Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

"Security Protection" popup + google redirect


  • Please log in to reply
9 replies to this topic

#1 vile whale

vile whale

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 23 August 2011 - 10:25 AM

Thanks so much everyone.

I started getting a "Security Protection" popup virus a few days ago. When I tried to run malwarebytes, etc. the virus would shut them down and not allow me to reopen them or delete them from the desktop. Now my desktop is littered with dozens of icons. If I try to delete or rereun a shut down program, I get a message saying I do not have permission to do this. I posted here http://www.bleepingcomputer.com/forums/topic415501.html) and received help, but nothing was working. The poster told me to start a topic here.



I was able to run DDS, though. Here are the logs:

DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Owner at 10:32:45 on 2011-08-23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.399 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\1264037039:1347659956.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\status~1.lnk - c:\program files\brother\brmfcmon\BrMfcWnd.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{051B72A0-86FC-49D3-8187-DEA836AAFF04} : DhcpNameServer = 192.168.15.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\tam4d334.default\
FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=07302c9c4fb0fcd5a16e8f0431f3fa50
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg8\Firefox
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-29 218592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-20 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-20 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-20 108552]
R1 SASDIFSV;SASDIFSV;c:\docume~1\owner\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\docume~1\owner\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-28 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-9-10 112592]
S2 gupdate1ca4ce1aeab4299;Google Update Service (gupdate1ca4ce1aeab4299);c:\program files\google\update\GoogleUpdate.exe [2009-10-14 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-14 133104]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-9-10 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-9-10 1142224]
.
=============== Created Last 30 ================
.
2011-08-21 22:49:20 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-21 22:49:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-21 22:49:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-21 20:44:02 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2011-08-21 20:43:08 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-21 18:53:27 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-08-21 18:53:27 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-16 21:09:17 24 ----a-w- c:\windows\SW_Win9423X24.DLL
2011-08-16 21:09:12 244416 ----a-w- c:\windows\system32\Msflxgrd.ocx
2011-08-16 21:09:10 -------- d-----w- c:\program files\Softinterface, Inc
2011-08-16 21:03:22 -------- d-----w- c:\program files\Xenocode
2011-08-16 21:03:22 -------- d-----w- c:\documents and settings\owner\local settings\application data\Xenocode
2011-08-10 23:39:38 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 23:38:25 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-12-04 02:25:26 19985265 ----a-w- c:\program files\vlc-1.1.5-win32.exe
.
============= FINISH: 10:34:09.43 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 23 August 2011 - 01:12 PM

Hello vile whale ,

Posted Image

I read your other topic. :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to whale.com and try again. If it still won't, then try it in safe mode. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 23 August 2011 - 01:40 PM

I disabled my AVG 8.5 free "Resident Shield" and renamed Combofix to Whalez.com and the program disappeared when it was about halfway done. The same thing happened in safe mode.

#4 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 23 August 2011 - 03:47 PM

Update: after renaming Combofix several times and disabling my firewall I was able to run the program. The computer restarted several times and the program gave me a message that said: "Combofix-ZeroAccess

You are infected with Rootkit.zeroaccess! It has inserted itself into the tcp/ip stack." Combofix rebooted the computer and then windows gave me a message that Spooler System App encountered a problem and had to close. On the next reboot I got the same message about PVC.exe encountering a problem and closing. Below is my log:







