10-15 15:13:20 55576 ----a-w- c:\windows\system32\pxc40pm.dll

============= FINISH: 10:23:10.31 ===============


Attach.txt:

DDS (Ver_10-12-12.02)

Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/6/2010 12:07:13 AM
System Uptime: 12/26/2010 10:16:59 AM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2A-VM
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4000+ | Socket AM2 | 2100/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 231 GiB total, 185.722 GiB free.
D: is FIXED (NTFS) - 186 GiB total, 93.114 GiB free.
E: is FIXED (NTFS) - 76 GiB total, 67.238 GiB free.
F: is CDROM ()
G: is Removable
H: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:

Class GUID:
Description: Ethernet Controller
Device ID: PCI\VEN_1011&DEV_0019&SUBSYS_00012646&REV_41\4&35E69562&0&28A4
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_1011&DEV_0019&SUBSYS_00012646&REV_41\4&35E69562&0&28A4
Service:

Class GUID:
Description:
Device ID: ACPI\AWY0001\2&DABA3FF&1
Manufacturer:
Name:
PNP Device ID: ACPI\AWY0001\2&DABA3FF&1
Service:

Class GUID:
Description:
Device ID: ROOT\LEGACY_PGFILTER\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_PGFILTER\0000
Service:

==== System Restore Points ===================

RP112: 12/25/2010 7:43:50 AM - Uninstalled with Total Uninstall "Mozilla Firefox (3.6.13)"

==== Installed Programs ======================

Ad Muncher v4.9 Build 32300
Adobe AIR
Adobe Community Help
Adobe Creative Suite 5 Master Collection
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Photoshop CS5
Adobe Photoshop.com Inspiration Browser
Adobe Premiere Elements 9
Adobe Reader 9.4.1
aiofw
aioprnt
aioscnnr
Alien Skin Snap Art
Amazon Kindle For PC v1.1
Ask Toolbar
avast! Free Antivirus
Belarc Advisor 8.1
BenVista PhotoZoom Pro 2.2.6
BitTorrent
BitTorrentBar Toolbar
Bloxxi version 1.01
Bonjour
Bryce 7.0
Bryce 7.0 Content
Bryce Lightning 7.0
calibre
CCleaner
center
Conduit Engine
Coupon Printer for Windows
Creative Audio Control Panel
Creative Software AutoUpdate
Creative Sound Blaster Properties
D3DX10
Dealio Toolbar v4.1
Directory Lister v0.9.1
DVD Shrink 3.2
DX-Ball 1.09
EASEUS Data Recovery Wizard Free Edition 5.0.1
EasyBCD 2.0
Elements 9 Organizer
Elements STI Installer
Eusing Free Registry Cleaner
ffdshow
File Renamer - Basic
FileZilla Client 3.3.5.1
FlashGet 3.3
GOM Player
Google Talk (remove only)
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 22
KODAK AiO Home Center
ksDIP
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Malwarebytes' Anti-Malware
Media Player Classic - Home Cinema v1.4.2499.0
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Mozilla Firefox (3.6.13)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Premium
neroxml
Notepad++
Opera 11.00
PDF-Viewer
PDF-XChange Lite 4
PDF Settings CS5
POP Peeper
Poser Pro 2010 Content
PowerISO
PreReq
Real Alternative 2.0.2
Roxio BackOnTrack
Roxio BackOnTrackPE
Roxio Burn - Secure
Roxio CinePlayer
Roxio CinePlayer Decoder Pack
Roxio Creator 2011 Pro
Roxio PhotoShow
Roxio Video Capture USB
Second Nature - Spring 2010
Security Update for CAPICOM (KB931906)
SmartSound Common Data
SmartSound Quicktracks 5
SmartSound Quicktracks for Premiere Elements 9.0
TagScanner 5.1 build 592
Total Uninstall 5.2.0
Tracks Eraser Pro v8.3 build 1000
TreeSize Free V2.5
Trillian
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking
VLC media player 1.1.5
Winamp
Winamp Detector Plug-in
Windows 7 Codec Pack 2.6.1
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
WinRAR archiver
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

12/26/2010 10:18:38 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
12/26/2010 10:18:38 AM, Error: Service Control Manager [7023] - The Windows Search service terminated with the following error: The process cannot access the file because it is being used by another process.
12/26/2010 10:18:02 AM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
12/26/2010 10:18:02 AM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-2147218173.
12/26/2010 10:17:52 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Roxio Hard Drive Watcher 12 service to connect.
12/25/2010 12:26:05 AM, Error: volsnap [35] - The shadow copies of volume D: were aborted because the shadow copy storage failed to grow.
12/22/2010 12:45:54 PM, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The RPC server is unavailable. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
12/22/2010 12:45:53 PM, Error: Service Control Manager [7038] - The WerSvc service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The remote procedure call failed. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
12/22/2010 12:45:36 PM, Error: Service Control Manager [7034] - The Creative Audio Service service terminated unexpectedly. It has done this 1 time(s).
12/22/2010 11:55:33 AM, Error: Service Control Manager [7023] - The Windows Live ID Sign-in Assistant service terminated with the following error: %%-2147024891
12/22/2010 11:55:23 AM, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
12/22/2010 1:08:10 AM, Error: volsnap [35] - The shadow copies of volume C: were aborted because the shadow copy storage failed to grow.
12/20/2010 8:57:33 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
12/20/2010 11:04:00 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.
12/20/2010 11:03:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
12/20/2010 11:03:27 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/20/2010 11:03:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/20/2010 11:03:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
12/19/2010 5:53:08 AM, Error: Service Control Manager [7024] - The Freenet background service service terminated with service-specific error Incorrect function..
12/19/2010 5:52:33 AM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
12/19/2010 5:46:39 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avgfws service.

==== End Of File ===========================


5.) Ran GMER scan. I've not posted the results of that scan, as I was not instructed to do so at this point. I am attaching it to this post, in case it's needed.

I shall be waiting patiently for further instructions. :)

Attached Files

  • Attached File  ark.txt   20.74KB   0 downloads

Edited by MelissaPleases, 26 December 2010 - 11:17 AM.

Snowden03.png

~   Notorious Thread Killer   ~
Case: CoolerMaster Storm Trooper Full ATX | Motherboard: GIGABYTE GA-Z170X | CPU: Intel Core i7-6700K 8M Skylake Quad-Core | GPU: MSI Radeon R9 390X 8GB 512-Bit | PSU: EVGA 80 PLUS GOLD 850 W | RAM: Corsair Vengeance DDR4 SDRAM [4x8GB] Audio: Integrated Creative Sound Core 3D 5.1 | Internal Storage: Samsung 2 TB HDD | Seagate 1 TB HDD | Samsung 500GB SSD [x2] | Mushkin 500GB SSD | External Storage: Seagate 2TB | Optical Drive: Lite-On iHAS324 Dual Layer

Display 1: AOC I2757Fh 27" | Display 2 & 3: LG 24MP57HQ-P 24" | Operating Systems: OS 1: Windows 10 Professional | OS 2: Linux Mint Cinnamon | OS 3: Windows 7 Ultimate x-64 | Antivirus: MS Security Essentials | Firewall: Windows Firewall
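The DDS event-log excerpt at the top of this post is the kind of material a responder triages by hand: which services are failing, and whether a Service Control Manager error and a DCOM error are really about the same service. The script below is an added example (not part of the original post, and not DDS's own code) that parses lines in the "date time, Level: Source [ID] - message" form DDS prints, pulls the service name out of each message, and groups the event IDs per service. The five sample lines are copied from the log above into a constructed string so it runs offline; the message templates are assumptions derived only from the event IDs that appear there (7000, 7011, 7024, 7043, 10005), and the single alias folds the DCOM short name WSearch onto the SCM display name Windows Search.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the five event-log lines DDS printed in the post above,
# in the "date time, Level: Source [ID] - message" form DDS uses.
SAMPLE_DDS_EVENTS = """\
12/20/2010 11:03:27 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/20/2010 11:03:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
12/19/2010 5:53:08 AM, Error: Service Control Manager [7024] - The Freenet background service service terminated with service-specific error Incorrect function..
12/19/2010 5:52:33 AM, Error: Service Control Manager [7043] - The Group Policy Client service did not shut down properly after receiving a preshutdown control.
12/19/2010 5:46:39 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avgfws service.
"""

# One DDS event line: timestamp, level, source, numeric event ID, free text.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Where the service name sits inside each message template. Assumption: these
# patterns are derived only from the event IDs present in the sample; extend
# the table before relying on it for other IDs.
SERVICE_RE = {
    7000: re.compile(r"^The (?P<svc>.+?) service failed to start"),
    7011: re.compile(r"from the (?P<svc>\S+) service\.?$"),
    7024: re.compile(r"^The (?P<svc>.+?) service terminated"),
    7043: re.compile(r"^The (?P<svc>.+?) service did not shut down"),
    10005: re.compile(r"attempting to start the service (?P<svc>\S+) "),
}

# SCM logs the display name, DCOM logs the short service name; fold the one
# pair present in the sample so both kinds of error land on the same service.
DISPLAY_NAME = {"WSearch": "Windows Search"}


def extract_service(event_id, message):
    """Return the service a message is about, or None if the template is unknown."""
    pattern = SERVICE_RE.get(event_id)
    if pattern is None:
        return None
    m = pattern.search(message)
    if m is None:
        return None
    return DISPLAY_NAME.get(m.group("svc"), m.group("svc"))


def parse_dds_events(text):
    """Parse DDS event-log lines into dicts; lines not in the expected form are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["event_id"] = int(ev["event_id"])
        ev["time"] = datetime.strptime(ev["time"], "%m/%d/%Y %I:%M:%S %p")
        ev["service"] = extract_service(ev["event_id"], ev["message"])
        events.append(ev)
    return events


def service_failures(events):
    """Map each service to the sorted list of event IDs that reference it."""
    by_service = defaultdict(list)
    for ev in events:
        if ev["service"] is not None:
            by_service[ev["service"]].append(ev["event_id"])
    return {svc: sorted(ids) for svc, ids in by_service.items()}


if __name__ == "__main__":
    events = parse_dds_events(SAMPLE_DDS_EVENTS)
    for svc, ids in sorted(service_failures(events).items()):
        print(f"{svc}: event IDs {ids}")
```

On the sample, the grouping shows that the 7000 and the two 10005 errors are one story (Windows Search failing to start, which DCOM then reports as error 1053), and that the remaining failures belong to the Group Policy Client and to two third-party services, Freenet and the AVG firewall. The example decides nothing about whether any of those is malicious; it just gives the responder the per-service list to check against the DDS and GMER output rather than reading the timeline line by line.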




#2 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:05:17 AM

Posted 03 January 2011 - 06:09 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 MelissaPleases

  • Topic Starter
  • Members
  • 537 posts
  • OFFLINE
  • Gender:Female
  • Location:Now in the Heartland of the USA
  • Local time:11:17 PM

Posted 03 January 2011 - 09:54 AM

I would have to guess that this issue has been resolved, since I've no longer had any problem with folder settings being changed. Thanks for responding! Unless I have further issues, I think this topic can be closed.



#4 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:05:17 AM

Posted 03 January 2011 - 10:42 AM

OK, thanks for letting us know. I'll get this topic closed.

Casey



#5 thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:17 AM

Posted 03 January 2011 - 04:10 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/



