
C:\Windows\TEMP\IswTmp\WH\0 (malware)


25 replies to this topic

#1 MusiCALpuLLtoy

Posted 22 April 2013 - 03:40 AM

Mod Edit: Moved to appropriate forum, Virus, Trojan, Spyware, and Malware Removal Logs ~~ boopme


Hello,
I am new here but not new to bugs.
I'm not sure when I got it, but I started looking after I noticed AVD disappeared from the tray. I replaced it, then ZoneAlarm disappeared from the tray about a week ago; I replaced them and went on.
 
Then the browsers started slowing down a couple of days ago, the computer froze one window at a time, and the battle began...
I searched the files, then these web forums. AVG, Malwarebytes, etc. - nothing cleans it;
they just found the usual manageable bugs.
 
Found
http://www.bleepingcomputer.com/forums/t/456787/issues-with-ie-mywebsearch/
This is almost identical.
 
I ran the tools you'll find below. I tried an MBR fix from
"www.dell.com
Cannot restore
Loading PBR for descriptor 1... done.
failed.
Bad flag
0 active partitions
Bad PBR"
 
 
RogueKiller deleted these:
 
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{D3C8F517-0E02-41EF-88B6-50CFBAF7D6D0} : NameServer (68.105.28.11,68.105.28.12,68.105.29.12) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
Thank you Bill
 
 
Here's what we're fighting:
 
"Malware Hash Registry (Team Cymru):"
"filesize=59012725,md5=D651BE36CCFCAAC324185B7B7BD17C92"
 
Found it hiding in a Word doc with fileanalizer2.
There are several; it replicates.
Windows XP Home Edition
OS Service Pack Service Pack 3
CPU Type Intel Celeron D 325, 2533 MHz (19 x 133)
Motherboard Name Dell Dell DE051
Motherboard Chipset Intel Morgan Hill i865GV
 
 
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-21 00:23:25
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST340014A rev.8.16 37.25GB
Running: 6uw9u0iu.exe; Driver: C:\DOCUME~1\DAD\LOCALS~1\Temp\kxlyapog.sys


---- Devices - GMER 2.1 ----

AttachedDevice fltmgr.sys

Device ACPI.sys
Device B9621D20
Device InCDFs.sys
Device mrxsmb.sys
.text ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys

Device \Driver\Tcpip \Device\Ip vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

Device \Driver\Tcpip \Device\RawIp vsdatant.sys

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys

Device \Driver\Tcpip \Device\Tcp vsdatant.sys

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys

Device \Driver\Tcpip \Device\Udp vsdatant.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xF7AA25D0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xF7AA2700]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xF7AA2300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xF7AA23E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xF7AA2210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xF7AA24D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0xED550558]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0xED4ECABC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0xED4ED034]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0xED4ECF1A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0xED4ED154]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0xED513B70]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0xED552BB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0xED552378]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0xED4ECB00]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateKey [0xED4FE9C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateValueKey [0xED4FF358]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0xED513B90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0xED4ED0CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0xED4ECFAA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0xED55385A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0xED4ED1EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwPlugPlayControl [0xED513B80]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryKey [0xED4FD804]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryMultipleValueKey [0xED4FEFC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0xED502320]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryValueKey [0xED4FEDBA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0xED55325C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0xED503F84]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0xED503E12]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0xED503EC8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0xED552F88]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0xED4FDC88]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKeyEx [0xED4FDE1E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveMergedKeys [0xED4FDFBA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0xED5530E4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0xED4ED274]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0xED5539C2]
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort [0xEB54135A]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile [0xEB53B5F8]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey [0xEB55A864]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort [0xEB541AE6]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess [0xEB554FD2]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx [0xEB5553C0]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection [0xEB55EB44]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort [0xEB541C1C]
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile [0xEB53C20E]
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey [0xEB55C1AA]
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey [0xEB55BAC4]
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject [0xEB553F0E]
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver [0xEB536F1C]
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey [0xEB55CBB4]
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey2 [0xEB55CDBC]
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile [0xEB53BE20]
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess [0xEB5572DA]
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread [0xEB556F04]
SSDT \SystemRoot\System32\vsdatant.sys ZwProtectVirtualMemory [0xEB56B570]
SSDT \SystemRoot\System32\vsdatant.sys ZwRenameKey [0xEB55DB4A]
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey [0xEB55D480]
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort [0xEB540F28]
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey [0xEB55E51C]
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort [0xEB541602]
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile [0xEB53C5D2]
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationObject [0xEB56B45C]
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSecurityObject [0xEB55E08A]
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation [0xEB5366DC]
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey [0xEB55B24C]
SSDT \SystemRoot\System32\vsdatant.sys ZwSystemDebugControl [0xEB556028]
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess [0xEB555DA4]
SSDT \SystemRoot\System32\vsdatant.sys ZwUnloadDriver [0xEB537330]

---- Kernel code sections - GMER 2.1 ----

? C:\DOCUME~1\DAD\LOCALS~1\Temp\mbr.sys The filename, directory name, or volume label syntax is incorrect. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[1768] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20CC9266 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[356] USER32.dll!DefDlgProcW + 56E 7E4242A8 5 Bytes JMP 20CC9266 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

---- Kernel code sections - GMER 2.1 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6C04F80]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[812] kernel32.dll!WriteFile 7C8112FF 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [E6, 1A, 54, EB, D2, 4F, 55, ...]
.text ntoskrnl.exe!_abnormal_termination + 114 804E2780 16 Bytes [44, EB, 55, EB, 54, D1, 4E, ...] {INC ESP; JMP 0x58; JMP 0x59; ROR DWORD [ESI-0x13], 0x1; JO 0x45; PUSH ECX; IN EAX, DX; MOV DL, 0x2b; PUSH EBP; IN EAX, DX}
.text ntoskrnl.exe!_abnormal_termination + 168 804E27D4 4 Bytes [C4, E9, 4F, ED]
.text ntoskrnl.exe!_abnormal_termination + 1D0 804E283C 12 Bytes [1C, 6F, 53, EB, B4, CB, 55, ...]
.text ntoskrnl.exe!_abnormal_termination + 271 804E28DD 3 Bytes [B5, 56, EB]

---- EOF - GMER 2.1 ----
 
 
RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : DAD [Admin rights]
Mode : Scan -- Date : 04/21/2013 12:01:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{D3C8F517-0E02-41EF-88B6-50CFBAF7D6D0} : NameServer (68.105.28.11,68.105.28.12,68.105.29.12) -> FOUND
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST340014A +++++
--- User ---
[MBR] cc99746514f4558c51e041043235aa2e
[BSP] 26fe7d691f9edb5d824e85e8f49dc627 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 31 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 64260 | Size: 35032 Mo
2 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 71810550 | Size: 3074 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST3250824A +++++
--- User ---
[MBR] 31c2150f1ffc7ccd7c8254adb0abdf2c
[BSP] 31b80ea6a1ae3cb32fb126e99812af9c : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_04212013_02d1201.txt >>


 
 
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:06:21 PM, on 4/21/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2013\avgwdsvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\AVG\AVG2013\avgui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\AVG\AVG2013\avgidsagent.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AVG\AVG2013\avgnsx.exe
C:\Program Files\AVG\AVG2013\avgrsx.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\AVG\AVG2013\avgcsrvx.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Documents and Settings\DAD\Desktop\MEJASCKTHIS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Task Catcher] C:\Program Files\BillP Studios\Task Catcher\tasktrap.exe
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1246219383859
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.13.0.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe
O23 - Service: DCService.exe - Unknown owner - C:\Documents and Settings\All Users\Application Data\DatacardService\DCService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sony PC Companion - Avanquest Software - C:\Program Files\Sony\Sony PC Companion\PCCService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

--
End of file - 8210 bytes

Edited by boopme, 22 April 2013 - 12:08 PM.



#2 m0le

Malware Response Team

Posted 23 April 2013 - 07:41 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks


m0le is a proud member of UNITE

#3 MusiCALpuLLtoy

Posted 23 April 2013 - 11:29 PM

Hello,

awaiting your command.



#4 m0le

Posted 24 April 2013 - 08:11 PM

Let's see if we can find anything else.

 

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.

  • Click on Search.

  • A logfile will automatically open after the scan has finished.

  • Please post the contents of that logfile with your next reply.

  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

 



#5 MusiCALpuLLtoy

Posted 24 April 2013 - 11:09 PM

There you go...

 

 

# AdwCleaner v2.202 - Logfile created 04/24/2013 at 21:01:35
# Updated 23/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : DAD - DJJXF091
# Boot Mode : Normal
# Running from : C:\Documents and Settings\DAD\Desktop\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\searchplugins\Conduit.xml
File Found : C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\searchplugins\MyStart Search.xml
Folder Found : C:\Documents and Settings\All Users\Application Data\InstallMate
Folder Found : C:\Documents and Settings\DAD\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla

***** [Registry] *****

Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\grusskartencenter.com
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\grusskartencenter.com
Key Found : HKLM\Software\AVG Secure Search
Key Found : HKLM\SOFTWARE\Classes\AppID\{A7DDCBDE-5C86-415C-8A37-763AE183E7E4}
Key Found : HKLM\SOFTWARE\Classes\AppID\WMHelper.DLL
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{27BF8F8D-58B8-D41C-F913-B7EEB57EF6F6}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B37B4BA6-334E-72C1-B57E-6AFE8F8A5AF3}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B77AD4AC-C1C2-B293-7737-71E13A11FFEA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E773F2CF-5E6E-FF2B-81A1-AC581A26B2B2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2319576
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2878731
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2903595
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{96F7FABC-5789-EFA4-B6ED-1272F4C1D27B}
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
Key Found : HKLM\Software\ImInstaller
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\Software\Viewpoint
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.12 (en-US)

File : C:\Documents and Settings\DAD\Application Data\Mozilla\Firefox\Profiles\fn2dlw99.default\prefs.js

Found : user_pref("CT2645238..clientLogIsEnabled", true);
Found : user_pref("CT2645238..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]
Found : user_pref("CT2645238..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]
Found : user_pref("CT2645238.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Found : user_pref("CT2645238.AppTrackingLastCheckTime", "Thu Mar 31 2011 00:48:16 GMT-0700 (US Mountain Stan[...]
Found : user_pref("CT2645238.CTID", "ct2645238");
Found : user_pref("CT2645238.CurrentServerDate", "17-5-2011");
Found : user_pref("CT2645238.DialogsAlignMode", "LTR");
Found : user_pref("CT2645238.DialogsGetterLastCheckTime", "Thu Mar 31 2011 00:48:29 GMT-0700 (US Mountain St[...]
Found : user_pref("CT2645238.DownloadReferralCookieData", "");
Found : user_pref("CT2645238.EMailNotifierPollDate", "Mon May 16 2011 17:24:48 GMT-0700 (US Mountain Standar[...]
Found : user_pref("CT2645238.FirstServerDate", "31-3-2011");
Found : user_pref("CT2645238.FirstTime", true);
Found : user_pref("CT2645238.FirstTimeFF3", true);
Found : user_pref("CT2645238.FixPageNotFoundErrors", true);
Found : user_pref("CT2645238.GroupingServerCheckInterval", 1440);
Found : user_pref("CT2645238.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Found : user_pref("CT2645238.HasUserGlobalKeys", true);
Found : user_pref("CT2645238.Initialize", true);
Found : user_pref("CT2645238.InitializeCommonPrefs", true);
Found : user_pref("CT2645238.InstallationAndCookieDataSentCount", 3);
Found : user_pref("CT2645238.InstallationType", "UnknownIntegration");
Found : user_pref("CT2645238.InstalledDate", "Thu Mar 31 2011 00:48:02 GMT-0700 (US Mountain Standard Time)"[...]
Found : user_pref("CT2645238.IsGrouping", false);
Found : user_pref("CT2645238.IsMulticommunity", false);
Found : user_pref("CT2645238.IsOpenThankYouPage", false);
Found : user_pref("CT2645238.IsOpenUninstallPage", false);
Found : user_pref("CT2645238.LanguagePackLastCheckTime", "Thu Mar 31 2011 00:48:08 GMT-0700 (US Mountain Sta[...]
Found : user_pref("CT2645238.LanguagePackReloadIntervalMM", 1440);
Found : user_pref("CT2645238.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Found : user_pref("CT2645238.LastLogin_3.3.3.2", "Mon May 16 2011 17:24:50 GMT-0700 (US Mountain Standard Ti[...]
Found : user_pref("CT2645238.LatestVersion", "3.3.3.2");
Found : user_pref("CT2645238.Locale", "en");
Found : user_pref("CT2645238.MCDetectTooltipHeight", "83");
Found : user_pref("CT2645238.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Found : user_pref("CT2645238.MCDetectTooltipWidth", "295");
Found : user_pref("CT2645238.SavedHomepage", "resource:/browserconfig.properties");
Found : user_pref("CT2645238.SearchFromAddressBarIsInit", true);
Found : user_pref("CT2645238.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT264[...]
Found : user_pref("CT2645238.SearchInNewTabEnabled", true);
Found : user_pref("CT2645238.SearchInNewTabIntervalMM", 1440);
Found : user_pref("CT2645238.SearchInNewTabLastCheckTime", "Thu Mar 31 2011 00:48:06 GMT-0700 (US Mountain S[...]
Found : user_pref("CT2645238.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Found : user_pref("CT2645238.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageServic[...]
Found : user_pref("CT2645238.ServiceMapLastCheckTime", "Mon May 16 2011 17:24:47 GMT-0700 (US Mountain Stand[...]
Found : user_pref("CT2645238.SettingsLastCheckTime", "Thu Mar 31 2011 00:48:01 GMT-0700 (US Mountain Standar[...]
Found : user_pref("CT2645238.SettingsLastUpdate", "1299582128");
Found : user_pref("CT2645238.ThirdPartyComponentsInterval", 504);
Found : user_pref("CT2645238.ThirdPartyComponentsLastCheck", "Thu Mar 31 2011 00:48:00 GMT-0700 (US Mountain[...]
Found : user_pref("CT2645238.ThirdPartyComponentsLastUpdate", "1246790578");
Found : user_pref("CT2645238.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2645238");
Found : user_pref("CT2645238.Uninstall", true);
Found : user_pref("CT2645238.UserID", "UN13054916785373663");
Found : user_pref("CT2645238.alertChannelId", "1037922");
Found : user_pref("CT2645238.ct2645238.AppTrackingLastCheckTime", "Mon May 16 2011 17:25:01 GMT-0700 (US Mou[...]
Found : user_pref("CT2645238.ct2645238.DialogsAlignMode", "LTR");
Found : user_pref("CT2645238.ct2645238.LanguagePackLastCheckTime", "Mon May 16 2011 17:24:49 GMT-0700 (US Mo[...]
Found : user_pref("CT2645238.ct2645238.Locale", "en");
Found : user_pref("CT2645238.ct2645238.SearchInNewTabLastCheckTime", "Mon May 16 2011 17:24:49 GMT-0700 (US [...]
Found : user_pref("CT2645238.ct2645238.SettingsLastCheckTime", "Mon May 16 2011 17:24:47 GMT-0700 (US Mounta[...]
Found : user_pref("CT2645238.ct2645238.SettingsLastUpdate", "1304004054");
Found : user_pref("CT2645238.ct2645238.ThirdPartyComponentsLastCheck", "Mon May 16 2011 17:24:46 GMT-0700 (U[...]
Found : user_pref("CT2645238.ct2645238.ThirdPartyComponentsLastUpdate", "1246790578");
Found : user_pref("CT2645238.ct2645238.globalFirstTimeInfoLastCheckTime", "Mon May 16 2011 17:24:53 GMT-0700[...]
Found : user_pref("CT2645238.ct2645238.toolbarAppMetaDataLastCheckTime", "Mon May 16 2011 17:24:49 GMT-0700 [...]
Found : user_pref("CT2645238.ct2645238.toolbarContextMenuLastCheckTime", "Thu Mar 31 2011 00:48:12 GMT-0700 [...]
Found : user_pref("CT2645238.generalConfigFromLogin", "{\"SocialDomains\":\"social.conduit.com;apps.conduit.[...]
Found : user_pref("CT2645238.globalFirstTimeInfoLastCheckTime", "Thu Mar 31 2011 00:48:03 GMT-0700 (US Mount[...]
Found : user_pref("CT2645238.isAppTrackingManagerOn", true);
Found : user_pref("CT2645238.myStuffEnabled", true);
Found : user_pref("CT2645238.myStuffPublihserMinWidth", 400);
Found : user_pref("CT2645238.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Found : user_pref("CT2645238.myStuffServiceIntervalMM", 1440);
Found : user_pref("CT2645238.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Found : user_pref("CT2645238.oldAppsList", "129194820424161790,129194820424318041,129194820424474292,1291948[...]
Found : user_pref("CT2645238.testingCtid", "");
Found : user_pref("CT2645238.toolbarAppMetaDataLastCheckTime", "Thu Mar 31 2011 00:48:03 GMT-0700 (US Mounta[...]
Found : user_pref("CT2645238.toolbarContextMenuLastCheckTime", "Thu Mar 31 2011 00:48:11 GMT-0700 (US Mounta[...]
Found : user_pref("CT2878731..clientLogIsEnabled", true);
Found : user_pref("CT2878731..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]
Found : user_pref("CT2878731..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]
Found : user_pref("CT2878731.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Found : user_pref("CT2878731.CurrentServerDate", "28-8-2011");
Found : user_pref("CT2878731.DialogsAlignMode", "LTR");
Found : user_pref("CT2878731.DownloadReferralCookieData", "");
Found : user_pref("CT2878731.FirstServerDate", "28-8-2011");
Found : user_pref("CT2878731.FirstTimeFF3", true);
Found : user_pref("CT2878731.GroupingServerCheckInterval", 1440);
Found : user_pref("CT2878731.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Found : user_pref("CT2878731.HasUserGlobalKeys", true);
Found : user_pref("CT2878731.InstallationAndCookieDataSentCount", 1);
Found : user_pref("CT2878731.InstallationType", "ConduitIntegration");
Found : user_pref("CT2878731.IsGrouping", true);
Found : user_pref("CT2878731.LanguagePackLastCheckTime", "Sat Aug 27 2011 15:26:12 GMT-0700 (US Mountain Sta[...]
Found : user_pref("CT2878731.LanguagePackReloadIntervalMM", 1440);
Found : user_pref("CT2878731.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Found : user_pref("CT2878731.LastLogin_3.2.5.2", "Sat Aug 27 2011 15:26:12 GMT-0700 (US Mountain Standard Ti[...]
Found : user_pref("CT2878731.LatestVersion", "3.6.0.10");
Found : user_pref("CT2878731.Locale", "en");
Found : user_pref("CT2878731.MCDetectTooltipHeight", "83");
Found : user_pref("CT2878731.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Found : user_pref("CT2878731.MCDetectTooltipWidth", "295");
Found : user_pref("CT2878731.SearchInNewTabEnabled", true);
Found : user_pref("CT2878731.SearchInNewTabIntervalMM", 1440);
Found : user_pref("CT2878731.SearchInNewTabLastCheckTime", "Sat Aug 27 2011 15:26:12 GMT-0700 (US Mountain S[...]
Found : user_pref("CT2878731.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Found : user_pref("CT2878731.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageServic[...]
Found : user_pref("CT2878731.ServiceMapLastCheckTime", "Sat Aug 27 2011 15:26:08 GMT-0700 (US Mountain Stand[...]
Found : user_pref("CT2878731.SettingsLastCheckTime", "Sat Aug 27 2011 15:26:08 GMT-0700 (US Mountain Standar[...]
Found : user_pref("CT2878731.SettingsLastUpdate", "1314028851");
Found : user_pref("CT2878731.ThirdPartyComponentsInterval", 504);
Found : user_pref("CT2878731.ThirdPartyComponentsLastCheck", "Sat Aug 27 2011 15:26:08 GMT-0700 (US Mountain[...]
Found : user_pref("CT2878731.ThirdPartyComponentsLastUpdate", "1312887586");
Found : user_pref("CT2878731.TrusteLinkUrl", "hxxp://trust.conduit.com/EB_ORIGINAL_CTID");
Found : user_pref("CT2878731.Uninstall", true);
Found : user_pref("CT2878731.UserID", "UN36135463362064324");
Found : user_pref("CT2878731.myStuffEnabled", true);
Found : user_pref("CT2878731.myStuffPublihserMinWidth", 400);
Found : user_pref("CT2878731.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Found : user_pref("CT2878731.myStuffServiceIntervalMM", 1440);
Found : user_pref("CT2878731.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Found : user_pref("CT2878731.testingCtid", "");
Found : user_pref("CT2878731.toolbarAppMetaDataLastCheckTime", "Sat Aug 27 2011 15:26:09 GMT-0700 (US Mounta[...]
Found : user_pref("CT2878731.toolbarContextMenuLastCheckTime", "Sat Aug 27 2011 15:26:13 GMT-0700 (US Mounta[...]
Found : user_pref("CommunityToolbar.CantToolbarBeEngineOwner", "CT2645238");
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1037922/1033633/US", "\"0\"[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/909619/905414/US", "\"0\"")[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2645238", [...]
Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2878731", [...]
Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=ct2645238", [...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.3.[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2645238",[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/toolbar/", "\"63448574918953[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.conduit-services.com/?ctid=CT2878731&octid=[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/CT2645238/CT2645238[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/ct2645238/CT2645238[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/38/264/CT2645238/Images/6340849608501725[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en", "\"634[...]
Found : user_pref("CommunityToolbar.EngineOwner", "CT2878731");
Found : user_pref("CommunityToolbar.EngineOwnerGuid", "{90eee664-34b1-422a-a782-779af65cdf6d}");
Found : user_pref("CommunityToolbar.IsMyStuffImportedToEngine", true);
Found : user_pref("CommunityToolbar.OriginalEngineOwner", "CT2878731");
Found : user_pref("CommunityToolbar.OriginalEngineOwnerGuid", "{90eee664-34b1-422a-a782-779af65cdf6d}");
Found : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.pr[...]
Found : user_pref("CommunityToolbar.ToolbarsList", "CT2645238");
Found : user_pref("CommunityToolbar.ToolbarsList2", "CT2645238");
Found : user_pref("CommunityToolbar.alert.alertDialogsGetterLastCheckTime", "Thu Mar 31 2011 00:48:04 GMT-07[...]
Found : user_pref("CommunityToolbar.alert.alertInfoInterval", 1440);
Found : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Sat Aug 27 2011 07:14:30 GMT-0700 (US Mo[...]
Found : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Found : user_pref("CommunityToolbar.alert.locale", "en");
Found : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
Found : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Sat Aug 27 2011 15:20:10 GMT-0700 (US Mounta[...]
Found : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1313487611");
Found : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
Found : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
Found : user_pref("CommunityToolbar.alert.showTrayIcon", false);
Found : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
Found : user_pref("CommunityToolbar.alert.userId", "9be6a182-477b-43c9-8209-6e243a25aa82");
Found : user_pref("CommunityToolbar.facebook.settingsLastCheckTime", "Mon May 16 2011 17:24:49 GMT-0700 (US [...]
Found : user_pref("CommunityToolbar.globalUserId", "5d47160d-58d3-45ed-b087-ffd53dd08816");
Found : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Found : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Found : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2645238");
Found : user_pref("browser.search.defaultthis.engineName", "ZoneAlarm Security Customized Web Search");

-\\ Google Chrome v13.0.782.215

File : C:\Documents and Settings\DAD\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

-\\ Opera v12.14.1738.0

File : C:\Documents and Settings\DAD\Application Data\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [19572 octets] - [24/04/2013 21:01:36]

########## EOF - C:\AdwCleaner[R1].txt - [19633 octets] ##########
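An added example, not AdwCleaner's code and not posted by anyone in this thread: a small Python triage script for dumps in the "Found : user_pref(...)" format shown above. It groups the flagged prefs by Conduit toolbar ID (CTID), lists the hosts they point at, and singles out the prefs that control where searches and the start page go. The sample lines are constructed after the log above; the CTID pattern and the list of search-control pref names are assumptions of mine.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "Found : user_pref(...)" lines in the log
# above; URLs are defanged with "hxxp" the way AdwCleaner prints them.
SAMPLE_LOG = """\
Found : user_pref("CT2645238.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238");
Found : user_pref("CT2645238.UserID", "UN13054916785373663");
Found : user_pref("CT2645238.Uninstall", true);
Found : user_pref("CT2878731.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Found : user_pref("CT2878731.myStuffServiceIntervalMM", 1440);
Found : user_pref("CommunityToolbar.EngineOwner", "CT2878731");
Found : user_pref("CommunityToolbar.ToolbarsList", "CT2645238");
Found : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Found : user_pref("browser.search.defaultthis.engineName", "ZoneAlarm Security Customized Web Search");
[OK] File is clean.
"""

# One prefs.js entry as AdwCleaner echoes it: a name, then a quoted string, bool or number.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*?)\);?\s*$')
# Host part of a defanged URL.
URL_HOST_RE = re.compile(r'hxxps?://([A-Za-z0-9.-]+)', re.IGNORECASE)
# Conduit toolbar IDs look like "CT" followed by a run of digits (assumption based on the log).
CTID_RE = re.compile(r'\b(CT\d{5,})\b')

# Firefox prefs that decide where typed searches and the start page go (assumed list);
# a toolbar that rewrote these keeps redirecting searches even after its files are gone.
SEARCH_CONTROL_PREFS = {
    "browser.search.defaultenginename",
    "browser.search.defaultthis.enginename",
    "browser.startup.homepage",
    "keyword.url",
}


def parse_prefs(log_text):
    """Return (name, value) pairs for every user_pref line; other log lines are skipped."""
    prefs = []
    for line in log_text.splitlines():
        m = PREF_RE.search(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        # String values keep their quotes in the log; unwrap them, leave bools/ints as text.
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        prefs.append((name, raw))
    return prefs


def triage(log_text):
    """Summarise toolbar IDs, contacted hosts and search overrides from an AdwCleaner dump."""
    toolbars = defaultdict(int)  # CTID -> number of entries that belong to or name it
    hosts = set()
    search_overrides = {}
    prefs = parse_prefs(log_text)
    for name, value in prefs:
        # Count each CTID once per entry even if it appears in both the name and the value.
        for ctid in set(CTID_RE.findall(name + " " + value)):
            toolbars[ctid] += 1
        for host in URL_HOST_RE.findall(value):
            hosts.add(host.lower())
        lname = name.lower()
        if lname in SEARCH_CONTROL_PREFS or lname.endswith("searchfromaddressbarurl"):
            search_overrides[name] = value
    return {
        "pref_count": len(prefs),
        "toolbars": dict(toolbars),
        "hosts": sorted(hosts),
        "search_overrides": search_overrides,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['pref_count']} user_pref entries flagged")
    for ctid, n in sorted(report["toolbars"].items()):
        print(f"  toolbar {ctid}: {n} related entries")
    print("  hosts contacted:", ", ".join(report["hosts"]))
    for name, value in report["search_overrides"].items():
        print(f"  search/start page override: {name} = {value}")
```

Run against a full AdwCleaner[R1].txt, the host list tells you which domains to look for in proxy or DNS logs, and the override list tells you which prefs still need resetting after the toolbar files are removed.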



#6 m0le

  • Malware Response Team

Posted 25 April 2013 - 06:11 PM

We're going to follow up the Gmer log with another rootkit scan.

Please download aswMBR (511KB) to your desktop.

  • Double click the aswMBR.exe icon to run it.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.


m0le is a proud member of UNITE

#7 MusiCALpuLLtoy

  • Topic Starter

Posted 26 April 2013 - 09:18 AM

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-03 04:04:03
-----------------------------
04:04:03.625 OS Version: Windows 5.1.2600 Service Pack 3
04:04:03.625 Number of processors: 1 586 0x401
04:04:03.625 ComputerName: DJJXF091 UserName: DAD
04:04:06.421 Initialize success
04:04:18.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
04:04:18.781 Disk 0 Vendor: ST340014A 8.16 Size: 38146MB BusType: 3
04:04:18.781 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
04:04:18.781 Disk 1 Vendor: ST3250824A 3.AAE Size: 238475MB BusType: 3
04:04:18.921 Disk 0 MBR read successfully
04:04:18.921 Disk 0 MBR scan
04:04:18.921 Disk 0 unknown MBR code
04:04:18.921 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 31 MB offset 63
04:04:18.921 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 35032 MB offset 64260
04:04:18.937 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3074 MB offset 71810550
04:04:18.953 Disk 0 scanning sectors +78108030
04:04:19.109 Disk 0 scanning C:\WINDOWS\system32\drivers
04:04:34.500 Service scanning
04:05:07.234 Modules scanning
04:05:39.625 Disk 0 trace - called modules:
04:05:39.656 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
04:05:39.656 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x877431f0]
04:05:39.656 3 CLASSPNP.SYS[f7889fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x877deb00]
04:05:39.671 Scan finished successfully
04:06:00.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\DAD\Desktop\MBR.dat"
04:06:00.140 The log file has been saved successfully to "C:\Documents and Settings\DAD\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-21 18:23:59
-----------------------------
18:23:59.546 OS Version: Windows 5.1.2600 Service Pack 3
18:23:59.546 Number of processors: 1 586 0x401
18:23:59.546 ComputerName: DJJXF091 UserName: DAD
18:24:13.015 Initialize success
18:41:38.734 AVAST engine defs: 13042101
18:42:24.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
18:42:24.859 Disk 0 Vendor: ST340014A 8.16 Size: 38146MB BusType: 3
18:42:24.875 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
18:42:24.937 Disk 1 Vendor: ST3250824A 3.AAE Size: 238475MB BusType: 3
18:42:25.750 Disk 0 MBR read successfully
18:42:25.750 Disk 0 MBR scan
18:42:25.906 Disk 0 unknown MBR code
18:42:25.921 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 31 MB offset 63
18:42:25.968 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 35032 MB offset 64260
18:42:26.000 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3074 MB offset 71810550
18:42:26.218 Disk 0 scanning sectors +78108030
18:42:26.796 Disk 0 scanning C:\WINDOWS\system32\drivers
18:44:19.781 Service scanning
18:46:13.093 Modules scanning
18:47:32.484 Disk 0 trace - called modules:
18:47:32.515 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
18:47:32.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x877831f0]
18:47:32.531 3 CLASSPNP.SYS[f7809fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x877a5d98]
18:47:35.890 AVAST engine scan C:\WINDOWS
18:48:58.187 AVAST engine scan C:\WINDOWS\system32
19:24:55.078 AVAST engine scan C:\WINDOWS\system32\drivers
19:27:06.031 AVAST engine scan C:\Documents and Settings\DAD
19:33:11.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\DAD\Desktop\MBR.dat"
19:33:11.125 The log file has been saved successfully to "C:\Documents and Settings\DAD\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-04-26 07:13:11
-----------------------------
07:13:11.424 OS Version: Windows 5.1.2600 Service Pack 3
07:13:11.424 Number of processors: 1 586 0x401
07:13:11.424 ComputerName: DJJXF091 UserName: DAD
07:13:15.017 Initialize success
07:13:59.220 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
07:13:59.220 Disk 0 Vendor: ST340014A 8.16 Size: 38146MB BusType: 3
07:13:59.220 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
07:13:59.220 Disk 1 Vendor: ST3250824A 3.AAE Size: 238475MB BusType: 3
07:13:59.424 Disk 0 MBR read successfully
07:13:59.424 Disk 0 MBR scan
07:13:59.424 Disk 0 unknown MBR code
07:13:59.424 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 31 MB offset 63
07:13:59.424 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 35032 MB offset 64260
07:13:59.455 Disk 0 Partition 3 00 DB CP/M / CTOS Dell 8.0 3074 MB offset 71810550
07:13:59.470 Disk 0 scanning sectors +78108030
07:13:59.720 Disk 0 scanning C:\WINDOWS\system32\drivers
07:14:33.970 Service scanning
07:15:40.845 Modules scanning
07:16:12.408 Disk 0 trace - called modules:
07:16:12.424 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
07:16:12.439 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x877831f0]
07:16:12.439 3 CLASSPNP.SYS[f7809fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x877a5d98]
07:16:12.439 Scan finished successfully
07:16:27.736 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\DAD\Desktop\MBR.dat"
07:16:27.767 The log file has been saved successfully to "C:\Documents and Settings\DAD\Desktop\aswMBR.txt"

 



#8 m0le

  • Malware Response Team

Posted 26 April 2013 - 08:32 PM

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

I don't see any remnants of malware, so the above is just to make sure that none exists in the temp folder. Please also do the ESET scan below just to make sure we've got all the possible locations.

I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 



#9 MusiCALpuLLtoy

  • Topic Starter

Posted 27 April 2013 - 09:01 AM

4 found

 

 

C:\Documents and Settings\Administrator.DJJXF091\Desktop\SmitfraudFix.exe multiple threats deleted - quarantined
C:\Documents and Settings\Administrator.DJJXF091\Desktop\SmitfraudFix\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\Documents and Settings\Administrator.DJJXF091\Desktop\SmitfraudFix\restart.exe Win32/Shutdown.NAA application cleaned by deleting - quarantined
E:\My Downloads\FoxitReader502.0718_enu_Setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined



#10 m0le

  • Malware Response Team

Posted 28 April 2013 - 03:19 AM

Three of these are files for a specific malware fix tool. The last one is Ask, which bundles other (often) unwanted software with it.

How is the machine running?



#11 MusiCALpuLLtoy

  • Topic Starter

Posted 28 April 2013 - 04:50 AM

seems to run just fine 



#12 m0le

  • Malware Response Team

Posted 28 April 2013 - 07:38 PM

Then I think we can wrap this up.

You're clean. Good stuff! :thumbup2:

Let's do some clearing up.

If you used DeFogger, now is the time to enable your CD emulation software again.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator.
  • Then click the big CleanUp button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Use and update your AntiVirus Software

You must have a good antivirus. There are plenty to choose from but I personally recommend the free options of Avast and Avira Antivir - though if you choose Avira you should make sure that you uncheck the box offering to install the Ask toolbar. If you want to purchase a security program then I recommend any of the following: AVG, Norton, McAfee, Kaspersky and ESET Nod32.

It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

Use this next program to check for updates for programs already on your system. Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically; make sure that updates on any programs that are flagged are carried out as soon as possible.

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version or the Pro version for a 15-day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources.


That's it, happy surfing!

Cheers.

m0le

 



#13 MusiCALpuLLtoy

  • Topic Starter

Posted 29 April 2013 - 02:46 AM

oki doki ..thank you much  :guitar:



#14 MusiCALpuLLtoy

  • Topic Starter

Posted 01 May 2013 - 06:59 PM

now my firewall won't update :clapping:



#15 m0le

  • Malware Response Team

Posted 01 May 2013 - 07:07 PM

It could have been damaged by the malware. Reinstall the firewall and test that theory.

