Computer Hope

Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: erincas on July 21, 2010, 10:00:19 PM

Title: malware/virus help
Post by: erincas on July 21, 2010, 10:00:19 PM

First off, thank you very much!

Whatever we have has been sending us to a different website from whatever link we are clicking on.  If we do a search for "dogs" and then attempt to click on one of the links in the search results, it brings us to a completely different page.  As I have been running the scans for logs as requested, there have also been random pop ups showing up.  We have also had a couple of blue screen errors within the past week. 
Hope that makes sense and I have included the correction information.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/21/2010 at 07:39 PM

Application Version : 4.40.1002

Core Rules Database Version : 5244
Trace Rules Database Version: 3056

Scan type       : Complete Scan
Total Scan Time : 02:14:45

Memory items scanned      : 541
Memory threats detected   : 0
Registry items scanned    : 7331
Registry threats detected : 0
File items scanned        : 131500
File threats detected     : 12

Adware.Tracking Cookie
   C:\Documents and Settings\Owner.Pooch\Cookies\owner@imrworldwide[2].txt
   C:\Documents and Settings\Owner.Pooch\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner.Pooch\Cookies\owner@kontera[1].txt
   C:\Documents and Settings\Owner.Pooch\Cookies\owner@questionmarket[1].txt
   C:\Documents and Settings\Owner.Pooch\Cookies\owner@2o7[1].txt
   C:\Documents and Settings\Owner.Pooch\Cookies\owner@revsci[2].txt
   C:\Documents and Settings\Owner.Pooch\Cookies\owner@invitemedia[2].txt
   objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\N2C826NG ]

Adware.Vundo Variant/Rel
   C:\MY BACKUP -- 07-11-25 1232PM\WINDOWS\SYSTEM32\CCBEG.INI
   C:\MY BACKUP -- 07-11-25 1232PM\WINDOWS\SYSTEM32\CCBEG.INI2

Unclassified.Unknown Origin/System
   C:\MY BACKUP -- 07-11-25 1232PM\WINDOWS\UNINST2.HTM

Trojan.Unknown Origin
   C:\MY BACKUP -- 07-11-25 1232PM\WINDOWS\UNIST1.HTM


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4337

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/21/2010 8:18:57 PM
mbam-log-2010-07-21 (20-18-57).txt

Scan type: Quick scan
Objects scanned: 144583
Time elapsed: 21 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)



Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:43:09 PM, on 7/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6445
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727)" -"http://www.forbes.com/static_html/2009/02/Magnolias.html?cache=0"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238532798390
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll c:\progra~1\google\google~1\goec62~1.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10664 bytes

Title: Re: malware/virus help
Post by: erincas on July 22, 2010, 09:02:43 AM

After speaking with my husband, I believe this is from Facebook, one of the "I bet you can't watch this for 30 seconds without laughing" or similar.
Thanks.

Title: Re: malware/virus help
Post by: Crush on July 22, 2010, 11:48:49 AM

Hello, and welcome to Computer Hope Forums!

I'm Crush but, you can call me Chris too :) and I will be helping you with your Malware issues

Please note the following information about the malware forum:

• Only members of the Malware Removal Specialist user group are allowed to give advice on removing malware from your computer. Do not follow the advice of anyone without that user title.
  
• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, do this:

Reply to this topic with the word BUMP.

• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Now that we have that out of the way:

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in

Code: [Select]

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
nvstor32.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
Beep.SYS
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
nvrd32.sys
/md5stop
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Please copy (Edit>Select All, Edit>Copy) the contents of these files, one at a time
    

Title: Re: malware/virus help
Post by: erincas on July 22, 2010, 12:54:56 PM

Chris, I already screwed up LOL.  You are dealing with an amateur.  I ran the scan without copying and pasting, then realized what I did, so I closed out the files and when I run the quick scan after copying and pasting, only the OTL.txt pops up.  But, I am going to paste what I have on the extras.txt, but it's not from the custom scan.  Let me know what steps I need to do to get an extras.txt from the custom scan if necessary.  So sorry!

