
XP PC malware removal help request


This topic is locked. 2 replies to this topic.

#1 ck828 (Members, 10 posts)

Posted 27 February 2011 - 06:10 PM

Hello,

Please help with direction to fix my niece's malware-infected PC.

How come the host was redirected to a lot of anti-malware publisher sites?

There were also 2 entries in the Trusted Zone, which I immediately removed.

Thanks


I attach some files, and the following is the content of the DDS.txt file:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Nancy at 18:56:52.39 on Fri 02/25/2011
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.256.82 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\sw-ad\Malware Removal_Help\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: WinStat: {ee02b99b-1d55-48bc-b8db-649a42ce45f6} - c:\windows\system32\WinStat12.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {147D6308-0614-4112-89B1-31402F9B82C4} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_01\bin\jusched.exe
mRun: [SsAAD.exe] c:\progra~1\sony\sonics~1\SsAAD.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRunOnce: [RunNarrator] Narrator.exe
mExplorerRun: [myvlhj] c:\windows\system32\myvlhj.exe
StartupFolder: c:\docume~1\nancy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\nancy\startm~1\programs\startup\winlogon.lnk -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digima~1.lnk - c:\program files\samsung\digimax viewer 2.1\STImgBrowser.exe
uPolicies-system: DisableRegistryTools = 1
uPolicies-system: NoAdminPage = 1
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm414DJCA
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_01\bin\npjpi150_01.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: NDWCab - hxxp://www.neededware.com/ndw3.cab
DPF: Yahoo! Blackjack - hxxp://download.games.yahoo.com/games/clients/y/jt0_x.cab
DPF: Yahoo! Poker - hxxp://download.games.yahoo.com/games/clients/y/pt3_x.cab
DPF: Yahoo! Pool 2 - hxxp://download.games.yahoo.com/games/clients/y/pote_x.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20048BB3-DB68-11CF-9CAF-00AA006CB425} - hxxp://www.bardownload.com/prompt/cabs/website.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/chzl/default/popcaploader_v10.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Hosts: 1.1.1.1 ftp.f-secure.com
Hosts: 1.1.1.1 ftp.sophos.com
Hosts: 1.1.1.1 support.microsoft.com
Hosts: 1.1.1.1 viruslist.com
Hosts: 1.1.1.1 www.grisoft.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nancy\applic~1\mozilla\firefox\profiles\2smbasoe.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R0 hotcore2;hotcore2;c:\windows\system32\drivers\hotcore2.sys [2011-2-24 30808]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-2-24 27064]

=============== File Associations ===============

regfile="%1"

=============== Created Last 30 ================

2011-02-24 23:46:19 5632 ----a-w- c:\windows\system32\wnaspi32.dll
2011-02-24 23:46:19 30808 ----a-w- c:\windows\system32\drivers\hotcore2.sys
2011-02-24 23:46:19 2300928 ----a-w- c:\windows\system32\qtp-mt334.dll
2011-02-24 20:09:09 -------- d-----w- c:\docume~1\nancy\applic~1\Auslogics
2011-02-24 19:38:01 -------- d-----w- C:\tm
2011-02-24 19:35:58 -------- d-----w- c:\program files\CCleaner
2011-02-24 19:34:42 -------- d-----w- c:\program files\Auslogics
2011-02-24 18:50:14 -------- d-----w- c:\docume~1\nancy\locals~1\applic~1\VS Revo Group
2011-02-24 18:50:02 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2011-02-24 18:12:42 -------- d-----w- c:\windows\SxsCaPendDel
2011-02-24 03:49:22 -------- d-----w- c:\program files\Recover Keys
2011-02-23 23:14:21 -------- d-----w- C:\kl.files
2011-02-23 19:26:00 -------- d-----w- c:\docume~1\nancy\applic~1\URSoft
2011-02-23 19:25:55 -------- d-----w- c:\program files\Your Uninstaller 2006
2011-02-23 19:04:00 -------- d-----w- c:\program files\VS Revo Group
2011-02-23 19:01:20 1409 ----a-w- c:\windows\QTFont.for
2011-02-23 18:28:04 -------- d-----w- C:\HjT1.99.1_TM
2011-02-23 18:27:41 -------- d-----w- C:\irview
2011-02-23 18:17:31 -------- d-----w- C:\S80A7P1R
2011-02-23 18:17:06 -------- d-----w- C:\sw-ad

==================== Find3M ====================

2005-10-07 22:03:29 5280160 -c--a-w- c:\program files\PaintDotNet_2_5_Beta2.exe
2005-06-22 23:45:35 508528 -c--a-w- c:\program files\msgr7ca.exe
2007-05-03 01:39:01 2 -csh--w- c:\windows\system32\netstat.com
2007-05-03 01:39:01 2 -csh--w- c:\windows\system32\taskkill.com

============= FINISH: 18:57:34.35 ===============

Attached Files
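Added example (not code from the original post, and not part of the DDS tool): a small Python triage script that walks lines in the DDS "Pseudo HJT Report" format shown above and flags the patterns in this log that a malware responder would look at first: security-vendor and Microsoft sites blackholed in the HOSTS file, an autostart under Policies\Explorer\Run, a startup-folder shortcut named after a system process and pointing nowhere, and a DisableRegistryTools policy. The domain list, the severity labels and the heuristics are this example's own assumptions, and the sample lines are constructed in the same format as the log, not copied from an attachment.

```python
"""Triage helpers for a DDS-style "Pseudo HJT Report".

Added example, not part of the original post or of DDS. The domain
list, severities and heuristics below are assumptions for illustration.
"""
import ipaddress
import re

# Constructed list of vendor/update domains that malware likes to blackhole
# so the victim cannot fetch updates or removal tools. Extend as needed.
SECURITY_DOMAIN_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "f-secure.com", "sophos.com",
    "viruslist.com", "kaspersky.com", "grisoft.com", "avg.com",
    "symantec.com", "mcafee.com", "trendmicro.com", "bleepingcomputer.com",
)
# Core Windows process names that malware borrows for startup items.
SYSTEM_LOOKALIKES = ("winlogon", "svchost", "lsass", "csrss", "services", "smss")
# Policies that take a built-in admin tool away from the user.
LOCKOUT_POLICIES = ("DisableRegistryTools", "DisableTaskMgr", "DisableCMD")

HOSTS_RE = re.compile(r"^\s*Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^\s*(?P<scope>[umd])?(?P<key>RunOnce|ExplorerRun|Run):"
                    r"\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^\s*StartupFolder:\s*(?P<lnk>\S+)\s+-\s*(?P<target>.*)$")
POLICY_RE = re.compile(r"^\s*[umd]Policies-\w+:\s*(?P<name>\w+)\s*=\s*(?P<value>\S+)")


def _is_security_domain(host):
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in SECURITY_DOMAIN_SUFFIXES)


def _hosts_finding(m):
    try:
        addr = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    # Loopback/unspecified targets are the usual ad-blocking style: benign.
    if addr.is_loopback or addr.is_unspecified:
        return None
    if _is_security_domain(m["host"]):
        return ("high", "hosts", f"{m['host']} -> {m['ip']}: vendor/update site blackholed")
    return ("medium", "hosts", f"{m['host']} -> {m['ip']}: non-loopback redirect")


def _autostart_finding(m):
    # Policies\Explorer\Run is almost never used by legitimate installers.
    if m["key"] == "ExplorerRun":
        return ("high", "autostart", f"Policies\\Explorer\\Run entry [{m['name']}] {m['cmd']}")
    return None


def _startup_finding(m):
    base = m["lnk"].rsplit("\\", 1)[-1].lower()
    if base.endswith(".lnk"):
        base = base[:-4]
    if base in SYSTEM_LOOKALIKES:
        return ("high", "startup", f"{m['lnk']}: startup item named after a system process")
    if not m["target"].strip():
        return ("medium", "startup", f"{m['lnk']}: shortcut with no resolvable target")
    return None


def _policy_finding(m):
    if m["name"] in LOCKOUT_POLICIES and m["value"] == "1":
        return ("medium", "policy", f"{m['name']}=1 removes a built-in admin tool for this user")
    return None


def triage_dds(report_text):
    """Return (severity, category, detail) findings for DDS report text."""
    checks = ((HOSTS_RE, _hosts_finding), (RUN_RE, _autostart_finding),
              (STARTUP_RE, _startup_finding), (POLICY_RE, _policy_finding))
    findings = []
    for line in report_text.splitlines():
        for regex, handler in checks:
            m = regex.match(line)
            if m:
                f = handler(m)
                if f:
                    findings.append(f)
                break
    return findings


# Constructed sample in the same format as the DDS log (not the real attachment).
SAMPLE = r"""
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_01\bin\jusched.exe
mExplorerRun: [myvlhj] c:\windows\system32\myvlhj.exe
StartupFolder: c:\docume~1\nancy\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\nancy\startm~1\programs\startup\winlogon.lnk -
uPolicies-system: DisableRegistryTools = 1
uPolicies-system: NoAdminPage = 1
Hosts: 127.0.0.1 ads.example.invalid
Hosts: 1.1.1.1 ftp.f-secure.com
Hosts: 1.1.1.1 support.microsoft.com
Hosts: 1.1.1.1 www.example.invalid
"""

if __name__ == "__main__":
    for sev, cat, detail in triage_dds(SAMPLE):
        print(f"[{sev:6}] {cat:9} {detail}")
```

Run it against a saved DDS.txt by reading the file into `triage_dds`; loopback and 0.0.0.0 HOSTS entries are deliberately ignored so ordinary ad-blocking lists do not drown out the redirect to a real address, which is the pattern that blocks the victim from reaching update and vendor sites.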
#2 Noviciate (Malware Response Team, 5,277 posts)

Posted 28 February 2011 - 04:14 PM

Good evening. :)

Download MGADiag from here and save it to your Desktop.
  • Double click it to run it.
  • Click Continue.
  • Once the scan has completed, click Copy - this will transfer the results to your clipboard.
  • Paste them into your next reply.

So long, and thanks for all the fish.


#3 Noviciate (Malware Response Team, 5,277 posts)

Posted 05 March 2011 - 07:00 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.