
Fake Windows update, System Restore Virus, redirects

7 replies to this topic

#1 Fletchguy

Fletchguy

  • Members
  • 9 posts

Posted 11 April 2011 - 09:43 AM

Hello and thanks in advance. I am having a ton of issues that all came at one time and I am not sure of the origin or how it got in, but I need some help getting cleaned again. The rundown: I use a Sony Vaio laptop running Windows Vista Home Premium. The other day all was fine. I run daily scans and run protection and firewalls, but I had Windows Update pop up on my taskbar, nothing weird about it. It had some Microsoft updates and an IE 9 update in it, so I downloaded it. I never use IE but figured I would just update since it was being pushed. Well, after that my entire machine went crazy on me.

I know I was infected by the Windows Restore virus for sure. Things that I had happen were the pop-up "your hard drive is corrupt" message; I got locked out of a ton of folders; it hid folders and hid my desktop icons and hid the program files. It removed my access to the Accessory folder and removed it from my program list in the Start button. I would get Java error messages when I restarted, while I could hear ads; I couldn't see a video but heard the audio, like 3 in a row when started. It did something to my System Restore. I was able to finally find it, but when I run it, it lets me choose a date, then initiates and sits at the blue Windows screen saying "System Restore is initializing......"; it goes through the process but takes a while, then it restarts and nothing changed, then 10 minutes after boot a message comes up saying the restore was unsuccessful. I'm still locked out of some places; I get the "need administrator permission" message and I only have one account, which is my admin account, and it shows full permission granted. If I open IE it will go directly to an ad site even though I have my homepage set at Google. If I go to Google and do a search it finds results, but if you click them they redirect. The only browser that I can go directly to sites or download malware programs with is Minefield. Google Chrome, IE and Firefox all have issues. Also, I now get an annoying message when running virus scans about "No disk is in the drive... something about DR1.dll" or something.

Now some of what I have gone through so far. I have restored my desktop icons and unhidden the missing program folders. I have access to my Accessory folder but the shortcut in Start > Programs is still missing. I have done a few different cleanings in safe mode. I have used Malwarebytes with updated definitions, which cleaned roughly 60 found items. I have run Spybot Search & Destroy, which found 31 infections after Malwarebytes cleaned. I have run Super anti virus, which cleaned like 18 items. I completely uninstalled Firefox and all related files and settings, then used a copy on a USB stick to fresh install. I uninstalled the IE 9 update. I have run SmitFraud, which is iffy, as I think something is trying to stop it; it doesn't seem right and I can't update it. I was getting ready to come here, so I knew I'd need to download ComboFix to my desktop, so I have it but haven't run it yet, as I know it is preferred to wait on posting or running randomly and better to go through the mod's steps as requested.

So that's where I am at, so I am ready to begin following directions to see what we can do.... Let me know what is needed for the first step and I'll get to it. Again, thanks in advance for all help....

_________________________________________________________________________________________________________________________________________________________

I have followed the request to do the prep and ran all scans as required to begin. Below are the requested logs from the preparation guide...

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ownwer at 7:50:54.20 on Mon 04/11/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1084 [GMT -5:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\ASTSRV.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\CSHelper.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbguard.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Program Files\Firebird\Firebird_2_1\bin\fbserver.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sony\AppMonUtil\AppMonUtility.exe
C:\Program Files\Apoint\Apoint.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Minefield\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Ownwer\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {706f6eec-714b-15c3-5ef4-4bdc68992f57} - c:\windows\system32\NllsData0027.dll
BHO: EyeOnIE Class: {84fe14e8-7b9d-4c5e-89a4-8ba724c48963} - c:\program files\ivt corporation\bluesoleil\bluesoleil isend\BsTransSendEx.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISBMgr.exe] "c:\program files\sony\isb utility\ISBMgr.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [AppMon Utility] "c:\program files\sony\appmonutil\AppMonUtility.exe" @@@Start
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send by Bluetooth - c:\program files\ivt corporation\bluesoleil\transsend\ie\tsinfo.htm
IE: Send via &Message... - c:\program files\ivt corporation\bluesoleil\transsend\ie\tssms.htm
IE: {D8BA914B-EF59-48A3-BE9D-3C9362319F64} - c:\program files\ivt corporation\bluesoleil\bluesoleil.exe
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: bmnet.dll
Trusted Zone: musicmatch.com\online
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: VESWinlogon - VESWinlogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\ownwer\appdata\roaming\mozilla\firefox\profiles\9s40vgdk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Yahoo-FlvTube
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50ffTB50CL-ab-en-us&query=
FF - component: c:\users\ownwer\appdata\roaming\mozilla\firefox\profiles\9s40vgdk.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\users\ownwer\appdata\roaming\mozilla\firefox\profiles\9s40vgdk.default\extensions\firesheep@codebutler.com\platform\winnt_x86-msvc\components\mozpopen.dll
FF - component: c:\users\ownwer\appdata\roaming\mozilla\firefox\profiles\9s40vgdk.default\extensions\technicianconsole@logmeinrescue.com\platform\winnt\components\RescueComponent.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\minefield\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\minefield\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\mpcstar\codecs\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\onlive\firefoxplugin\npolgdet.dll
FF - plugin: c:\program files\opera\program\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\ownwer\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
.
---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2009-6-17 20744]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-8 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-4-8 2860800]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-8 55640]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-8-4 266240]
R2 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbguard.exe -s DefaultInstance [?]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-5-11 21504]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-21 47640]
R2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2009-6-17 29192]
R3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s defaultinstance --> c:\program files\firebird\firebird_2_1\bin\fbserver.exe -s DefaultInstance [?]
R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2009-6-17 25480]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\drivers\R5U870FLx86.sys [2007-1-9 72704]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\drivers\R5U870FUx86.sys [2007-1-9 43904]
R3 slim;Sony Lucid Integrated Mpeg encoder;c:\windows\system32\drivers\slim.sys [2007-1-17 699520]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2007-1-9 30976]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-1-9 227328]
R3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-8-7 16896]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-4-8 73728]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-28 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
S3 htcdiag;HTC Android Diag Port;c:\windows\system32\drivers\htcdiag.sys [2010-8-27 101376]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2007-12-14 570880]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-10-26 4247552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 USBAVCap;AVerMedia USB TV Tuner Device;c:\windows\system32\drivers\USBAVCap.sys [2007-1-9 774528]
S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2007-10-2 741376]
S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2007-10-2 397312]
S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2007-10-2 1089536]
S3 VUAgent;VUAgent;c:\program files\sony\vaio update 5\VUAgent.exe [2010-2-11 722288]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-8 108289]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-8 185089]
S4 BsMobileCS;BsMobileCS;c:\program files\ivt corporation\bluesoleil\BsMobileCS.exe [2010-3-9 143467]
S4 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2009-9-25 124160]
S4 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\nitro pdf\professional\NitroPDFDriverService.exe [2009-9-15 188736]
S4 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-4-27 93960]
S4 SuperRam;SuperRam Memory Service;c:\program files\pgware\superram\SuperRamService.exe [2010-7-21 1688768]
S4 w7Svc;webcam 7 Service;c:\program files\webcam 7\wService.exe [2009-9-23 3744768]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
S4 wxpSvc;webcamXP Service;c:\program files\wlite\wService.exe [2009-9-22 3465728]
.
=============== Created Last 30 ================
.
2011-04-11 02:18:19 -------- d-----w- c:\program files\Runtime Software
2011-04-11 00:44:28 -------- d-s---w- C:\ComboFix
2011-04-08 20:21:01 -------- dc-h--w- c:\progra~2\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
2011-04-08 20:03:29 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-04-08 02:36:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-08 02:36:07 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-07 17:31:29 -------- d-----r- c:\program files\Accessories
2011-04-07 16:43:08 -------- d-----w- c:\program files\AOL Desktop 9.6e
2011-04-07 16:36:43 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-04-07 16:36:43 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-04-07 16:36:43 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-04-07 01:15:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-07 01:15:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-05 22:28:35 -------- d-----w- c:\program files\AOL Desktop 9.6d
2011-03-22 15:31:37 -------- d-----w- c:\program files\AOL Desktop 9.6c
2011-03-15 20:53:16 -------- d--h--w- c:\users\ownwer\appdata\local\Vivox
2011-03-12 17:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-12 17:28:40 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-04-11 00:25:33 1365 ---ha-w- c:\users\ownwer\appdata\roaming\GetValue.vbs
2011-04-11 00:25:27 2522 ----a-w- c:\windows\system32\tmp.reg
2011-04-07 16:33:40 58696 ----a-w- c:\windows\system32\AOLParconLink.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-13 11:19:53 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-01-13 11:19:53 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-01-12 21:35:37 35 ---ha-w- c:\users\ownwer\appdata\roaming\SetValue.bat
2007-05-03 21:06:28 3506176 ----a-w- c:\program files\SWFText.exe
2006-05-03 10:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
.
============= FINISH: 7:53:16.88 ===============

___________________________________________________________________________________________________________________________________________________________

Posting the GMER file in its own post as the board says the post is too long.

I am going to attach the GMER scan results as I just can't get the boards to let me post, as it says too long, and I tried to break it into 5 posts but still too long. Yes, I unchecked the required boxes before the scan, but it took 2 hours to finish.

I hope both attachments are there, as I attached them but do not see any attachments in the post. Let me know if not and we can try something else.

EDIT: Posts merged. Don't worry about the GMER log for the time being. ~Budapest

Edited by Budapest, 11 April 2011 - 04:27 PM.
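The DDS log above is easier to triage with a few mechanical checks. What follows is an added example, not part of the original post and not code from BleepingComputer or from the DDS tool by sUBs: a Python script that parses a constructed sample of "Pseudo HJT Report" and "Find3M" lines in the DDS format, modelled on items visible in the log, and flags the things an analyst would look at first. The rule names and the heuristics are this example's own; a flag means "review this", not "this is malicious".

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: lines in the "Pseudo HJT Report" and "Find3M"
# formats DDS emits, modelled on items visible in the log above.
SAMPLE_DDS = r"""
BHO: Windows Live ID Sign-in Helper: {706f6eec-714b-15c3-5ef4-4bdc68992f57} - c:\windows\system32\NllsData0027.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
2011-04-11 02:18:19 -------- d-----w- c:\program files\Runtime Software
2011-04-11 00:25:33 1365 ---ha-w- c:\users\ownwer\appdata\roaming\GetValue.vbs
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2006-05-03 10:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
# "BHO: <display name>: {CLSID} - <dll path>"
BHO_RE = re.compile(rf"^BHO: (?P<name>.+?): (?P<clsid>{GUID}) - (?P<path>.+)$")
# "TB: [<display name>: ]{CLSID} - <dll path | No File>"
TB_RE = re.compile(rf"^TB: (?:(?P<name>.+?): )?(?P<clsid>{GUID}) - (?P<path>.+)$")
# "mPolicies-system: <key> = <value> (0x..)"
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<value>\d+)")
# Find3M: "<date> <time> <size|--------> <8 attribute flags> <path>"
# The flag string uses letters such as d (directory), s (system), h (hidden).
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?:\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule identifier (this example's own naming)
    detail: str  # human-readable explanation for the analyst


def triage(report: str) -> list[Finding]:
    """Scan DDS-format lines and return items worth an analyst's attention."""
    findings: list[Finding] = []
    bhos_by_name: dict[str, list[tuple[str, str]]] = defaultdict(list)

    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := BHO_RE.match(line):
            # Collect every BHO under its display name; duplicates are judged at the end.
            bhos_by_name[m["name"].lower()].append((m["clsid"], m["path"]))
            continue
        if m := TB_RE.match(line):
            if m["path"].strip().lower() == "no file":
                findings.append(Finding("orphaned-toolbar",
                                        f"{m['clsid']} is registered but its file is missing"))
            continue
        if m := POLICY_RE.match(line):
            if m["key"] == "EnableLUA" and int(m["value"]) == 0:
                findings.append(Finding("uac-disabled",
                                        "EnableLUA = 0: User Account Control is turned off"))
            continue
        if m := FIND3M_RE.match(line):
            attrs, path = m["attrs"], m["path"].lower()
            if "d" in attrs:
                continue  # directories are not judged by these rules
            if "s" in attrs and "h" in attrs and "\\system32\\" in path:
                findings.append(Finding("hidden-system-file",
                                        f"{path} carries system+hidden attributes"))
            elif "h" in attrs and "\\appdata\\" in path and path.endswith((".vbs", ".bat", ".cmd", ".js")):
                findings.append(Finding("hidden-script",
                                        f"{path} is a hidden script inside a user profile"))
            continue

    # The same display name registered under two CLSIDs with two different DLLs
    # deserves a look: one of them is not where the named product installs.
    for name, entries in bhos_by_name.items():
        if len(entries) > 1:
            paths = "; ".join(f"{clsid} -> {path}" for clsid, path in entries)
            findings.append(Finding("duplicate-bho-name",
                                    f"'{name}' registered {len(entries)} times: {paths}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(f"[{finding.rule}] {finding.detail}")
```

Run against a real DDS log, the script only narrows the list; each flagged path still has to be checked by hand (publisher, signature, install location) before anything is removed, which is exactly the work the helpers in this forum do with the log.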



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 21 April 2011 - 02:51 PM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new DDS log (don't forget attach.txt)

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Fletchguy

Fletchguy
  • Topic Starter

  • Members
  • 9 posts

Posted 21 April 2011 - 03:09 PM

Hello... Yeah, I thought they closed my help request over a week ago, as I never got a reply and the thread was locked by a moderator so I couldn't do anything. I have since worked on and resolved this on my own. I am still not sure how I got infected by using Windows Vista updates, but that's what happened. I ended up getting the "Catchme" folder on my desktop and it seemed to be related to a change made to the file "C:\Windows\system32\drivers\volsnap.sys". This unleashed a ton of problems. Malwarebytes never found it, so I had to run an arsenal of different scans and manual removals and registry edits. I found that by running 7 scanners in a particular order I was able to get cleaned. I made some edits I found online and removed IE9. I found all my missing programs and folders; they were moved, renamed and hidden in hidden folders. I still have a bit of an issue with the Microsoft updater, as it finds the same 2 updates every day for the last week and it downloads and installs successfully, but when I restart it says the same 2 updates have been found and need to be downloaded again. The one update is

Security Update for Microsoft .NET Framework 4 on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008 x86 (KB2446708)

Download size: 11.2 MB

You may need to restart your computer for this update to take effect.

Update type: Important

A security issue has been identified that could allow an attacker to compromise your Windows-based system that is running the Microsoft .NET Framework and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

More information:
http://go.microsoft.com/fwlink/?LinkID=204898

Help and Support:
http://support.microsoft.com

The other is a malicious tool update which installs and comes back up as needing to be downloaded again maybe every 3rd or 4th time I reboot. If you think it would help, I can post a new log or hijack log for you to just check if I missed anything. The browser hijack is done and I removed roughly 300 infections caused by the Windows Update IE install. The machine was clean prior to that update, as I ran 5 different scans the day before the updates. If you'd have time I'll post a log to look over, but I think I got all, as scans and rootkit scans seem to be clean. I used Malwarebytes, Super anti spyware, downloaded Kaspersky, S&D Spybot, SmitFraud removal by Siri, Lavasoft Antivir, Emsisoft, and Bulldog anti vir to get cleaned.

#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 21 April 2011 - 03:11 PM

To resolve your update issue, try to reset Windows Update as described here: http://support.microsoft.com/kb/971058

regards, Elise




#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 24 April 2011 - 11:33 AM

Hi, are you still there?

regards, Elise




#6 Fletchguy

Fletchguy
  • Topic Starter

  • Members
  • 9 posts

Posted 26 April 2011 - 02:05 PM

Sorry, was out of town a few days. I'm going to try the Windows Update fix you gave the link for and I'll let you know how it goes ASAP. Thanks

#7 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 26 April 2011 - 02:16 PM

No problem, please keep me posted. :)

regards, Elise




#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 07 May 2011 - 10:28 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

regards, Elise