Title: Re: malware/virus help
Post by: erincas on July 22, 2010, 01:01:49 PM

Files were too big to copy and paste.  Hope I did the file dropper right. 
Thanks, Chris!



http://www.filedropper.com/extras
<img src=http://www.filedropper.com/download_button.png width=127 height=145 border=0/> (http://www.filedropper.com/extras)
<div style=font-size:9px;font-family:Arial, Helvetica, sans-serif;width:127px;font-color:#44a854;> <a href=http://www.filedropper.com >File Hosting Online Storage Backup[/url]</div>

http://www.filedropper.com/otl
<img src=http://www.filedropper.com/download_button.png width=127 height=145 border=0/> (http://www.filedropper.com/otl)
<div style=font-size:9px;font-family:Arial, Helvetica, sans-serif;width:127px;font-color:#44a854;> <a href=http://www.filedropper.com >File Hosting Online Storage Backup[/url]</div>

Title: Re: malware/virus help
Post by: Crush on July 24, 2010, 11:56:20 PM

Hi,

Sorry for the delay. That link is not working for me. Can you attach them here?

Title: Re: malware/virus help
Post by: erincas on July 25, 2010, 07:26:34 AM

Thanks!

[recovering disk space - old attachment deleted by admin]

Title: Re: malware/virus help
Post by: Crush on July 25, 2010, 01:42:36 PM

Hi,

I don't see anything in the OTL other than evidence of Smitfraudfix. This is a powerful tool that should only be run under the guidance of a qualified helper. Have you run it?

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log in your reply

Title: Re: malware/virus help
Post by: erincas on July 25, 2010, 05:34:32 PM

No, I have not used the Smith Fraud Fix.  It was something I downloaded last time we had a problem and then realized it was something that was going to take expert interpretation.  Should I remove it? 
Malewarebytes says nothing was detected and did not request a restart. 

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4347

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/25/2010 4:32:48 PM
mbam-log-2010-07-25 (16-32-48).txt

Scan type: Quick scan
Objects scanned: 151103
Time elapsed: 17 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Title: Re: malware/virus help
Post by: Crush on July 25, 2010, 10:44:57 PM

Quote

No, I have not used the Smith Fraud Fix.  It was something I downloaded last time we had a problem and then realized it was something that was going to take expert interpretation.  Should I remove it? 

Yes, please do.

    Please download ComboFix (http://img7.imageshack.us/img7/4930/combofix.gif) from BleepingComputer.com (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

    Alternate link: GeeksToGo.com (http://subs.geekstogo.com/ComboFix.exe)

    Rename ComboFix.exe to commy.exe before you save it to your Desktop
   

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here (http://www.bleepingcomputer.com/forums/topic114351.html)
     
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
     
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

(http://img.photobucket.com/albums/v666/sUBs/Query_RC.gif)
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    (http://img.photobucket.com/albums/v666/sUBs/RC_successful.gif)

   

• Click on Yes, to continue scanning for malware.
• When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.
     

Title: Re: malware/virus help
Post by: erincas on July 26, 2010, 09:09:24 AM

ComboFix 10-07-24.06 - Owner 07/26/2010   7:52.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.958.524 [GMT -7:00]
Running from: c:\documents and settings\Owner.Pooch\desktop\commy.exe
Command switches used :: /stepdel
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\tmp.reg
D:\Autorun.inf

c:\windows\system32\eventtriggers.exe . . . is infected!!

Infected copy of c:\windows\system32\netdde.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netdde.exe

Infected copy of c:\windows\system32\sessmgr.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\sessmgr.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


(((((((((((((((((((((((((   Files Created from 2010-06-26 to 2010-07-26  )))))))))))))))))))))))))))))))
.