ComboFix 11-08-23.05 - Owner 08/23/2011 16:02:36.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.631 [GMT -4:00]
Running from: F:\bleeping.tv.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\WINDOWS
c:\windows\$NtUninstallKB1816$
c:\windows\$NtUninstallKB1816$\2947307339\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB1816$\2947307339\click.tlb
c:\windows\$NtUninstallKB1816$\2947307339\L\eiaehqnu
c:\windows\$NtUninstallKB1816$\2947307339\loader.tlb
c:\windows\$NtUninstallKB1816$\2947307339\U\$000000c0
c:\windows\$NtUninstallKB1816$\2947307339\U\$000000cb
c:\windows\$NtUninstallKB1816$\2947307339\U\@00000001
c:\windows\$NtUninstallKB1816$\2947307339\U\@000000c0
c:\windows\$NtUninstallKB1816$\2947307339\U\@000000cb
c:\windows\$NtUninstallKB1816$\2947307339\U\@000000cf
c:\windows\$NtUninstallKB1816$\2947307339\U\@80000000
c:\windows\$NtUninstallKB1816$\2947307339\U\@800000c0
c:\windows\$NtUninstallKB1816$\2947307339\U\@800000cb
c:\windows\$NtUninstallKB1816$\2947307339\U\@800000cf
c:\windows\$NtUninstallKB1816$\3718539436
c:\windows\SW_Win9423X24.DLL
c:\windows\system32\c_85244.nls
.
Infected copy of c:\windows\system32\Drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_afac574b
.
.
((((((((((((((((((((((((( Files Created from 2011-07-23 to 2011-08-23 )))))))))))))))))))))))))))))))
.
.
2011-08-23 19:54 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-23 19:48 . 2011-08-23 19:49 -------- d-----w- C:\bleeping.tv
2011-08-23 19:45 . 2011-08-23 19:48 -------- d-----w- C:\bigloader.org
2011-08-21 22:49 . 2011-07-08 11:55 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-21 22:49 . 2011-08-22 23:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-21 22:49 . 2011-07-08 11:55 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-21 20:44 . 2011-08-21 20:44 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2011-08-21 20:43 . 2011-08-21 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-21 18:53 . 2011-08-21 18:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-08-20 19:52 . 2011-08-21 18:53 -------- d-s---w- c:\documents and settings\new1
2011-08-20 16:37 . 2011-08-20 16:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-08-20 16:36 . 2011-08-20 16:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-20 16:34 . 2011-08-20 16:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-08-16 21:09 . 2000-05-22 05:00 244416 ----a-w- c:\windows\system32\Msflxgrd.ocx
2011-08-16 21:09 . 2011-08-16 21:09 -------- d-----w- c:\program files\Softinterface, Inc
2011-08-16 21:03 . 2011-08-16 21:03 -------- d-----w- c:\program files\Xenocode
2011-08-16 21:03 . 2011-08-16 21:03 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Xenocode
2011-08-10 23:39 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 23:38 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2003-12-02 06:22 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2010-12-04 02:25 . 2010-12-04 02:24 19985265 ----a-w- c:\program files\vlc-1.1.5-win32.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-11 2048352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-21 198160]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2011-4-2 1085440]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:06 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
2009-05-19 05:23 49968 ----a-w- c:\program files\AIM6\aim6.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2008-04-11 18:13 1085440 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-12-21 21:57 86016 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-09-16 20:04 1164584 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-22 03:44 126976 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-22 03:48 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2007-10-11 23:01 46368 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 17:39 292136 -c--a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2007-10-11 23:03 29984 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 18:42 1404928 -c--a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-05-21 00:01 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LexBceS"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ERSvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Tor Browser\\App\\tor.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\Tor Browser\\FirefoxPortable\\App\\Firefox\\tbb-firefox.exe"=
"c:\\Program Files\\DivX\\DivX Update\\DivXUpdate.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\SUPERAntiSpyware.exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\SUPERAntiSpyware(2).exe"=
"c:\\Documents and Settings\\Owner\\My Documents\\Downloads\\SUPERAntiSpyware(4).exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\666.com.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"f:\\teedeeessk.com"=
"f:\\tdsskiller.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\baby.com"=
"c:\\Documents and Settings\\Owner\\Desktop\\fuk.com"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\999.com"=
"c:\\Documents and Settings\\Administrator\\Desktop\\tdsskiller.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [7/29/2010 3:06 PM 218592]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/20/2009 6:13 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/20/2009 6:13 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/28/2009 9:06 AM 297752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [9/10/2010 5:42 PM 112592]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\Owner\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 gupdate1ca4ce1aeab4299;Google Update Service (gupdate1ca4ce1aeab4299);c:\program files\Google\Update\GoogleUpdate.exe [10/14/2009 11:19 AM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/14/2009 11:19 AM 133104]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [9/10/2010 3:39 PM 366840]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 15:19]
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-14 15:19]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tam4d334.default\
FF - prefs.js: browser.search.selectedEngine - Startpage HTTPS
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=07302c9c4fb0fcd5a16e8f0431f3fa50
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\AVG\AVG8\Firefox
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
SafeBoot-AVG Anti-Spyware Guard
MSConfigStartUp-Dell AIO Printer A920 - c:\program files\Dell AIO Printer A920\dlbkbmgr.exe
AddRemove-AVGAntiSpyware75 - c:\program files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-23 16:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3136)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2011-08-23 16:30:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-23 20:29
.
Pre-Run: 45,081,747,456 bytes free
Post-Run: 45,987,655,680 bytes free
.
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 166F8CA7EE6A11B176C0D5FFC358C1E9

Edited by vile whale, 23 August 2011 - 03:54 PM.


#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 23 August 2011 - 06:20 PM

Hello,

Fabulous job! :thumbsup: I know these are frustrating, and great that you stuck with it until it ran. How is it running now please? Have a quick scan with MBAM and post that in your reply also, please.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#6 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 23 August 2011 - 07:14 PM

Malwarebytes says no malicious items were detected. It seems like the redirects are gone too.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7548

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/23/2011 8:06:19 PM
mbam-log-2011-08-23 (20-06-18).txt

Scan type: Quick scan
Objects scanned: 174134
Time elapsed: 11 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by vile whale, 23 August 2011 - 07:16 PM.


#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 23 August 2011 - 07:57 PM

If you would, please, go back to your original post and let me know if all those problems are gone....ie.....icons, programs opening, etc.....

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 23 August 2011 - 08:03 PM

The Security Protection popup and redirects are gone. I assume I can run .exe programs now, too. I still don't have "permission" to delete the icons on the desktop that the virus kept shutting down.

Also, the computer seems to be running slower than normal. Streaming video skips, which it didn't used to do.

Edited by vile whale, 24 August 2011 - 11:52 AM.


#9 vile whale

vile whale
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:17 PM

Posted 24 August 2011 - 01:35 PM

It's back!!!!!!!! Security Protection popup virus just showed up on my computer. I don't know why--I haven't done anything but watch the news. Could it be the usb drive i left plugged in? Also the keyboard wont work in safemode. . the virus wont let me open my web browser in reg. mode

Edited by vile whale, 24 August 2011 - 01:55 PM.


#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:17 PM

Posted 24 August 2011 - 03:50 PM

Hello,

Try running ComboFix in normal mode for me, please. Make sure any protection software is disabled or temporarily uninstalled. And yes, your USB could be the problem. If you think this is a strong possibility and you don't have anything of real value on it, then reformat it. Please post the ComboFix report in your reply. :thumbup2:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users