
Spyware/Malware help


01-01-2010, 09:46 AM   #1
Registered Member
 
Join Date: Oct 2008
Posts: 19
OS: XP Home



Hi, I am actually trying to help my father get his laptop back on track. This is his: Dell Inspiron 1525 with Windows Vista. When I open Internet Explorer I'm getting a message about how the page I'm trying to go to contains potentially damaging spyware. Then it gives a choice to continue anyway or to purchase the anti-spyware software they're selling. If you click on continue anyway then you are most likely redirected to a different site. We do have a Vista re-install CD.

Here's the scanned logs:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Thomas at 6:24:07.53 on Fri 01/01/2010
Internet Explorer: 8.0.6001.18865
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1035 [GMT -5:00]

AV: avast! antivirus 4.8.1229 [VPS 081226-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1229 [VPS 081226-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Dell V310-V510 Series\dleamon.exe
C:\Program Files\Dell V310-V510 Series\ezprint.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell Video Chat\DellVideoChat.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\ntvdm.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\dleacoms.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Creative Live! Cam\VideoFX\StartFX.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Thomas\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.msn.com
uDefault_Page_URL = hxxp://www.msn.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - c:\program files\dell toolbar\toolband.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: SmartShopper: {2ba1c226-ec1b-4471-a65f-d0688ac6ee3a} - c:\program files\smartshopper\bin\2.5.0\SmrtShpr.dll
BHO: {62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: &UpdateCheck.dll: {c213ed2a-7141-44cf-a0b1-1ae95a9a4ba6} - c:\windows\system32\UpdateCheck.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - c:\program files\dell toolbar\toolband.dll
TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [SightSpeed] "c:\program files\dell video chat\DellVideoChat.exe" -bootmode
uRun: [AV] c:\program files\av\Antivir.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [dleamon.exe] "c:\program files\dell v310-v510 series\dleamon.exe"
mRun: [EzPrint] "c:\program files\dell v310-v510 series\ezprint.exe"
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
StartupFolder: c:\users\thomas\appdata\roaming\micros~1\windows\startm~1\programs\startup\eventr~1.lnk - c:\pmw\PMREMIND.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - {2260D608-C844-435d-90FD-DC16CFA577F2} - c:\program files\smartshopper\bin\2.5.0\SmrtShpr.dll
IE: {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - {BCEB373D-A35A-4200-BD43-8586CD9DFAE7} - c:\program files\smartshopper\bin\2.5.0\SmrtShpr.dll
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-18 114768]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-4-17 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-18 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2008-5-18 53328]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-18 138680]
R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-1 1153368]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-18 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-18 352920]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-4-17 111616]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dleaserv.exe [2009-12-25 98984]
S2 gupdate1c9cc07ff851247;Google Update Service (gupdate1c9cc07ff851247);c:\program files\google\update\GoogleUpdate.exe [2009-5-3 133104]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-4-17 30192]

=============== Created Last 30 ================

2010-01-01 07:22:26 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 07:22:26 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-01-01 04:09:54 0 d-----w- c:\windows\system32\vi-VN
2010-01-01 04:09:54 0 d-----w- c:\windows\system32\eu-ES
2010-01-01 04:09:54 0 d-----w- c:\windows\system32\ca-ES
2010-01-01 03:52:08 0 d-----w- c:\windows\system32\EventProviders
2009-12-30 15:18:33 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-30 14:26:13 0 d-----w- c:\program files\common files\Uninstall
2009-12-30 14:26:10 617472 ----a-w- c:\windows\system32\UpdateCheck.dll
2009-12-30 14:25:39 0 d-----w- c:\program files\AV
2009-12-25 14:20:38 0 d-----w- c:\programdata\Ezprint
2009-12-25 14:00:46 0 d-----w- c:\programdata\Dl_cats
2009-12-25 13:47:13 40960 ----a-w- c:\windows\system32\dleavs.dll
2009-12-25 13:47:10 425984 ----a-w- c:\windows\system32\dleacoin.dll
2009-12-25 13:47:01 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2009-12-25 13:47:01 81920 ----a-w- c:\windows\system32\dleagcfg.dll
2009-12-25 13:47:01 65106 ----a-w- c:\windows\system32\dleaprpr.chm
2009-12-25 13:47:00 110592 ----a-w- c:\windows\system32\dleacuir.dll
2009-12-25 13:46:59 8696 ----a-w- c:\windows\system32\dleacommuilogo_rtl.bmp
2009-12-25 13:46:59 8696 ----a-w- c:\windows\system32\dleacommuilogo.bmp
2009-12-25 13:46:59 294912 ----a-w- c:\windows\system32\dleacui.dll
2009-12-25 13:45:14 0 d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-12-25 13:44:41 372736 ----a-w- c:\windows\system32\DLEAwupd.dll
2009-12-25 13:44:41 213672 ----a-w- c:\windows\system32\DLEAwupd.exe
2009-12-25 13:43:51 0 d-----w- c:\program files\Dell Toolbar
2009-12-25 13:43:47 0 d-----w- c:\program files\Dell PC Fax
2009-12-25 13:43:46 0 d-----w- c:\program files\Dell Printable Web
2009-12-25 13:42:36 299008 ----a-w- c:\windows\system32\DLEAsm.dll
2009-12-25 13:42:36 28672 ----a-w- c:\windows\system32\DLEAsmr.dll
2009-12-25 13:42:36 0 d-----w- c:\program files\Dell V310-V510 Series
2009-12-11 12:49:21 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-11 12:49:18 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-11 12:49:16 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 22:46:28 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-03 08:02:12 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2

==================== Find3M ====================

2010-01-01 04:16:17 51200 ----a-w- c:\windows\inf\infpub.dat
2010-01-01 04:16:17 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-01 04:16:17 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-01 04:09:50 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-01 04:01:36 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-12-29 14:53:34 12962 ----a-w- c:\users\thomas\appdata\roaming\wklnhst.dat
2009-11-24 23:49:48 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-21 06:40:20 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34:39 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34:39 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-29 09:17:42 2048 ----a-w- c:\windows\system32\tzres.dll
2008-07-19 20:23:11 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-04-17 15:49:08 74 --sh--r- c:\windows\CT4CET.bin
2008-04-17 23:22:11 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 6:25:35.97 ===============
Attached Files
File Type: zip Attach.zip (2.3 KB, 4 views)

__________________
vinnie1543 is offline  
01-02-2010, 08:18 PM   #2
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,923
OS: XP Pro; XP Home; Win7 x86 & x64



Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

You can get help on disabling your protection programs here

Please include the C:\ComboFix.txt in your next reply for further review.

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
01-03-2010, 12:11 PM   #3
Registered Member
 
Join Date: Oct 2008
Posts: 19
OS: XP Home



Thanks for your time and help. I don't know if it makes any difference yet, but just navigating to this page I did still get the blocked message with the offer for the Antivir spyware remover. I also thought I had the Avast antivirus disabled, but it gave me a message before ComboFix ran that it was still active; everywhere I checked it was disabled, so I had it scan anyway. Here's the ComboFix log.

ComboFix 10-01-02.04 - Thomas 01/03/2010 14:42:16.2.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1195 [GMT -5:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1229 [VPS 081226-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1229 [VPS 081226-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-12-03 to 2010-01-03 )))))))))))))))))))))))))))))))
.

2010-01-03 19:49 . 2010-01-03 19:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-03 19:49 . 2010-01-03 19:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-03 04:15 . 2010-01-03 11:35 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-03 04:13 . 2010-01-03 11:35 -------- d-----w- c:\programdata\Lavasoft
2010-01-02 04:41 . 2010-01-02 04:41 -------- d-----w- c:\program files\Windows Portable Devices
2010-01-02 04:33 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-01-02 04:33 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-01-02 04:33 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-01-02 04:31 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-01-02 04:31 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-01-02 04:31 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-01-01 16:59 . 2008-03-06 07:58 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-01-01 07:22 . 2010-01-03 11:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-01 07:22 . 2010-01-03 11:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 04:09 . 2010-01-01 04:10 -------- d-----w- c:\windows\system32\ca-ES
2010-01-01 04:09 . 2010-01-01 04:10 -------- d-----w- c:\windows\system32\eu-ES
2010-01-01 04:09 . 2010-01-01 04:10 -------- d-----w- c:\windows\system32\vi-VN
2010-01-01 03:52 . 2010-01-01 03:52 -------- d-----w- c:\windows\system32\EventProviders
2009-12-30 15:18 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-30 14:26 . 2009-12-30 14:26 617472 ----a-w- c:\windows\system32\UpdateCheck.dll
2009-12-30 14:25 . 2009-12-30 14:26 -------- d-----w- c:\program files\AV
2009-12-25 14:20 . 2009-12-25 14:20 -------- d-----w- c:\programdata\Ezprint
2009-12-25 14:09 . 2009-12-25 14:09 -------- d-----w- c:\users\Thomas\AppData\Local\Apple Computer
2009-12-25 14:00 . 2009-12-31 02:42 -------- d-----w- c:\programdata\Dl_cats
2009-12-25 13:51 . 2009-06-19 08:58 157696 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\dleadrpp.dll
2009-12-25 13:47 . 2008-03-05 02:55 40960 ----a-w- c:\windows\system32\dleavs.dll
2009-12-25 13:47 . 2009-06-09 17:11 425984 ----a-w- c:\windows\system32\dleacoin.dll
2009-12-25 13:47 . 2009-05-22 06:44 81920 ----a-w- c:\windows\system32\dleagcfg.dll
2009-12-25 13:47 . 2008-04-30 06:32 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2009-12-25 13:47 . 2009-05-22 07:01 110592 ----a-w- c:\windows\system32\dleacuir.dll
2009-12-25 13:46 . 2009-05-22 07:01 294912 ----a-w- c:\windows\system32\dleacui.dll
2009-12-25 13:45 . 2009-12-25 13:45 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-12-25 13:44 . 2009-07-01 13:13 213672 ----a-w- c:\windows\system32\DLEAwupd.exe
2009-12-25 13:44 . 2009-04-23 13:37 372736 ----a-w- c:\windows\system32\DLEAwupd.dll
2009-12-25 13:42 . 2009-12-25 13:51 -------- d-----w- c:\program files\Dell V310-V510 Series
2009-12-25 13:42 . 2009-02-20 08:50 28672 ----a-w- c:\windows\system32\DLEAsmr.dll
2009-12-25 13:42 . 2009-02-20 08:49 299008 ----a-w- c:\windows\system32\DLEAsm.dll
2009-12-25 03:02 . 2009-12-25 03:02 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-11 12:49 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-11 12:49 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-11 12:49 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 22:46 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-07 22:32 . 2009-12-07 22:32 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb1F06.tmp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 19:38 . 2008-05-03 03:33 12962 ----a-w- c:\users\Thomas\AppData\Roaming\wklnhst.dat
2010-01-03 14:50 . 2009-05-03 15:56 -------- d-----w- c:\programdata\Google Updater
2010-01-03 00:01 . 2008-06-18 21:08 1356 ----a-w- c:\users\Thomas\AppData\Local\d3d9caps.dat
2010-01-02 23:54 . 2009-03-04 01:32 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-01-02 04:40 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-02 04:40 . 2010-01-02 04:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-01-02 04:40 . 2010-01-02 04:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-01 04:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-31 01:00 . 2009-03-04 01:29 -------- d-----w- c:\program files\Wyyo
2009-12-25 13:46 . 2008-04-17 15:47 -------- d-----w- c:\program files\Dell
2009-12-25 13:44 . 2009-12-25 13:43 -------- d-----w- c:\program files\Dell Toolbar
2009-12-25 13:43 . 2009-12-25 13:43 -------- d-----w- c:\program files\Dell PC Fax
2009-12-25 13:43 . 2009-12-25 13:43 -------- d-----w- c:\program files\Dell Printable Web
2009-12-19 18:41 . 2008-04-17 15:56 -------- d-----w- c:\program files\Google
2009-12-03 22:26 . 2009-12-03 22:26 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb4395.tmp.exe
2009-12-03 08:04 . 2008-04-17 16:06 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 08:02 . 2009-12-03 08:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-02 22:33 . 2009-12-02 01:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-24 23:54 . 2008-05-19 01:26 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-24 23:50 . 2008-05-19 01:26 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2008-05-19 01:26 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2008-05-19 01:26 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-24 23:49 . 2008-05-19 01:26 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2008-05-19 01:26 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2008-05-19 01:26 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-21 06:40 . 2009-12-09 22:47 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 22:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 22:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 22:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 03:38 . 2009-11-17 03:38 -------- d-----w- c:\program files\Speccy
2009-10-29 09:17 . 2009-11-25 08:02 2048 ----a-w- c:\windows\system32\tzres.dll
2008-04-17 15:49 . 2008-04-17 15:49 74 --sh--r- c:\windows\CT4CET.bin
2008-04-17 23:22 . 2008-04-17 23:08 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-03 15:19 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C213ED2A-7141-44CF-A0B1-1AE95A9A4BA6}]
2009-12-30 14:26 617472 ----a-w- c:\windows\System32\UpdateCheck.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-11-03 4823416]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-26 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dleamon.exe"="c:\program files\Dell V310-V510 Series\dleamon.exe" [2009-07-10 766632]
"EzPrint"="c:\program files\Dell V310-V510 Series\ezprint.exe" [2009-07-10 139944]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]

c:\users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-10-24 255408]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-17 50688]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8b,79,8e,38,99,8a,ca,01

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [5/18/2008 8:26 PM 114768]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [4/17/2008 10:35 AM 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [5/18/2008 8:26 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [5/18/2008 8:26 PM 53328]
R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [4/17/2008 6:29 PM 111616]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\dleaserv.exe [12/25/2009 8:47 AM 98984]
S2 gupdate1c9cc07ff851247;Google Update Service (gupdate1c9cc07ff851247);c:\program files\Google\Update\GoogleUpdate.exe [5/3/2009 10:58 AM 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [6/25/2008 6:57 PM 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/17/2008 10:56 AM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-17 15:56]

2010-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 15:58]

2010-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 14:49
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-03 14:54:04
ComboFix-quarantined-files.txt 2010-01-03 19:54
ComboFix2.txt 2010-01-03 12:30

Pre-Run: 106,991,943,680 bytes free
Post-Run: 106,969,063,424 bytes free

- - End Of File - - 7A5A19E398240948A3FE41C5E690515E
__________________
vinnie1543 is offline  
Old 01-03-2010, 01:00 PM   #4
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
tetonbob's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 49,923
OS: XP Pro; XP Home; Win7 x86 & x64



Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Disable avast! right click, and Stop On Access Control.

Also temporarily disable Self Defense Protection mode on the Troubleshooting menu. (right click avast! icon > Program Settings > Troubleshooting)


  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/447158-spyware-malware-help.html#post2522396
    Folder::
    c:\program files\AV
    Collect::
    c:\windows\System32\UpdateCheck.dll

    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe
  3. ComboFix may request an update; please allow it.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    **Note**

    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

    Please let me know if the file was successfully submitted. Thanks.

    ------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of UNITE since 2006

tetonbob is offline  
Old 01-03-2010, 07:13 PM   #5
Registered Member
 
Join Date: Oct 2008
Posts: 19
OS: XP Home



Okay, the file was said to be successfully submitted, so hopefully that's correct. The Internet seems to be working better - no attempted blocks getting here. Here's the latest ComboFix log:

ComboFix 10-01-03.03 - Thomas 01/03/2010 21:01:36.3.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1143 [GMT -5:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
Command switches used :: c:\users\Thomas\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

file zipped: c:\windows\System32\UpdateCheck.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AV
c:\program files\AV\antivir.exe
c:\windows\System32\UpdateCheck.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2010-01-04 02:07 . 2010-01-04 02:07 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-04 02:07 . 2010-01-04 02:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-03 04:15 . 2010-01-03 11:35 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-03 04:13 . 2010-01-03 11:35 -------- d-----w- c:\programdata\Lavasoft
2010-01-02 04:41 . 2010-01-02 04:41 -------- d-----w- c:\program files\Windows Portable Devices
2010-01-02 04:33 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-01-02 04:33 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-01-02 04:33 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-01-02 04:31 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-01-02 04:31 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-01-02 04:31 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-01-01 16:59 . 2008-03-06 07:58 172032 ----a-w- c:\windows\system32\igfxres.dll
2010-01-01 07:22 . 2010-01-03 11:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-01 07:22 . 2010-01-03 11:54 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-01 04:09 . 2010-01-01 04:10 -------- d-----w- c:\windows\system32\ca-ES
2010-01-01 04:09 . 2010-01-01 04:10 -------- d-----w- c:\windows\system32\eu-ES
2010-01-01 04:09 . 2010-01-01 04:10 -------- d-----w- c:\windows\system32\vi-VN
2010-01-01 03:52 . 2010-01-01 03:52 -------- d-----w- c:\windows\system32\EventProviders
2009-12-30 15:18 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-25 14:20 . 2009-12-25 14:20 -------- d-----w- c:\programdata\Ezprint
2009-12-25 14:09 . 2009-12-25 14:09 -------- d-----w- c:\users\Thomas\AppData\Local\Apple Computer
2009-12-25 14:00 . 2009-12-31 02:42 -------- d-----w- c:\programdata\Dl_cats
2009-12-25 13:51 . 2009-06-19 08:58 157696 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\dleadrpp.dll
2009-12-25 13:47 . 2008-03-05 02:55 40960 ----a-w- c:\windows\system32\dleavs.dll
2009-12-25 13:47 . 2009-06-09 17:11 425984 ----a-w- c:\windows\system32\dleacoin.dll
2009-12-25 13:47 . 2009-05-22 06:44 81920 ----a-w- c:\windows\system32\dleagcfg.dll
2009-12-25 13:47 . 2008-04-30 06:32 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2009-12-25 13:47 . 2009-05-22 07:01 110592 ----a-w- c:\windows\system32\dleacuir.dll
2009-12-25 13:46 . 2009-05-22 07:01 294912 ----a-w- c:\windows\system32\dleacui.dll
2009-12-25 13:45 . 2009-12-25 13:45 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-12-25 13:44 . 2009-07-01 13:13 213672 ----a-w- c:\windows\system32\DLEAwupd.exe
2009-12-25 13:44 . 2009-04-23 13:37 372736 ----a-w- c:\windows\system32\DLEAwupd.dll
2009-12-25 13:42 . 2009-12-25 13:51 -------- d-----w- c:\program files\Dell V310-V510 Series
2009-12-25 13:42 . 2009-02-20 08:50 28672 ----a-w- c:\windows\system32\DLEAsmr.dll
2009-12-25 13:42 . 2009-02-20 08:49 299008 ----a-w- c:\windows\system32\DLEAsm.dll
2009-12-25 03:02 . 2009-12-25 03:02 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-11 12:49 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-11 12:49 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-11 12:49 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 22:46 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-07 22:32 . 2009-12-07 22:32 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb1F06.tmp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-03 19:38 . 2008-05-03 03:33 12962 ----a-w- c:\users\Thomas\AppData\Roaming\wklnhst.dat
2010-01-03 14:50 . 2009-05-03 15:56 -------- d-----w- c:\programdata\Google Updater
2010-01-03 00:01 . 2008-06-18 21:08 1356 ----a-w- c:\users\Thomas\AppData\Local\d3d9caps.dat
2010-01-02 23:54 . 2009-03-04 01:32 -------- d-----w- c:\program files\Free Offers from Freeze.com
2010-01-02 04:40 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-01-02 04:40 . 2010-01-02 04:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2010-01-02 04:40 . 2010-01-02 04:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-01-01 04:10 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-01 04:10 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-12-31 01:00 . 2009-03-04 01:29 -------- d-----w- c:\program files\Wyyo
2009-12-25 13:46 . 2008-04-17 15:47 -------- d-----w- c:\program files\Dell
2009-12-25 13:44 . 2009-12-25 13:43 -------- d-----w- c:\program files\Dell Toolbar
2009-12-25 13:43 . 2009-12-25 13:43 -------- d-----w- c:\program files\Dell PC Fax
2009-12-25 13:43 . 2009-12-25 13:43 -------- d-----w- c:\program files\Dell Printable Web
2009-12-19 18:41 . 2008-04-17 15:56 -------- d-----w- c:\program files\Google
2009-12-03 22:26 . 2009-12-03 22:26 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb4395.tmp.exe
2009-12-03 08:04 . 2008-04-17 16:06 -------- d-----w- c:\program files\Microsoft Works
2009-12-03 08:02 . 2009-12-03 08:02 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-02 22:33 . 2009-12-02 01:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-21 06:40 . 2009-12-09 22:47 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-09 22:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-09 22:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-09 22:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-17 03:38 . 2009-11-17 03:38 -------- d-----w- c:\program files\Speccy
2009-10-29 09:17 . 2009-11-25 08:02 2048 ----a-w- c:\windows\system32\tzres.dll
2008-04-17 15:49 . 2008-04-17 15:49 74 --sh--r- c:\windows\CT4CET.bin
2008-04-17 23:22 . 2008-04-17 23:08 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-03 15:19 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-17 68856]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SightSpeed"="c:\program files\Dell Video Chat\DellVideoChat.exe" [2008-11-03 4823416]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-01-25 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-11-26 30192]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-11-01 189736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"dleamon.exe"="c:\program files\Dell V310-V510 Series\dleamon.exe" [2009-07-10 766632]
"EzPrint"="c:\program files\Dell V310-V510 Series\ezprint.exe" [2009-07-10 139944]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]

c:\users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\pmw\PMREMIND.EXE [1997-10-24 255408]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-17 50688]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):8b,79,8e,38,99,8a,ca,01

R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [4/17/2008 10:35 AM 73728]
R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [4/17/2008 6:29 PM 111616]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\dleaserv.exe [12/25/2009 8:47 AM 98984]
S2 gupdate1c9cc07ff851247;Google Update Service (gupdate1c9cc07ff851247);c:\program files\Google\Update\GoogleUpdate.exe [5/3/2009 10:58 AM 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [6/25/2008 6:57 PM 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/17/2008 10:56 AM 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-01-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-04-17 15:56]

2010-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 15:58]

2010-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-03 15:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

BHO-{C213ED2A-7141-44CF-A0B1-1AE95A9A4BA6} - c:\windows\System32\UpdateCheck.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-03 21:07
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-01-03 21:10:51
ComboFix-quarantined-files.txt 2010-01-04 02:10
ComboFix2.txt 2010-01-03 19:54
ComboFix3.txt 2010-01-03 12:30

Pre-Run: 107,380,408,320 bytes free
Post-Run: 107,347,046,400 bytes free

- - End Of File - - 6C75572AC3EE0A77D3205015DE82255F
Upload was successful
__________________
vinnie1543 is offline  
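Added example, not code from this thread or from ComboFix: a small Python script that cross-checks the CFScript from post #4 against the post-fix log above, confirming that each Folder::/Collect:: target shows up under Other Deletions and listing the autorun paths still reported under Reg Loading Points. The section-banner and path patterns are inferred from the log layout shown here and are assumptions, not a documented ComboFix format.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix wrote afterwards.

Added example, not code from this thread or from ComboFix: the banner and
path patterns below are inferred from the log layout posted above and are
an assumption, not a documented ComboFix format.
"""
import re

# Constructed sample: the CFScript from post #4 (topic URL line omitted).
CFSCRIPT = r"""
Folder::
c:\program files\AV
Collect::
c:\windows\System32\UpdateCheck.dll
"""

# Constructed sample: the fragments of the post-fix log that matter here.
COMBOFIX_LOG = r"""
file zipped: c:\windows\System32\UpdateCheck.dll
.
((((((((((((((( Other Deletions )))))))))))))))
.
c:\program files\AV
c:\program files\AV\antivir.exe
c:\windows\System32\UpdateCheck.dll
.
((((((((((((((( Reg Loading Points )))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-03 15:19 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
- - - - ORPHANS REMOVED - - - -
BHO-{C213ED2A-7141-44CF-A0B1-1AE95A9A4BA6} - c:\windows\System32\UpdateCheck.dll
"""

# A section banner is a title wrapped in runs of "(" / ")" or "- - -".
SECTION_RE = re.compile(r"^(?:\(+|-[ -]*-)\s*([A-Za-z][^()]*?)\s*(?:\)+|-[ -]*-)$")
# A Windows path runs from "x:\" to a trailing "[size]" tag, a quote or EOL.
PATH_RE = re.compile(r'[a-z]:\\.*?(?=\s*\[|"|$)', re.IGNORECASE)


def parse_cfscript(text):
    """Map each 'Directive::' to the list of lines under it."""
    directives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


def parse_combofix_sections(text):
    """Split a log into {section: [lines]}; text before any banner is '_preamble'."""
    sections, current = {"_preamble": []}, "_preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "."):
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def verify_fix(cfscript_text, log_text):
    """For every Folder::/Collect:: target, list the log sections naming it."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_sections(log_text)
    report = {}
    for path in script.get("Folder", []) + script.get("Collect", []):
        needle = path.lower()
        report[path] = [name for name, lines in log.items()
                        if any(needle in l.lower() for l in lines)]
    return report


def unresolved(report):
    """Targets never listed under 'Other Deletions', i.e. the script missed them."""
    return sorted(p for p, hits in report.items() if "Other Deletions" not in hits)


def loading_point_paths(sections):
    """Executable paths still registered as autoruns after the fix."""
    seen = []
    for line in sections.get("Reg Loading Points", []):
        m = PATH_RE.search(line)
        if m and m.group(0) not in seen:
            seen.append(m.group(0))
    return seen
```

Running verify_fix(CFSCRIPT, COMBOFIX_LOG) shows both targets under Other Deletions and UpdateCheck.dll additionally under the preamble ("file zipped") and ORPHANS REMOVED, while loading_point_paths still lists the askBar.dll BHO for the next round of review.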
Old 01-03-2010, 07:30 PM   #6

Good job, the file was uploaded. I'd like to collect the other file involved.
  • Please visit this site:


    http://www.bleepingcomputer.com/subm....php?channel=4

  • In the Link to topic where this file was requested: area, copy and paste this


    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/447158-spyware-malware-help.html#post2522967

  • In the Browse to the file you want to submit: area, copy and paste this


    C:\Qoobox\Quarantine\C\program files\AV\antivir.exe.vir

  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and continue with the steps below.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 16 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, click on Uninstall a Program and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.


    Java(TM) SE Runtime Environment 6

  • Click the Uninstall button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

---------------------------------------------------------------------------------------------
__________________
tetonbob is offline  
Old 01-04-2010, 06:39 PM   #7

Okay, everything still seems to be working great, the bleepingcomputer file should have been submitted successfully, the Java was updated and here's the log from the Malwarebytes scan:


Malwarebytes' Anti-Malware 1.43
Database version: 3495
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

1/4/2010 9:27:13 PM
mbam-log-2010-01-04 (21-27-13).txt

Scan type: Quick Scan
Objects scanned: 97318
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 23
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\smartshopper.hbax (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.hbax.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.iebutton (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.iebutton.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.iebuttona (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.iebuttona.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.iebuttonb (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.iebuttonb.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.smrtshprctl (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smartshopper.smrtshprctl.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{08aa0598-6a23-4364-9bf4-6d5f57f42993} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b0e8c398-dabe-4ce1-b4d9-ed43b64923f5} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c7f127df-8877-4e1e-a196-fbbecbc5bc6d} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{064c57b4-b9ec-425f-b9b3-bceffeea74d9} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0755e4f0-3f92-4a67-ad14-e9f287f76fbc} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2260d608-c844-435d-90fd-dc16cfa577f2} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bceb373d-a35a-4200-bd43-8586cd9dfae7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{2615f050-9c18-4267-b711-8e3687dc0145} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cb0d9d8c-535e-4352-ba8f-65c3c8676612} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wyyo (Adware.Zwangi) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SmartShopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Registry Defender (Rogue.Registry.Defender) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Registry Defender Platinum (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
C:\Program Files\Registry Defender Platinum\backup (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
C:\Program Files\Wyyo (Adware.Zwangi) -> Quarantined and deleted successfully.
C:\ProgramData\Wyyo (Adware.Zwangi) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Registry Defender Platinum\report.csv (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
C:\Program Files\Registry Defender Platinum\backup\6_5_2008.reg (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
C:\Program Files\Wyyo\readme.html (Adware.Zwangi) -> Quarantined and deleted successfully.
C:\Program Files\Wyyo\uninstall.exe (Adware.Zwangi) -> Quarantined and deleted successfully.
__________________
vinnie1543 is offline  
Old 01-04-2010, 07:02 PM   #8

Great. Thanks for uploading the file.

Please run this online scan to help look for remnants.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.
__________________
tetonbob is offline  
Old 01-06-2010, 02:06 PM   #9

Dumb question but what do I do if I can't figure out how to disable Windows defender? I've tried everything I can find to uncheck in order to disable the Windows Defender program but when I go to run the ESET scan it shows that the Windows Defender is still running. Am I ok to scan anyway or am I missing something in disabling the Windows Defender?
__________________
vinnie1543 is offline  
Old 01-06-2010, 02:37 PM   #10

Is Eset complaining about Windows Defender? I wasn't aware the online scans concerned themselves with AntiSpyware applications.

Try this set of instructions...


Windows Defender disable

  • Launch Windows Defender, right click on the System Tray icon, select Open.
  • Click on Tools>Options.
  • Scroll down and uncheck "Use real-time protection (recommended)".
  • Scroll down further, and uncheck "Use Windows Defender"
  • After you uncheck these, click on the Save button, approve the UAC prompt, and close Windows Defender.

tetonbob is offline  
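An added example, not part of the thread and not code from ESET or Microsoft, for checking what the steps above actually changed. Instead of trusting the GUI, it asks the service control manager (`sc query`) whether the Defender service is still running and reads the option flag back from the registry (`reg query`). The service name WinDefend and the DisableAntiSpyware value under HKLM\SOFTWARE\Microsoft\Windows Defender are assumptions about where Vista stores the "Use Windows Defender" checkbox; the sample outputs embedded below are constructed. If the service shows RUNNING after the options are saved, a scanner that enumerates running services will keep reporting Defender regardless of the checkbox.

```python
r"""Check out-of-band whether Windows Defender is actually off.

Added example, not code from the thread. The parsers work on captured output,
so they can be exercised on any platform; only main() needs Windows.

Assumptions not stated on the page: the Defender service is named WinDefend,
and the "Use Windows Defender" checkbox is stored as the DisableAntiSpyware
DWORD under HKLM\SOFTWARE\Microsoft\Windows Defender.
"""
import os
import re
import subprocess

SERVICE = "WinDefend"                                   # assumed service name
REG_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender"   # assumed key
REG_VALUE = "DisableAntiSpyware"                        # assumed value name

# Constructed samples in the layout that `sc query` and `reg query` print.
SAMPLE_SC_RUNNING = """
SERVICE_NAME: WinDefend
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_SC_STOPPED = SAMPLE_SC_RUNNING.replace("4  RUNNING", "1  STOPPED")
SAMPLE_REG_DISABLED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
    DisableAntiSpyware    REG_DWORD    0x1
"""
SAMPLE_REG_MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"


def parse_sc_query(output):
    """Return the STATE word (RUNNING, STOPPED, ...) from `sc query` output."""
    m = re.search(r"^[ \t]*STATE[ \t]*:[ \t]*\d+[ \t]+([A-Z_]+)", output, re.MULTILINE)
    return m.group(1) if m else "UNKNOWN"


def parse_reg_query(output):
    """Map value names to (type, data) from `reg query` output; {} on error."""
    pattern = r"^[ \t]+(\S+)[ \t]+(REG_[A-Z_]+)[ \t]+(.*?)[ \t]*$"
    return {m.group(1): (m.group(2), m.group(3))
            for m in re.finditer(pattern, output, re.MULTILINE)}


def defender_status(sc_output, reg_output):
    """Combine the service state and the option flag into one verdict."""
    state = parse_sc_query(sc_output)
    data = parse_reg_query(reg_output).get(REG_VALUE, ("", ""))[1]
    flag_set = data.lower() in ("0x1", "1")
    return {
        "service_state": state,
        "service_running": state == "RUNNING",
        "disable_flag_set": flag_set,
        "fully_off": flag_set and state != "RUNNING",
    }


def run(cmd):
    """Run a command and return everything it printed (stdout and stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def main():
    if os.name != "nt":
        print("Live check needs Windows; showing the parsers on sample output instead.")
        print(defender_status(SAMPLE_SC_RUNNING, SAMPLE_REG_DISABLED))
        return
    status = defender_status(run(["sc", "query", SERVICE]),
                             run(["reg", "query", REG_KEY, "/v", REG_VALUE]))
    for key, value in status.items():
        print(f"{key}: {value}")
    if status["service_running"]:
        print(f"Service still running; from an elevated prompt: sc stop {SERVICE}")


if __name__ == "__main__":
    main()
```

Run it from an elevated prompt on the affected machine; `fully_off` is only True when the flag is set and the service is not running, which is the state a scanner would agree with.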
Old 01-06-2010, 05:22 PM   #11
vinnie1543 (Registered Member)

Yeah, apparently it really doesn't like Windows Defender. I did miss the one obvious box (Use Windows Defender) but ESET still picks it up. I thought I might need to reboot but that didn't change anything with ESET and yet if I try to open Windows Defender I get the message that it is currently off and I can click here to turn it on. Anything else I may have missed?
vinnie1543 is offline  
Old 01-06-2010, 05:35 PM   #12
tetonbob (Expert Analyst, Moderator, Security Team)

Let's use one of these other online scanners...

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

tetonbob is offline  
Old 01-08-2010, 10:32 AM   #13
vinnie1543 (Registered Member)

Okay, everything appears to still be working well - no obvious signs of trouble. I did have to scan with Kaspersky a couple of times because the computer shut down Firefox for some reason before the first scan was completed. Here are the logs from the Active Scan and the Kaspersky scan:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-01-07 22:20:20
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 2
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Windows Defender No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@atdmt[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@tribalfusion[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@com[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@advertising[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@ads.pointroll[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@realmedia[1].txt
05846513 Generic Trojan Virus/Trojan No 0 Yes Yes c:\qoobox\quarantine\c\program files\av\antivir.exe.vir
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\users\thomas\desktop\combofix.exe[32788r22fwjfw\pev.exe]
No c:\windows\pev.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, January 8, 2010
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, January 08, 2010 16:20:19
Records in database: 3318712
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 127158
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 01:14:51

No threats found. Scanned area is clean.

Selected area has been scanned.
vinnie1543 is offline  
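An added example, not from the thread: a small triage script for the two reports posted above. A subset of both reports is embedded as constructed sample input. Each Panda finding is bucketed as a tracking cookie, a file inside ComboFix's quarantine folder (c:\qoobox\quarantine, as seen in the report), a ComboFix component (combofix.exe and pev.exe, the two SUSPECTS entries), or something that would still need a human look; the bucket names are the script's own. The Kaspersky summary counts are parsed the same way so both reports end up in one verdict.

```python
r"""Triage online-scanner reports: separate tracking cookies and a cleanup
tool's own quarantine from findings that still need a look.

Added example, not code from the thread. PANDA_SAMPLE and KASPERSKY_SAMPLE are
constructed from a subset of the reports posted in the thread. That
c:\qoobox\quarantine is ComboFix's quarantine and pev.exe a ComboFix component
comes from the thread; the category names are this script's own.
"""
import re
from collections import Counter

PANDA_SAMPLE = r"""
ANALYSIS: 2010-01-07 22:20:20
MALWARE: 4
SUSPECTS: 2
;=====
PROTECTIONS
Description Version Active Updated
;=====
Windows Defender No Yes
;=====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@atdmt[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\thomas\appdata\roaming\microsoft\windows\cookies\low\thomas@tribalfusion[1].txt
05846513 Generic Trojan Virus/Trojan No 0 Yes Yes c:\qoobox\quarantine\c\program files\av\antivir.exe.vir
;=====
SUSPECTS
Sent Location
;=====
No c:\users\thomas\desktop\combofix.exe[32788r22fwjfw\pev.exe]
No c:\windows\pev.exe
;=====
VULNERABILITIES
Id Severity Description
;=====
"""

KASPERSKY_SAMPLE = """
KASPERSKY ONLINE SCANNER 7.0: scan report
Scan statistics:
Objects scanned: 127158
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
"""

# Description may contain spaces ("Cookie/Atlas DMT"), and so may the path, so
# the description is matched lazily and the fixed Yes/No/number columns anchor it.
MALWARE_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<description>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+?)\s*$"
)
SUSPECT_RE = re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>.+?)\s*$")
SECTIONS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")
QUARANTINE_DIR = r"\qoobox\quarantine"            # ComboFix quarantine (from the thread)
COMBOFIX_MARKERS = ("combofix.exe", "\\pev.exe")  # pev.exe is a ComboFix component


def parse_panda(text):
    """Return one dict per finding from the MALWARE and SUSPECTS sections."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                        # separators and blank lines
        if line in SECTIONS:
            section = line
            continue
        match = None
        if section == "MALWARE":
            match = MALWARE_RE.match(line)  # column header never matches
        elif section == "SUSPECTS":
            match = SUSPECT_RE.match(line)
        if match:
            record = {"section": section, "type": "Suspect"}
            record.update(match.groupdict())
            findings.append(record)
    return findings


def classify(finding):
    """Bucket a finding by what it most likely is."""
    loc = finding["location"].lower()
    if finding["type"] == "TrackingCookie":
        return "tracking-cookie"
    if QUARANTINE_DIR in loc:
        return "tool-quarantine"            # already neutralised by ComboFix
    if any(marker in loc for marker in COMBOFIX_MARKERS):
        return "tool-component"             # removed by ComboFix /Uninstall
    return "needs-review"


def summarize(findings):
    return Counter(classify(f) for f in findings)


def parse_kaspersky_stats(text):
    """Pull the numeric summary out of a Kaspersky Online Scanner report."""
    pattern = (r"^(Objects scanned|Threats found|Infected objects found|"
               r"Suspicious objects found):\s*(\d+)")
    return {m.group(1): int(m.group(2)) for m in re.finditer(pattern, text, re.MULTILINE)}


def main():
    findings = parse_panda(PANDA_SAMPLE)
    for f in findings:
        print(f"{classify(f):16} {f['location']}")
    counts = summarize(findings)
    stats = parse_kaspersky_stats(KASPERSKY_SAMPLE)
    print(dict(counts), stats)
    if counts["needs-review"] or stats.get("Threats found", 0):
        print("Something still needs a human look.")
    else:
        print("Only cookies and cleanup-tool artifacts: consistent with a clean system.")


if __name__ == "__main__":
    main()
```

To use it on a real report, read the saved ActiveScan export into a string and pass it to parse_panda(); anything that lands in "needs-review" is the part worth posting or investigating.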
Old 01-08-2010, 10:35 AM   #14
tetonbob (Expert Analyst, Moderator, Security Team)

Panda has found mostly cookies.

Cookies are nothing to be particularly worried about. They get installed on your computer every time you visit any webpage. Now some of those are good cookies that get installed for ease of use for the next time you visit the same page, but some cookies are spyware used for tracking users' surfing habits.

Most of those cookies are third party cookies that can be blocked:

In Firefox go to Tools > Options > Privacy > Cookies

Click Exceptions, identify the site you want to block, and click on Block.

In IE go to Tools > Internet Options > Privacy and click on Advanced in the Privacy tab

Now put a check next to "Override automatic cookie handling"

Set first party cookies to Accept and third party cookies to Block

Also put a check next to "Always allow session cookies", then OK your way out.

This won't prevent all bad cookies from being installed, but will reduce the amount.

Also there is another program you can use.

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.

You can read more about cookies at the Cookie Concept

You can tidy up with this tool:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------


The other items Panda found are in ComboFix quarantine or part of ComboFix itself, and will be addressed by uninstalling ComboFix as instructed below.

Other than that... we should be done here. Some final housekeeping instructions, and protection information for you.

Your logs appear clean. You should be good to go. We still have a few items to address.


Disconnect from the internet and disable your AntiVirus temporarily.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

ComboFix /Uninstall



This will uninstall ComboFix. It will also implement some cleanup procedures.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.

Delete any remaining tools we've used (DDS and GMER) and logs from them.

Empty your Recycle Bin.

After malware removal, it's a good idea to flush out existing, possibly infected System Restore points, and set a new clean point with which to go forward.

Clear & Reset System Restore's Cache
  • Press the Windows key + R
  • Type or copy/paste control sysdm.cpl,,4 & press Enter
  • Click on Continue
  • Under Automatic Restore points
    • Uncheck (untick) all the boxes under Create restore points automatically on the selected disks section.
    • Click Turn System Restore Off.
    • Click Apply

    Turn System Restore back on now.

  • Check (tick) all the boxes under Create restore points automatically on the selected disks section.
  • Click OK.

============================================

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update -

    To update Windows, click on Start > Windows Update (or Start > All Programs > Windows Update if you are using the new Vista Start Menu). If the Windows Update is not found there, go to this link - http://update.microsoft.com/ .

    This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting, and this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

tetonbob is offline  
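An added example, not from the thread and not the MVPS project's own code: an audit of the HOSTS file that the MVPS entry above replaces. It counts the blackhole entries (both 127.0.0.1 and 0.0.0.0 are treated as blocks, since some lists use the latter), flags any entry that sends a host name to a public address, and flags watched domains appearing in HOSTS at all, which is one way an infection keeps update and vendor sites unreachable. The sample file is constructed; its hijack lines use the documentation address 203.0.113.5 rather than a real attacker address, WATCH_DOMAINS is an illustrative list of the vendors mentioned in this thread, and the default path %SystemRoot%\System32\drivers\etc\hosts is the standard Windows location.

```python
"""Audit a Windows HOSTS file: count the blackhole entries an MVPS-style list
adds, and flag entries that send a host name anywhere else.

Added example, not code from the thread. SAMPLE_HOSTS is constructed; its
hijack lines use the documentation address 203.0.113.5. WATCH_DOMAINS is an
illustrative list of vendors named in the thread, not an authoritative one.
"""
import ipaddress
import os

HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# RFC 1918 / link-local ranges: not a block, not a redirect to the internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "169.254.0.0/16", "fc00::/7", "fe80::/10")]
WATCH_DOMAINS = ("microsoft.com", "avast.com", "eset.com",
                 "kaspersky.com", "pandasecurity.com")

SAMPLE_HOSTS = """\
# Constructed sample in the layout of a Windows HOSTS file
127.0.0.1       localhost
::1             localhost
# Entries in the style of the MVPS HOSTS list
127.0.0.1  ad.doubleclick.net
127.0.0.1  atdmt.com
0.0.0.0    tribalfusion.com   # some lists use 0.0.0.0 instead of 127.0.0.1
# Hijack of the kind malware plants: real sites sent to an attacker's host
203.0.113.5  www.update.microsoft.com
203.0.113.5  www.avast.com
# A private-address entry; not a block and not a redirect, but worth a glance
192.168.1.10  printer.lan
"""


def parse_hosts(text):
    """Return {"line", "ip", "names"} for each non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()     # drop trailing comments
        parts = body.split()
        if len(parts) < 2:
            continue                            # blank, comment, or malformed
        entries.append({"line": lineno, "ip": parts[0], "names": parts[1:]})
    return entries


def matches_watch(name, watch_domains):
    """True if name is a watched domain or a sub-domain of one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in watch_domains)


def audit_hosts(text, watch_domains=WATCH_DOMAINS):
    """Classify every entry and collect the ones touching watched domains."""
    report = {"local": [], "blackholed": [], "private": [], "redirected": [],
              "malformed": [], "watched": []}
    for entry in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(entry["ip"])
        except ValueError:
            report["malformed"].append(entry)
            continue
        if addr.is_loopback or addr.is_unspecified:
            if all(n.lower() in LOCAL_NAMES for n in entry["names"]):
                report["local"].append(entry)
            else:
                report["blackholed"].append(entry)  # ad/tracker blocked
        elif any(addr in net for net in PRIVATE_NETS):
            report["private"].append(entry)
        else:
            report["redirected"].append(entry)      # public address: suspect
        if any(matches_watch(n, watch_domains) for n in entry["names"]):
            report["watched"].append(entry)         # never expected in HOSTS
    return report


def main():
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS                         # offline demonstration
    report = audit_hosts(text)
    print(f"{len(report['blackholed'])} blackholed, {len(report['local'])} local")
    for bucket in ("redirected", "watched", "malformed"):
        for e in report[bucket]:
            print(f"{bucket:10} line {e['line']}: {e['ip']} {' '.join(e['names'])}")


if __name__ == "__main__":
    main()
```

On a freshly cleaned machine the "redirected" and "watched" buckets should both be empty; a blackholed count in the thousands is simply the MVPS list doing its job.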
Old 01-08-2010, 01:14 PM   #15
vinnie1543 (Registered Member)

Thank you so much for your help and time. I will finish up with the final instructions and hopefully only be back here in the future to read up on the excellent advice/maintenance tips in some of the posts. Thanks again.
vinnie1543 is offline  
Old 01-08-2010, 01:43 PM   #16
tetonbob (Expert Analyst, Moderator, Security Team)

Great, glad to hear it. I'm happy to have helped. We also hope our interactions with our members in this section of the forum are one-time events!

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.


tetonbob is offline  
 

Copyright 2001 - 2014, Tech Support Forum