2010-07-24 06:12 . 2010-07-24 06:12   --------   d-----w-   c:\documents and settings\LocalService\Application Data\AdobeUM
2010-07-24 06:09 . 2010-07-24 06:10   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-22 21:25 . 2010-07-24 18:23   --------   d-----w-   c:\documents and settings\Owner.Pooch\Application Data\Bitrix Security
2010-07-22 21:25 . 2010-07-22 21:25   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Bitrix Security
2010-07-22 07:03 . 2010-07-24 07:55   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-22 03:28 . 2010-07-22 03:28   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-07-21 19:34 . 2010-07-21 19:34   --------   d-----w-   c:\program files\CCleaner
2010-07-21 19:17 . 2009-04-06 18:37   704384   ----a-w-   c:\windows\system32\drivers\SandBox.sys
2010-07-21 19:17 . 2009-02-10 23:15   257432   ----a-w-   c:\windows\system32\drivers\afwcore.sys
2010-07-21 19:15 . 2009-02-19 00:30   31128   ----a-w-   c:\windows\system32\drivers\afw.sys
2010-07-21 19:14 . 2010-07-21 19:14   --------   d-----w-   c:\program files\Agnitum
2010-07-21 19:13 . 2010-07-21 19:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\Agnitum
2010-07-21 15:39 . 2010-07-21 15:39   --------   d-----w-   c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com
2010-07-21 15:39 . 2010-07-21 15:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-21 15:38 . 2010-07-24 18:26   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-07-21 06:20 . 2010-07-21 06:20   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-07-21 04:48 . 2010-07-21 04:48   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-20 20:22 . 2010-07-20 20:30   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-07-20 17:46 . 2010-07-20 17:46   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-20 17:46 . 2010-07-20 17:46   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
2010-07-20 09:26 . 2010-07-20 09:26   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2010-07-19 18:24 . 2010-07-19 18:24   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2010-07-19 15:32 . 2010-07-19 15:34   --------   dc-h--w-   c:\windows\ie8
2010-07-14 04:11 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 23:11 . 2009-07-25 03:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-22 21:25 . 2010-07-22 21:25   51712   ----a-w-   c:\documents and settings\NetworkService\Application Data\Bitrix Security\depto.dll
2010-07-22 03:47 . 2008-12-10 03:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-22 03:40 . 2010-07-22 03:40   388096   ----a-r-   c:\documents and settings\Owner.Pooch\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-22 03:33 . 2007-11-25 21:05   --------   d-----w-   c:\program files\Java
2010-07-22 03:30 . 2007-11-25 21:05   --------   d-----w-   c:\program files\Common Files\Java
2010-07-22 03:30 . 2010-07-22 03:30   503808   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\msvcp71.dll
2010-07-22 03:30 . 2010-07-22 03:30   499712   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\jmc.dll
2010-07-22 03:30 . 2010-07-22 03:30   348160   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\msvcr71.dll
2010-07-22 03:30 . 2010-07-22 03:30   12800   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-40924d4f-n\decora-d3d.dll
2010-07-22 03:30 . 2010-07-22 03:30   61440   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-40924d4f-n\decora-sse.dll
2010-07-22 00:22 . 2010-07-21 15:40   63488   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-22 00:22 . 2010-07-21 15:40   117760   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-21 19:22 . 2007-11-25 21:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-21 15:40 . 2010-07-21 15:40   52224   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-13 01:00 . 2010-07-21 04:48   177886   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-24 17:27 . 2010-06-24 17:27   --------   d-----w-   c:\program files\Trend Micro
2010-06-14 14:31 . 2007-11-25 19:12   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 10:18 . 2010-02-15 19:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-06 20:59 . 2008-12-17 08:51   165032   ----a-w-   c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2008-12-17 08:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2008-12-17 08:52   164048   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2008-12-17 08:52   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2008-12-17 08:52   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2008-12-17 08:52   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2008-12-17 08:52   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2008-12-17 08:52   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-05-06 10:41 . 2007-11-25 19:17   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2007-11-25 19:17   1851264   ----a-w-   c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-07-25 03:30   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-07-25 03:30   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-29 15:33 . 2010-04-29 15:33   73000   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-24 2403568]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-25 169984]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-15 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-15 428032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]

c:\documents and settings\Owner.Pooch\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/17/2008 1:52 AM 164048]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [7/21/2010 12:17 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [7/21/2010 12:14 PM 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/17/2008 1:52 AM 19024]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [7/21/2010 12:15 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [7/21/2010 12:17 PM 257432]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [11/25/2007 12:41 PM 200576]
S3 AMBAWEBCAM;Sony Webcam;c:\windows\system32\drivers\AmbaWebcam.sys [8/7/2009 10:46 AM 33024]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/25/2007 12:37 PM 69692]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{760B8973-48F7-40B2-B360-F7ABD8785E50}]
2010-07-22 21:25   51712   ----a-w-   c:\documents and settings\NetworkService\Application Data\Bitrix Security\depto.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32   128512   ----a-w-   c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2007-11-25 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2007-11-25 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 08:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1288)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\WLTRAY.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\fxssvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-07-26  08:13:39 - machine was rebooted
ComboFix-quarantined-files.txt  2010-07-26 15:13

