Trojan "System Tool"?



#1 dmcwe

Posted 05 January 2011 - 04:30 PM

Hi everyone,
On normal start-up my screen has been taken over by an advertisement for a system tool removal software. I have a persistent pop-up on the toolbar saying my antivirus (avast) is infected and then a box appears and "runs" a system check which finds numerous trojans and viruses. I am also having difficulty logging on to the internet. I have followed the instructions in the guidance regarding the prep work but I have had to do this in "Safe Mode" as the computer does nothing in normal mode. I would be most grateful for your help....again.
Thanks in anticipation
Dave

DDS Log

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Dave at 19:24:01.89 on 05/01/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.503.169 [GMT 0:00]

AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Users\Dave\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uWindow Title =
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRunOnce: [lAkEp09000] c:\programdata\lakep09000\lAkEp09000.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [HTC Sync Loader] "c:\program files\htc\htc sync 3.0\htcUPCTLoader.exe" -startup
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2007-1-29 451072]
R3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2007-8-12 2599936]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-26 293968]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-26 17744]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-5-26 51280]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-5 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-2 136176]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-5 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-5 40384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-30 1343400]

=============== Created Last 30 ================

2011-01-05 19:31:28 -------- d-----w- c:\users\dave\appdata\roaming\HTC
2011-01-05 18:43:27 -------- d-----w- c:\progra~2\lAkEp09000
2010-12-21 21:40:10 -------- d-----w- c:\users\dave\appdata\local\Downloaded Installations
2010-12-21 21:39:15 -------- d-----w- c:\program files\Spirent Communications
2010-12-21 21:38:18 -------- d-----w- c:\program files\HTC
2010-12-21 21:37:14 -------- d-----w- c:\program files\MSXML 4.0
2010-12-16 10:02:03 516096 ----a-w- c:\program files\windows mail\wab.exe
2010-12-16 10:01:49 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-16 09:58:34 749056 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-16 09:58:29 496128 ----a-w- c:\windows\system32\taskschd.dll
2010-12-16 09:58:22 351232 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-16 09:58:17 192000 ----a-w- c:\windows\system32\taskeng.exe
2010-12-16 09:58:14 305152 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-16 09:58:09 179712 ----a-w- c:\windows\system32\schtasks.exe
2010-12-16 09:57:51 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-12-16 09:57:49 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-16 09:57:35 314368 ----a-w- c:\windows\system32\webio.dll
2010-12-16 09:57:25 101760 ----a-w- c:\windows\system32\consent.exe
2010-12-16 09:56:58 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-12-10 16:52:46 -------- d-----w- c:\program files\Yahoo!
2010-12-10 16:36:19 -------- d-----w- C:\ef65b8ad84bb4cc4b714b17c156741e8
2010-12-10 16:34:46 2983424 ----a-w- c:\windows\system32\UIRibbon.dll
2010-12-10 16:34:40 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-12-10 16:29:59 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-12-10 16:29:58 3181568 ----a-w- c:\windows\system32\mf.dll
2010-12-10 16:29:54 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-12-10 16:29:07 469256 ----a-w- c:\program files\common files\windows live\.cache\5711ae911cb988708\InstallManager_WLE_WLE.exe
2010-12-10 16:28:16 15712 ----a-w- c:\program files\common files\windows live\.cache\3f364abf1cb988707\MeshBetaRemover.exe
2010-12-10 16:28:08 94040 ----a-w- c:\program files\common files\windows live\.cache\39d0f44f1cb988706\DSETUP.dll
2010-12-10 16:28:08 525656 ----a-w- c:\program files\common files\windows live\.cache\39d0f44f1cb988706\DXSETUP.exe
2010-12-10 16:28:08 1691480 ----a-w- c:\program files\common files\windows live\.cache\39d0f44f1cb988706\dsetup32.dll
2010-12-10 16:28:03 525656 ----a-w- c:\program files\common files\windows live\.cache\2d5009311cb988705\DXSETUP.exe
2010-12-10 16:27:58 1691480 ----a-w- c:\program files\common files\windows live\.cache\2d5009311cb988705\dsetup32.dll
2010-12-10 16:27:55 94040 ----a-w- c:\program files\common files\windows live\.cache\2d5009311cb988705\DSETUP.dll
2010-12-10 16:27:01 6260088 ----a-w- c:\program files\common files\windows live\.cache\894cea11cb988704\Silverlight.4.0.exe
2010-12-10 16:24:54 -------- d-----w- c:\users\dave\appdata\local\Windows Live
2010-12-10 16:24:40 -------- d-----w- c:\program files\common files\Windows Live
2010-12-09 09:13:04 710976 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight-2\SpotlightResources.dll

==================== Find3M ====================

2010-12-31 20:06:36 38848 ----a-w- c:\windows\avastSS.scr
2010-11-04 05:52:17 978944 ----a-w- c:\windows\system32\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-04 04:41:26 386048 ----a-w- c:\windows\system32\html.iec
2010-11-04 04:08:54 1638912 ----a-w- c:\windows\system32\mshtml.tlb

============= FINISH: 19:25:10.46 ===============
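The tell-tale pairing in the log above is the uRunOnce entry for lAkEp09000 and the folder c:\progra~2\lAkEp09000 created the same day in "Created Last 30". The following Python triage script, an added example rather than anything from the thread or the DDS tool, parses a constructed excerpt of that log and flags autoruns that run from ProgramData, carry a random-looking name, or live in a folder created within days of the scan; it assumes that c:\progra~2 is the 8.3 alias of c:\ProgramData on this machine (consistent with the progra~2\microsoft\ehome entry in the log), and the name pattern and thresholds are heuristics chosen for illustration.

```python
import re
from datetime import date

# Constructed excerpt of the DDS log above (autoruns + Created Last 30), not the full log.
DDS_EXCERPT = r"""============== Pseudo HJT Report ===============
uRunOnce: [lAkEp09000] c:\programdata\lakep09000\lAkEp09000.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
=============== Created Last 30 ================
2011-01-05 19:31:28 -------- d-----w- c:\users\dave\appdata\roaming\HTC
2011-01-05 18:43:27 -------- d-----w- c:\progra~2\lAkEp09000
2010-12-21 21:39:15 -------- d-----w- c:\program files\Spirent Communications
"""

AUTORUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \S+ d-----w- (?P<path>.+)$")
# Mixed-case letters followed by a run of digits, the pattern of lAkEp09000.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{4,12}\d{3,}$")
# Assumption: c:\progra~2 is the 8.3 alias of c:\ProgramData on this Win7 x86 box.
PROGRAMDATA_RE = re.compile(r"^c:\\(?:programdata|progra~2)\\", re.I)

def exe_path(cmd):
    """Return the program path from a Run value, quoted or not."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def triage(log, scan_date, fresh_days=7):
    """Flag autoruns that score at least two of: lives under ProgramData,
    random-looking name, parent folder created within fresh_days of the scan."""
    scan = date.fromisoformat(scan_date)
    created = {}  # lower-cased folder name -> creation date
    for m in filter(None, map(CREATED_RE.match, log.splitlines())):
        created[m["path"].rsplit("\\", 1)[-1].lower()] = m["date"]
    findings = []
    for m in filter(None, map(AUTORUN_RE.match, log.splitlines())):
        path = exe_path(m["cmd"])
        folder = path.rpartition("\\")[0]
        reasons = []
        if PROGRAMDATA_RE.match(path):
            reasons.append("runs from ProgramData")
        if RANDOM_NAME_RE.match(m["name"]):
            reasons.append("random-looking autorun name")
        made = created.get(folder.rsplit("\\", 1)[-1].lower())
        if made and (scan - date.fromisoformat(made)).days <= fresh_days:
            reasons.append("folder created " + made)
        if len(reasons) >= 2:
            findings.append({"name": m["name"], "path": path,
                             "folder": folder, "reasons": reasons})
    return findings
```

Running `triage(DDS_EXCERPT, "2011-01-05")` with the log's own run date returns one finding, whose `folder` field is the c:\programdata\lakep09000 directory the helper asks to have deleted; the avast and Intel graphics entries score nothing.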

#2 teacup61

  • Malware Response Team

Posted 05 January 2011 - 04:48 PM

Hello dmcwe ,

Navigate to and delete this folder: c:\programdata\lakep09000

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to fluffybunny.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

  • Malware Response Team

Posted 10 January 2011 - 12:42 PM

Due to the lack of feedback this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic