
Multiple Problems Caused by Fake Virus Scan


This topic is locked
24 replies to this topic

#1 mcdonn123

mcdonn123

  • Members
  • 23 posts
  • Gender:Male
  • Local time:06:00 PM

Posted 23 May 2011 - 07:34 AM

I have had problems ever since I ran into a fake website that brought up a fake "virus scan". More and more problems come up, and I suspect that I might have a downloader virus. Here is a list of problems and other information regarding them:
  • .exe files do not run (opens an "Open With" box); however, running as administrator does open the program.
  • Occasional pop-ups on Firefox (wasn't doing this before; pop-up is from results.google-analytics.com)
  • Before I deleted the file in my AppData\Local folder that opened the fake "virus scanner" in my system tray, the virus would consistently open up a window basically saying "you have a virus, buy this program!". Luckily I'm not stupid, so I found and deleted the bad program (which was .ilj or something, and was hidden as a "system file").
  • Malwarebytes will not update and is 37 days out of date. When an attempt is made to update the file, I get the following error message: "An error has occurred. Please report this code to our support team. PROGRAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)"
  • Malwarebytes does not detect any malware after performing a full scan (however it did at first; the files were quarantined and removed and I restarted my computer)
  • taskmgr.exe will not open! This is my latest problem (note: this happened within 5-6 days after I received that fake virus scan pop-up). When right-clicking on the taskbar, Task Manager is not selectable and is gray. Running taskmgr.exe directly brings up the message "Task Manager has been disabled by your administrator". Problem is, I'm the administrator and only user on this computer.


DDS.txt
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_23
Run by Circuit City at 10:25:49 on 2011-05-22
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2942.1333 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.3.21.53\GoogleCrashHandler.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\Windows\Explorer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\explorer.exe
svchost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Circuit City\Documents\Desktop\dds.scr
C:\Windows\system32\WSCRIPT.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = my.daemon-search.com
uInternet Settings,ProxyServer = http=127.0.0.1:60020
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
mURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\users\circuit city\appdata\roaming\appconf32.exe,
uWinlogon: Shell=explorer.exe,c:\users\circuit city\appdata\roaming\dwm.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTo1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin0.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: mysidesearch browser optimizer: {38cc6eb4-3633-9c3c-8a30-20eb3483cb14} - c:\windows\system32\{119b2691-fb22-d0b6-8ec9-243272c64589}.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [jHevfmtmQDGxHs] c:\programdata\jHevfmtmQDGxHs.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\circui~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\powerm~1.lnk - c:\program files\powermenu\PowerMenu.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gamers~1.lnk - c:\program files\gamersfirst\live!\Live.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\circuit city\appdata\roaming\microsoft\windows\start menu\programs\imvu\Run IMVU.lnk
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
Trusted Zone: adobe.com\www
Trusted Zone: kongregate.com\www
Trusted Zone: roblox.com\www
Trusted Zone: youtube.com\www
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: NameServer = 93.188.165.204,93.188.160.175
TCP: {150B3CEB-DFED-42CE-A220-114CBE1A05B7} = 93.188.165.204,93.188.160.175
TCP: {4129B5DC-99F9-495A-8760-E0646DEAD679} = 93.188.165.204,93.188.160.175
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\circuit city\appdata\roaming\mozilla\firefox\profiles\i0crukjk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mydtzone.com/startpage|resource:/browserconfig.properties
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\thrixxx\weblaunch\binaries\npWebLaunch.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: SimilarWeb: FirefoxAddon@similarWeb.com - %profile%\extensions\FirefoxAddon@similarWeb.com
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Personas: personas@christopher.beard - %profile%\extensions\personas@christopher.beard
FF - Ext: FastestFox: smarterwiki@wikiatic.com - %profile%\extensions\smarterwiki@wikiatic.com
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Screengrab: {02450954-cdd9-410f-b1da-db804e18c671} - %profile%\extensions\{02450954-cdd9-410f-b1da-db804e18c671}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - %profile%\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
FF - Ext: Easy Youtube Video Downloader: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b} - %profile%\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Reasy: {fcff419f-5bfb-40cd-b52c-8f55dc2d0511} - %profile%\extensions\{fcff419f-5bfb-40cd-b52c-8f55dc2d0511}
FF - Ext: Flash and Video Download: {bee6eb20-01e0-ebd1-da83-080329fb9a3a} - %profile%\extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 DhaHelper;DhaHelper;c:\windows\system32\drivers\dhahelper.sys [2010-10-6 7168]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-4-15 218688]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKslb7624abb;MpKslb7624abb;c:\programdata\microsoft\microsoft antimalware\definition updates\{b817b85a-0fc9-43fe-83f3-c30d01e82f7d}\MpKslb7624abb.sys [2011-5-13 28752]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2010-10-6 28160]
R3 rt61x86;RT61 Wireless Driver for Windows Vista;c:\windows\system32\drivers\netr61.sys [2008-11-26 333824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service;c:\program files\google\update\GoogleUpdate.exe [2008-7-17 133104]
S2 RelevantKnowledge;RelevantKnowledge;c:\program files\relevantknowledge\rlservice.exe /service --> c:\program files\relevantknowledge\rlservice.exe [?]
S3 EagleXNt;EagleXNt;c:\windows\system32\drivers\EagleXNt.sys [2011-5-1 480992]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-3-10 39424]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2008-7-17 133104]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 USBTINSP;TI-Nspire™ Handheld or TI Network Bridge Device Driver;c:\windows\system32\drivers\tinspusb.sys [2011-5-13 122752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-05-22 14:46:50 -------- d-----w- c:\program files\DoremiSoft
2011-05-22 14:04:15 -------- d-----w- c:\program files\MPEGTOAVI
2011-05-21 16:09:09 0 ----a-w- c:\users\circuit city\appdata\roaming\i0crukjk.default.tmp
2011-05-20 03:04:46 -------- d-----w- C:\xmldm
2011-05-20 03:04:46 -------- d-----w- C:\kock
2011-05-20 03:04:15 -------- d-----w- c:\users\circuit city\appdata\roaming\xmldm
2011-05-20 03:04:14 -------- d-----w- c:\users\circuit city\appdata\roaming\kock
2011-05-20 02:23:23 -------- d-----w- C:\My Video
2011-05-19 01:12:33 -------- d-----w- c:\program files\t@b
2011-05-17 21:14:38 432640 ----a-w- c:\programdata\jHevfmtmQDGxHs.exe
2011-05-13 21:27:05 -------- d-----w- c:\users\circuit city\appdata\roaming\TI-Nspire
2011-05-13 21:22:40 -------- d-----w- c:\users\circuit city\appdata\roaming\Texas Instruments
2011-05-13 21:15:47 -------- d-----w- c:\programdata\SafeNet Sentinel
2011-05-13 21:14:25 122752 ----a-w- c:\windows\system32\drivers\tinspusb.sys
2011-05-13 21:12:38 -------- d-----w- c:\programdata\TI-Nspire
2011-05-13 21:01:01 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b817b85a-0fc9-43fe-83f3-c30d01e82f7d}\MpKslb7624abb.sys
2011-05-10 21:22:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-10 20:58:42 7071056 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{b817b85a-0fc9-43fe-83f3-c30d01e82f7d}\mpengine.dll
2011-05-07 20:31:23 73728 ----a-w- c:\program files\microsoft games\fable - the lost chapters\data\graphics\pc\fable_nude_mod\fable_nude_mod\fableexplorer\zlib.dll
2011-05-07 20:31:23 2319568 ----a-w- c:\program files\microsoft games\fable - the lost chapters\data\graphics\pc\fable_nude_mod\fable_nude_mod\fableexplorer\d3dx9_27.dll
2011-05-07 20:31:23 159744 ----a-w- c:\program files\microsoft games\fable - the lost chapters\data\graphics\pc\fable_nude_mod\fable_nude_mod\fableexplorer\FableContentManagement.dll
2011-05-07 20:31:23 135168 ----a-w- c:\program files\microsoft games\fable - the lost chapters\data\graphics\pc\fable_nude_mod\fable_nude_mod\fableexplorer\FableExplorer.exe
2011-05-07 20:31:23 106496 ----a-w- c:\program files\microsoft games\fable - the lost chapters\data\graphics\pc\fable_nude_mod\fable_nude_mod\fableexplorer\FableArchives.dll
2011-05-07 19:52:13 -------- d-----w- c:\program files\Dragon UnPACKer 5
2011-05-04 22:07:10 -------- d-----w- c:\program files\BlackIsle
2011-05-01 18:15:43 480992 ----a-w- c:\windows\system32\drivers\EagleXNt.sys
2011-04-30 02:17:19 -------- d-----w- c:\program files\SoundSpectrum
2011-04-29 21:00:30 7071056 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-28 12:39:53 439632 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1b8f3eb5-477c-495a-aa82-24fcb34f9b71}\gapaengine.dll
2011-04-28 12:34:42 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-27 21:20:18 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 21:20:18 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-23 03:43:04 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2011-04-23 03:42:44 95600 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
2011-05-04 22:08:14 52736 ----a-w- c:\windows\ipuninst.exe
2011-04-15 21:05:58 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-04-09 23:55:44 15453336 ----a-w- c:\windows\system32\xlive.dll
2011-04-09 23:55:42 13642904 ----a-w- c:\windows\system32\xlivefnt.dll
2011-03-10 16:12:54 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 16:12:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:00:15 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 14:56:29 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 14:56:26 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 14:56:25 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 14:56:25 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 12:53:48 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 14:49:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 12:52:11 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 12:52:04 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 12:51:53 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 12:51:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
.
============= FINISH: 10:26:36.98 ===============
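As an added illustration (not code from this thread, from the DDS tool, or from the helper), the following Python checker runs a few defender-side rules over lines taken from the Pseudo HJT section of the log above: a proxy pointed at 127.0.0.1 (the setting that blocks the Malwarebytes update), extra entries appended to the Winlogon Userinit and Shell values, an autostart .exe sitting directly in ProgramData, and the DisableTaskMgr / EnableLUA policies. The rule names, the check_line/analyze functions and the "bare .exe in a data folder" heuristic are the example's own assumptions, not DDS conventions.

```python
import re
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the "Pseudo HJT Report"
# section of the DDS log posted above (raw string, so the backslashes are literal).
SAMPLE_DDS = r"""
uStart Page = my.daemon-search.com
uInternet Settings,ProxyServer = http=127.0.0.1:60020
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\users\circuit city\appdata\roaming\appconf32.exe,
uWinlogon: Shell=explorer.exe,c:\users\circuit city\appdata\roaming\dwm.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [jHevfmtmQDGxHs] c:\programdata\jHevfmtmQDGxHs.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableTaskMgr = 1 (0x1)
"""

Finding = Tuple[str, str]  # (rule name, offending log line)

# What each rule (names are this example's own) means for the reported symptoms.
EXPLANATION = {
    "localhost_proxy": "all HTTP traffic is forced through a local port, which is why "
                       "Malwarebytes cannot reach its update server (WinHttpSendRequest error)",
    "winlogon_userinit_hijack": "an extra program is started at every logon alongside userinit.exe",
    "winlogon_shell_hijack": "an extra program is started as part of the shell alongside explorer.exe",
    "run_from_data_dir": "an executable sitting directly in a user-writable data folder autostarts",
    "taskmgr_disabled": "the DisableTaskMgr policy produces 'Task Manager has been disabled by your administrator'",
    "uac_disabled": "UAC is switched off, so anything that runs does so without a consent prompt",
}

# Heuristic: user-writable roots where a legitimate autostart rarely sits as a bare .exe.
_DATA_DIR_EXE = re.compile(r"\\(programdata|appdata\\roaming|appdata\\local)\\[^\\]+\.exe$")


def _entries(value: str) -> List[str]:
    """Split a comma-separated Winlogon value, dropping the trailing empty item."""
    return [p.strip() for p in value.split(",") if p.strip()]


def _run_target(rest: str) -> str:
    """Extract the executable path from the text after a Run entry's [name]."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", rest, re.I)
    return m.group(1) if m else rest


def check_line(line: str) -> List[Finding]:
    """Apply every rule to one DDS line and return the rules it trips."""
    s = line.strip()
    found: List[Finding] = []

    m = re.match(r"^[um]Internet Settings,ProxyServer\s*=\s*(.*)$", s, re.I)
    if m and re.search(r"(127\.0\.0\.1|localhost):\d+", m.group(1)):
        found.append(("localhost_proxy", s))

    m = re.match(r"^[um]Winlogon:\s*Userinit=(.*)$", s, re.I)
    if m:
        e = _entries(m.group(1))
        if len(e) != 1 or not e[0].lower().endswith(r"\system32\userinit.exe"):
            found.append(("winlogon_userinit_hijack", s))

    m = re.match(r"^[um]Winlogon:\s*Shell=(.*)$", s, re.I)
    if m and [x.lower() for x in _entries(m.group(1))] != ["explorer.exe"]:
        found.append(("winlogon_shell_hijack", s))

    m = re.match(r"^[um]Run:\s*\[[^\]]*\]\s*(.*)$", s, re.I)
    if m and _DATA_DIR_EXE.search(_run_target(m.group(1)).lower()):
        found.append(("run_from_data_dir", s))

    m = re.match(r"^[um]Policies-system:\s*(\w+)\s*=\s*(\d+)", s, re.I)
    if m:
        name, val = m.group(1).lower(), int(m.group(2))
        if name == "disabletaskmgr" and val == 1:
            found.append(("taskmgr_disabled", s))
        if name == "enablelua" and val == 0:
            found.append(("uac_disabled", s))
    return found


def analyze(report: str) -> List[Finding]:
    """Run check_line over a whole DDS report, keeping findings in log order."""
    found: List[Finding] = []
    for line in report.splitlines():
        found.extend(check_line(line))
    return found


if __name__ == "__main__":
    for rule, line in analyze(SAMPLE_DDS):
        print(f"[{rule}] {line}\n    -> {EXPLANATION[rule]}")
```

Each finding maps back to a symptom in the first post: the localhost proxy to the MBAM 12007 error, the policy entries to the greyed-out Task Manager, and the Winlogon additions to the processes that keep coming back after a reboot. The checker only reads the log; clean-up is the helper's job in the replies that follow.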


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:07:00 PM

Posted 27 May 2011 - 02:47 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Is this a company/work related machine?

Rootkit UnHooker (RkU)
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool, if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".



NEXT:


Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 mcdonn123

mcdonn123
  • Topic Starter

  • Members
  • 23 posts
  • Gender:Male
  • Local time:06:00 PM

Posted 28 May 2011 - 12:11 PM

Hello SweetTech! It's a pleasure to meet you and thank you for the reply!
The computer I am using is used only by me (a personal computer)
Most of the problems I have had before (as mentioned in my first post) still exist. However, I have managed to fix some of these problems (i.e. task manager being disabled). So I'll give you an update on the current problems with my computer and re-post an updated DDS.txt and (if you request it) an updated gmer report (ark.log).


Current KNOWN Problems:
  • Unable to open .exe files. (I get an Open-With box; however, I can open them by running them as Administrator)
  • Occasionally receive pop-ups when connecting to a website (Note: the websites aren't creating the pop-ups; the website that pops up is, for all that I've seen, search.google-analytics.com or results.google-analytics.com)
  • Malwarebytes will not update. When an attempt is made to update the file, I get the following error message: "An error has occurred. Please report this code to our support team. PROGRAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)"
  • When trying to run Task Manager I get an error "C:\Windows\system32\taskmgr.exe Application not found". The file does exist and is at said location. It can be run when opening taskmgr.exe directly.
  • Other .exe files give the same error as above (but with a different file path). Here's an example: at Control Panel\System when trying to open the Advance system settings or System protection or Remote settings in the task panel on the left side (Note: the Device manager opens without the error). Other links on the control panel that don't work and give the same error are associated with these files (all of which are located in C:\Windows\system32\ ):
    • systempropertiesremote.exe
    • systempropertiesprotection.exe
    • systempropertiesadvanced.exe
    • systempropertiescomputername.exe
    • rundll32.exe
  • Some links on the control panel do not work. No error is given, the link just doesn't open up properly (i.e. clicking on the link does nothing)
  • When restarting my computer, at some point I get a blue screen. It disappears quickly so I don't always have enough time to write down all of what it says, but I do know it has to do with a file that has usb in its name (I think it was libusb or usblib and it was either a .dll or .exe; I am not 100% sure of this though)
  • It is very possible that there are many other underlying problems that I have not mentioned. For instance, I didn't know that there was a problem with services.exe until I tried to run it (There was a problem that had something to do with DirectX). I managed to fix the problem by removing the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\[] where the "[]" is a square box (if I remember correctly, it is a non-ansi character). This fixed the problem and services.exe worked again.


Spoilers were used for ease of access to the .txt files

DDS.txt File:
Spoiler



Ark.log
FROM LAST POST
I am unsure if you want this so until requested,
I will just post the one from the previous post

Spoiler



RkU Report
Spoiler



OTL.txt
Spoiler



Extras.txt
Spoiler


PS
I would love to learn how you solve these!

Thank You for your time!

#4 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:07:00 PM

Posted 28 May 2011 - 12:29 PM

Hi mcdonn123!

You're welcome!

The computer I am using is used only by me (a personal computer)

Okay. :)

Unable to open .exe files. (I get an Open-With box; However I can open them by Running it as Administrator)

This is more than likely due to the association of the file extensions getting messed up by malware.

Occasionally receive pop-ups when connecting to a website (Note: the websites aren't creating the pop-ups; the website that pops up is, for all that I've seen, search.google-analytics.com or results.google-analytics.com)

This is related to the malware on your computer. We should be able to fix this shortly.

Malwarebytes will not update. When an attempt is made to update the file, I get the following error message: "An error has occurred. Please report this code to our support team. PROGRAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)"

You're experiencing issues with this because you currently have a proxy set that is not allowing MBAM to update. We'll fix this shortly.

When trying to run Task Manager I get an error "C:\Windows\system32\taskmgr.exe Application not found". The file does exist and is at said location. It can be run when opening taskmgr.exe directly.

Interesting, it's possible malware has messed with a setting. We'll look into figuring out how to address that.

Other .exe files give the same error as above (but with a different file path). Here's an example: at Control Panel\System when trying to open the Advanced system settings or System protection or Remote settings in the task panel on the left side (Note: the Device manager opens without the error). Other links on the control panel that don't work and give the same error are associated with these files (all of which are located in C:\Windows\system32\ ):

We'll see what we can do about that.

Some links on the control panel do not work. No error is given, the link just doesn't open up properly (i.e. clicking on the link does nothing)

Okay.

When restarting my computer, at some point I get a blue screen. It disappears quickly so I don't always have enough time to write down all of what it says, but I do know it has to do with a file that has usb in its name (I think it was libusb or usblib and it was either a .dll or .exe; I am not 100% sure of this though)

Possible due to the malware on the computer. Let me know if this symptom goes away as we start fixing things.

It is very possible that there are many other underlying problems that I have not mentioned. For instance, I didn't know that there was a problem with services.exe until I tried to run it (There was a problem that had something to do with DirectX). I managed to fix the problem by removing the registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\[] where the "[]" is a square box (if I remember correctly, it is a non-ansi character). This fixed the problem and services.exe worked again.

Okay.

____________________________________________________

One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Back-Up Registry
First, we need to backup your registry:
Please go to Start > Run
Paste in the following line:

regedit /e c:\registrybackup.reg

Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.


NEXT:



Please post back after you've successfully backed up the registry.

Edited by SweetTech, 28 May 2011 - 12:31 PM.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#5 mcdonn123


Posted 28 May 2011 - 03:38 PM

I have backed up my registry. Though I couldn't do it through Start>Run because I got that error stating "Application not found". So instead I went to regedit.exe and exported all the registry files to my computer (just thought I'd let you know).

#6 SweetTech


Posted 28 May 2011 - 03:54 PM

Hi mcdonn123!

Do you recognize these files?

[2011/05/25 09:15:50 | 000,053,003 | ---- | M] () -- C:\Windows\System32\116.skb
[2011/05/25 08:44:27 | 000,051,867 | ---- | M] () -- C:\Windows\System32\115.skb
[2011/05/25 07:39:23 | 000,051,822 | ---- | M] () -- C:\Windows\System32\114.skb
[2011/05/19 22:28:48 | 000,019,456 | ---- | C] () -- C:\Users\Circuit City\AppData\Roaming\i0crukjk.default.dat

I'd like to have you submit them online, so I can see what they are.

VirusTotal File Scan
Please go to: VirusTotal
  • Click the Browse button and search for the following file: C:\Windows\System32\116.skb
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

Repeat the above process for the following files below:

C:\Windows\System32\115.skb
C:\Windows\System32\114.skb
C:\Users\Circuit City\AppData\Roaming\i0crukjk.default.dat

Please post the results in your next reply

____________________________________________________

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :OTL
    SRV - File not found [Disabled | Stopped] -- -- (stllssvr)
    SRV - File not found [Auto | Stopped] -- -- (RelevantKnowledge)
    SRV - File not found [Auto | Stopped] -- -- (LiveUpdate Notice Ex)
    SRV - File not found [Auto | Stopped] -- -- (astcc)
    IE - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60020
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No CLSID value found.
    O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
    O4 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000..\Run: [jHevfmtmQDGxHs] C:\ProgramData\jHevfmtmQDGxHs.exe (QNP)
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.204,93.188.160.175
    O20 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000 Winlogon: Shell - (C:\Users\Circuit City\AppData\Roaming\dwm.exe) - File not found
    O35 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000..exefile [open] -- "C:\Users\Circuit City\AppData\Local\ijk.exe" -a "%1" %*
    O37 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\...com [@ = comfile] -- Reg Error: Key error. File not found
    O37 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\...exe [@ = exefile] -- "C:\Users\Circuit City\AppData\Local\ijk.exe" -a "%1" %*
    [2011/05/19 22:04:46 | 000,000,000 | ---D | C] -- C:\xmldm
    [2011/05/19 22:04:46 | 000,000,000 | ---D | C] -- C:\kock
    [2011/05/19 22:04:15 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\xmldm
    [2011/05/19 22:04:14 | 000,000,000 | ---D | C] -- C:\Users\Circuit City\AppData\Roaming\kock
    [2011/05/17 16:14:38 | 000,432,640 | ---- | C] (QNP) -- C:\ProgramData\jHevfmtmQDGxHs.exe
    [2011/05/17 16:14:37 | 000,432,640 | ---- | M] (QNP) -- C:\ProgramData\jHevfmtmQDGxHs.exe
    [2011/05/16 20:11:21 | 000,003,180 | -HS- | M] () -- C:\ProgramData\n5tcxce8onsa44jdoj4a5m5vu37617hn06
    [2011/05/15 22:47:02 | 000,049,517 | ---- | M] () -- C:\Users\Circuit City\AppData\Roaming\9400.015
    [2011/05/15 13:14:02 | 000,003,998 | -HS- | M] () -- C:\ProgramData\0d0w4kk54c0b50x30s4tl5v
    [2011/05/13 21:45:39 | 000,008,704 | -HS- | M] () -- C:\ProgramData\5bg0h80m586b3bwhfu1ruv8o6b
    [2011/05/16 20:10:38 | 000,003,180 | -HS- | C] () -- C:\ProgramData\n5tcxce8onsa44jdoj4a5m5vu37617hn06
    [2011/05/15 13:12:56 | 000,003,998 | -HS- | C] () -- C:\ProgramData\0d0w4kk54c0b50x30s4tl5v
    [2011/05/15 13:12:55 | 000,049,517 | ---- | C] () -- C:\Users\Circuit City\AppData\Roaming\9400.015
    [2011/05/13 21:41:38 | 000,008,704 | -HS- | C] () -- C:\ProgramData\5bg0h80m586b3bwhfu1ruv8o6b
    [2011/04/18 21:09:44 | 000,006,642 | -HS- | C] () -- C:\ProgramData\q45f63b3111o63c2hk0htmd5p3j4poe
    [2009/10/28 11:22:42 | 000,000,096 | ---- | C] () -- C:\Users\Circuit City\AppData\Roaming\e0389f41.dat
    [2009/02/27 19:45:50 | 001,882,624 | ---- | C] () -- C:\Windows\System32\xa152224761.exe
    [2009/02/27 19:45:50 | 001,882,624 | ---- | C] () -- C:\Windows\System32\xa152224558.exe
    [2009/02/26 00:21:32 | 001,882,624 | ---- | C] () -- C:\Windows\System32\xa159232778.exe
    [2009/02/26 00:21:32 | 001,882,624 | ---- | C] () -- C:\Windows\System32\xa159232576.exe
    [2009/02/26 00:21:28 | 001,882,624 | ---- | C] () -- C:\Windows\System32\xa159228847.exe
    [2009/02/26 00:21:28 | 001,882,624 | ---- | C] () -- C:\Windows\System32\xa159228644.exe
    [2009/02/26 00:21:19 | 000,915,968 | ---- | C] () -- C:\Windows\System32\xa159219362.exe
    [2009/02/26 00:21:19 | 000,915,968 | ---- | C] () -- C:\Windows\System32\xa159219175.exe
    [2009/02/26 00:20:30 | 001,882,624 | ---- | C] () -- C:\Windows\System32\xa159170206.exe
    [2009/02/26 00:20:29 | 001,882,624 | ---- | C] () -- C:\Windows\System32\xa159169988.exe
    [2009/02/26 00:20:21 | 000,915,968 | ---- | C] () -- C:\Windows\System32\xa159161502.exe
    [2009/02/26 00:20:21 | 000,915,968 | ---- | C] () -- C:\Windows\System32\xa159161268.exe
    
    :Reg
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\windows\\system32\\userinit.exe,"
    "Shell"="explorer.exe"
    :Files
    C:\Users\Circuit City\AppData\Roaming\appconf32.exe 
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Edited by SweetTech, 28 May 2011 - 03:55 PM.

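The fix above targets four things at once: a proxy on 127.0.0.1 (the reason MBAM's update dies inside WinHttpSendRequest), rogue NameServer entries, a replaced Winlogon Shell, and an exefile association wrapped around ijk.exe. As an added example, not code from this thread or from OTL, here is a Python script that flags those patterns in an OTL-style log. The sample lines are constructed from the entries quoted above; the clean control line, the expected defaults and the trusted-DNS list are assumptions.

```python
"""Triage an OTL-style log for the hijacks discussed in this thread (added example, not OTL's code)."""
import re
from typing import Dict, List, Tuple

# Values a clean Windows install is expected to carry (assumed defaults, not read from OTL).
EXPECTED_EXE_COMMAND = '"%1" %*'   # default exefile shell\open\command
EXPECTED_SHELL = "explorer.exe"     # default Winlogon "Shell" value
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")

# Constructed sample: lines modelled on the OTL entries quoted in the fix above, plus one
# clean exefile line (assumed) so the script has something it must NOT flag.
SAMPLE_OTL_LOG = r"""
IE - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:60020
O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.165.204,93.188.160.175
O20 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000 Winlogon: Shell - (C:\Users\Circuit City\AppData\Roaming\dwm.exe) - File not found
O35 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000..exefile [open] -- "C:\Users\Circuit City\AppData\Local\ijk.exe" -a "%1" %*
O37 - HKU\S-1-5-21-808472312-2103218499-2355469710-1000\...exe [@ = exefile] -- "C:\Users\Circuit City\AppData\Local\ijk.exe" -a "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
"""

Finding = Dict[str, str]


def triage_otl(log_text: str, trusted_dns: Tuple[str, ...] = ("8.8.8.8", "8.8.4.4")) -> List[Finding]:
    """Return one finding per suspicious line. trusted_dns is the resolver set this machine
    should be using; the public resolvers the helper recommends later in the thread are used
    by assumption, a real triage would use the DHCP-assigned or corporate resolvers."""
    findings: List[Finding] = []
    proxy_enabled = False
    proxy_server = ("", "")   # (registry value, the log line it came from)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # Internet Settings proxy: collected here and judged after the loop, because
        # ProxyEnable and ProxyServer arrive on separate lines.
        m = re.search(r'"ProxyEnable" = (\d+)', line)
        if m:
            proxy_enabled = m.group(1) == "1"
            continue
        m = re.search(r'"ProxyServer" = (\S+)', line)
        if m:
            proxy_server = (m.group(1), line)
            continue

        # O17: any resolver outside the trusted set is treated as DNS hijacking.
        m = re.search(r"NameServer = ([\d.,]+)", line)
        if m:
            rogue = [ip for ip in m.group(1).split(",") if ip and ip not in trusted_dns]
            if rogue:
                findings.append({"check": "rogue_dns", "detail": ",".join(rogue), "line": line})
            continue

        # O20: the Winlogon Shell should be explorer.exe, never a file under a user profile.
        m = re.search(r"Winlogon: Shell - \((.*?)\)", line)
        if m:
            if m.group(1).rsplit("\\", 1)[-1].lower() != EXPECTED_SHELL:
                findings.append({"check": "winlogon_shell", "detail": m.group(1), "line": line})
            continue

        # O35/O37: the exefile open command must be exactly "%1" %*. Anything wrapped around it
        # (here ijk.exe -a) runs before every .exe the user launches, and once that wrapper file
        # is deleted Windows falls back to the "Open With" box the poster described.
        if "exefile" in line and " -- " in line:
            command = line.split(" -- ", 1)[1].strip()
            if command != EXPECTED_EXE_COMMAND:
                findings.append({"check": "exe_association", "detail": command, "line": line})

    # A proxy on loopback puts a local process in front of every HTTP request, the simplest
    # explanation for an updater failing inside WinHttpSendRequest.
    if proxy_enabled and proxy_server[0]:
        host = proxy_server[0].split("=")[-1].split(":")[0]   # "http=127.0.0.1:60020" -> "127.0.0.1"
        if host in LOOPBACK_HOSTS:
            findings.append({"check": "local_proxy", "detail": proxy_server[0], "line": proxy_server[1]})
    return findings


if __name__ == "__main__":
    for f in triage_otl(SAMPLE_OTL_LOG):
        print(f"[{f['check']}] {f['detail']}")
```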


#7 mcdonn123


Posted 28 May 2011 - 05:16 PM

The .skb files are backup document files from Google SketchUp (I don't know why it puts the files there though). Here are the results:

115.skb 0/42 (clean)
114.skb 0/43 (clean)
116.skb 0/43 (clean)
i0crukjk.default.dat 0/42 (clean)

Also, regarding the problem involving the blue screen, I managed to get some info about it. When I rebooted my computer (for OTL) I got the blue screen and managed to find out some stuff. The file is usbhub.sys and the address (at least the start of it) is 8F8AC9. Note: I forgot to mention earlier that I have had this problem for a while.

OTL Report:



ComboFix.txt:

Edited by mcdonn123, 28 May 2011 - 05:18 PM.


#8 SweetTech


Posted 29 May 2011 - 09:42 AM

Hi!

The .skb files are backup document files from Google SketchUp (I don't know why it puts the files there though). Here are the results:

Thanks for that information.

Also, regarding the problem involving the blue screen, I managed to get some info about it. When I rebooted my computer (for OTL) I got the blue screen and managed to find out some stuff. The file is usbhub.sys and the address (at least the start of it) is 8F8AC9. Note: I forgot to mention earlier that I have had this problem for a while.

Did you have this issue before you got infected?

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Suspect::[102]
c:\users\Circuit City\AppData\Roaming\i0crukjk.default.tmp
File::
c:\windows\System32\drivers\tbeccb.sys

Folder::
C:\xmldm
C:\kock
c:\users\Circuit City\AppData\Roaming\xmldm
c:\users\Circuit City\AppData\Roaming\kock

Driver::
mqurgp

DDS::
TCP: Interfaces\{150B3CEB-DFED-42CE-A220-114CBE1A05B7}: NameServer = 93.188.165.204,93.188.160.175
TCP: Interfaces\{4129B5DC-99F9-495A-8760-E0646DEAD679}: NameServer = 93.188.165.204,93.188.160.175

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

  • Drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.



  • If an infected file is detected, the default action will be Cure, click on Continue.



  • If a suspicious file is detected, the default action will be Skip, click on Continue.



  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.



  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT:



What issues are you currently experiencing?



#9 mcdonn123


Posted 29 May 2011 - 10:14 AM

Yes, I do believe I have had the problem regarding the blue screen before I got infected.

Update:
While browsing the internet, another one of those false "virus scans" came up. However, I suspect that it wasn't the website, as I have been to the website numerous times and know it isn't malicious. The name of the fake virus program is Vista Security [something] (I forgot the last part), but the .exe it ran from was C:\Users\Circuit City\AppData\Local\nyw.exe. Again, when opening a .exe file, I got the "open with" prompt (which was fixed for a while).

Knowing this, is it still safe to use ComboFix and TDSSKiller? I have updated reports from OTL, DDS, and RkU; and can post them if you would like.


#10 SweetTech


Posted 29 May 2011 - 10:28 AM

Please proceed with running the ComboFix and TDSSKiller instructions.



#11 mcdonn123


Posted 29 May 2011 - 12:11 PM

Malwarebytes would not update (same error as before: "PROGRAM_ERROR_UPDATING (12007, 0, WinHttpSendRequest)"). Here are the reports:

ComboFix Report


TDSSKiller Report


NOTE: The .exe files work again

#12 SweetTech


Posted 29 May 2011 - 12:32 PM

Try to do this and then attempt to update MBAM.

Please go to Start > Control Panel > Network Connections
Select your Local Network.
Click Properties, then select Internet Protocol (TCP/IP).
Click Properties.

You will see a window titled Internet Protocol (TCP/IP) Properties.

Click on Use the following DNS server addresses:
Preferred DNS server: 8.8.8.8
Alternate DNS server: 8.8.4.4

Click OK.



NEXT:



Flush DNS
  • Now go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…”; it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.


Reboot your computer and see how things are working after doing the above.



#13 mcdonn123


Posted 29 May 2011 - 01:23 PM

It turns out, the reason why it wouldn't update is because my DNS settings were not automatically retrieved... lol problem fixed!

MBAM Log


#14 SweetTech


Posted 29 May 2011 - 01:28 PM

Run a scan with MBAM again.

Followed by these scans:


ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Make sure that the option "Remove found threats" is Unchecked
  • When the Computer scan settings display shows, click the Advanced option, then place a check next to the following (if it is not already checked):
    • Enable Anti-Stealth technology
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NEXT:


Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



#15 mcdonn123


Posted 29 May 2011 - 06:38 PM

MBAM Scan


ESET Report

NOTE: WarRock is not malware. The reason it shows up is because of the anti-cheating tool it uses when connecting online.

Security Check Report