Pre-Run: 64,559,091,712 bytes free
Post-Run: 64,853,934,080 bytes free

- - End Of File - - D6DEC917EA9EAD62E89BB780F792898A

Title: Re: malware/virus help
Post by: Crush on July 26, 2010, 11:26:11 AM

Hi,

It seems you have a new infection that is just starting to rear its ugly head.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

Code: [Select]

:filefind
*eventtriggers*


• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Title: Re: malware/virus help
Post by: erincas on July 26, 2010, 12:59:28 PM

Oh no, just when I thought it was running better LOL





SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:02 on 26/07/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*eventtriggers*"
C:\My Backup -- 07-11-25 1232PM\WINDOWS\system32\eventtriggers.exe   --a--- 77824 bytes   [07:12 23/11/2005]   [19:00 10/08/2004] 8262E29A46F8F5D8068C6F0B2F1D5C11
C:\WINDOWS\$NtServicePackUninstall$\eventtriggers.exe   -----c 77824 bytes   [21:28 03/10/2008]   [19:00 10/08/2004] 8262E29A46F8F5D8068C6F0B2F1D5C11
C:\WINDOWS\system32\eventtriggers.exe   --a--- 82944 bytes   [19:11 25/11/2007]   [00:12 14/04/2008] AD3001DA8D2D681373C99F235E95FB22

-=End Of File=-

Title: Re: malware/virus help
Post by: Crush on July 26, 2010, 10:58:27 PM

Re-running ComboFix to remove infections:


• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the quotebox below into it:
  
  Quote

  FCopy::
  C:\WINDOWS\$NtServicePackUninstall$\eventtriggers.exe | C:\WINDOWS\system32\eventtriggers.exe
  
• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  (http://img19.imageshack.us/img19/5660/cfscriptb4.gif)
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

Title: Re: malware/virus help
Post by: erincas on July 28, 2010, 08:46:39 PM

ComboFix 10-07-24.06 - Owner 07/28/2010  19:38:55.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.958.487 [GMT -7:00]
Running from: c:\documents and settings\Owner.Pooch\Desktop\commy.exe
Command switches used :: c:\documents and settings\Owner.Pooch\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\eventtriggers.exe --> c:\windows\system32\eventtriggers.exe
.
(((((((((((((((((((((((((   Files Created from 2010-06-28 to 2010-07-29  )))))))))))))))))))))))))))))))
.

2010-07-29 02:39 . 2010-07-29 02:39   --------   d-----w-   c:\windows\LastGood
2010-07-24 06:12 . 2010-07-24 06:12   --------   d-----w-   c:\documents and settings\LocalService\Application Data\AdobeUM
2010-07-24 06:09 . 2010-07-24 06:10   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-22 21:25 . 2010-07-24 18:23   --------   d-----w-   c:\documents and settings\Owner.Pooch\Application Data\Bitrix Security
2010-07-22 21:25 . 2010-07-22 21:25   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Bitrix Security
2010-07-22 21:25 . 2010-07-22 21:25   51712   ----a-w-   c:\documents and settings\NetworkService\Application Data\Bitrix Security\depto.dll
2010-07-22 07:03 . 2010-07-24 07:55   664   ----a-w-   c:\windows\system32\d3d9caps.dat
2010-07-22 03:40 . 2010-07-22 03:40   388096   ----a-r-   c:\documents and settings\Owner.Pooch\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-07-22 03:30 . 2010-07-22 03:30   503808   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\msvcp71.dll
2010-07-22 03:30 . 2010-07-22 03:30   499712   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\jmc.dll
2010-07-22 03:30 . 2010-07-22 03:30   348160   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-413f9ec8-n\msvcr71.dll
2010-07-22 03:30 . 2010-07-22 03:30   12800   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-40924d4f-n\decora-d3d.dll
2010-07-22 03:30 . 2010-07-22 03:30   61440   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-40924d4f-n\decora-sse.dll
2010-07-22 03:28 . 2010-07-22 03:28   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-07-21 19:34 . 2010-07-21 19:34   --------   d-----w-   c:\program files\CCleaner
2010-07-21 19:17 . 2009-04-06 18:37   704384   ----a-w-   c:\windows\system32\drivers\SandBox.sys
2010-07-21 19:17 . 2009-02-10 23:15   257432   ----a-w-   c:\windows\system32\drivers\afwcore.sys
2010-07-21 19:15 . 2009-02-19 00:30   31128   ----a-w-   c:\windows\system32\drivers\afw.sys
2010-07-21 19:14 . 2010-07-21 19:14   --------   d-----w-   c:\program files\Agnitum
2010-07-21 19:13 . 2010-07-21 19:13   --------   d-----w-   c:\documents and settings\All Users\Application Data\Agnitum
2010-07-21 15:40 . 2010-07-22 00:22   63488   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-21 15:40 . 2010-07-21 15:40   52224   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-21 15:40 . 2010-07-22 00:22   117760   ----a-w-   c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-21 15:39 . 2010-07-21 15:39   --------   d-----w-   c:\documents and settings\Owner.Pooch\Application Data\SUPERAntiSpyware.com
2010-07-21 15:39 . 2010-07-21 15:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-21 15:38 . 2010-07-24 18:26   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-07-21 06:20 . 2010-07-21 06:20   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Identities
2010-07-21 04:48 . 2010-07-21 04:48   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-20 20:22 . 2010-07-20 20:30   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-07-20 17:46 . 2010-07-20 17:46   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-20 17:46 . 2010-07-20 17:46   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
2010-07-20 09:26 . 2010-07-20 09:26   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
2010-07-19 18:24 . 2010-07-19 18:24   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
2010-07-19 15:32 . 2010-07-19 15:34   --------   dc-h--w-   c:\windows\ie8
2010-07-14 04:11 . 2010-06-14 14:31   744448   -c----w-   c:\windows\system32\dllcache\helpsvc.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-25 23:11 . 2009-07-25 03:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-07-22 03:47 . 2008-12-10 03:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-22 03:33 . 2007-11-25 21:05   --------   d-----w-   c:\program files\Java
2010-07-22 03:30 . 2007-11-25 21:05   --------   d-----w-   c:\program files\Common Files\Java
2010-07-21 19:22 . 2007-11-25 21:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
2010-07-13 01:00 . 2010-07-21 04:48   177886   ----a-w-   c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-24 17:27 . 2010-06-24 17:27   --------   d-----w-   c:\program files\Trend Micro
2010-06-14 14:31 . 2007-11-25 19:12   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-10 10:18 . 2010-02-15 19:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-06 20:59 . 2008-12-17 08:51   165032   ----a-w-   c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2008-12-17 08:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2008-12-17 08:52   164048   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2008-12-17 08:52   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2008-12-17 08:52   100432   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2008-12-17 08:52   94800   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2008-12-17 08:52   19024   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2008-12-17 08:52   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-05-06 10:41 . 2007-11-25 19:17   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2007-11-25 19:17   1851264   ----a-w-   c:\windows\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-24 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-11-25 169984]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-15 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-15 428032]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]

c:\documents and settings\Owner.Pooch\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/17/2008 1:52 AM 164048]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [7/21/2010 12:17 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [7/21/2010 12:14 PM 1195008]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/17/2008 1:52 AM 19024]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [7/21/2010 12:15 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [7/21/2010 12:17 PM 257432]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [11/25/2007 12:41 PM 200576]
S3 AMBAWEBCAM;Sony Webcam;c:\windows\system32\drivers\AmbaWebcam.sys [8/7/2009 10:46 AM 33024]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/25/2007 12:37 PM 69692]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{760B8973-48F7-40B2-B360-F7ABD8785E50}]
2010-07-22 21:25   51712   ----a-w-   c:\documents and settings\NetworkService\Application Data\Bitrix Security\depto.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32   128512   ----a-w-   c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2007-11-25 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2007-11-25 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 19:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1292)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(868)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-07-28  19:52:14
ComboFix-quarantined-files.txt  2010-07-29 02:52
ComboFix2.txt  2010-07-26 15:13

Pre-Run: 64,600,346,624 bytes free
Post-Run: 64,603,074,560 bytes free

- - End Of File - - 855CC4BD233238EE664C166948AB3EF9

Title: Re: malware/virus help
Post by: Crush on July 29, 2010, 12:03:44 AM

How are things running now? :)

Title: Re: malware/virus help
Post by: erincas on July 29, 2010, 08:15:16 AM

So far, so good  :)

Title: Re: malware/virus help
Post by: Crush on July 29, 2010, 11:06:41 AM

Ok. Let's do one more scan

Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan[/i]

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic