Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help

Random Audio Advertisements/Diverts internet searches/Unable to run Spybot/Gmer

This is a discussion on Random Audio Advertisements/Diverts internet searches/Unable to run Spybot/Gmer within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category. OS: Windows XP Build 2600.xpsp_sp3_gdr.090206-1234: Service Pack 3 Hi, I'm sorry, but I had to repost my original message posted


Reply
 
Thread Tools Search this Thread
Old 10-03-2009, 01:10 PM   #1
Registered Member
 
Join Date: Sep 2009
Posts: 10
OS: Windows XP (Build 2600.xpsp_sp3_gdr.090206-1234: Service Pack 3


Exclamation

OS: Windows XP Build 2600.xpsp_sp3_gdr.090206-1234: Service Pack 3

Hi,

I'm sorry, but I had to repost my original message posted on September 22, 2009 with the title "Mysterious Audio Advertisements/Internet reroute/Unable to run Spybot/gmer".

I didn't read the end of the "how to" carefully and realized that after placing the second "bump please" it probably looked like it was being worked on. Sorry for the inconvenience.

So here's what I have going on:

I bought my laptop a few months ago from someone on craigslist. After I took it home I started to notice some weird things.

A. Every once in a while this random audio advertisement will start playing, even though there are no programs running or internet browsers up. One time it played while I was browsing and I closed the window and it continued. The other time I was just playing with the Admin settings trying to see what I could mess around with to see if I could track the virus I suspected. That second time it just made some weird noises w/o the advertisement. Pretty eerie.

*Note: I haven't been able to prove this, but I think it tends to happen only when it's connected to the internet.

B. I noticed that after the first few attempts to browse the internet I would begin to get redirected to other sites. Particularly when trying to reach antimalware/spayware sites.

One sends me to "bestcompanysearch.com/click/go.php?u="... and a long code after that, and I can't remember the other site. It would also redirect me when trying to download antiviruses and antispam type places.

C. It will not run some downloaded programs. I first noticed the problem when I tried to download Chrome. It downloaded, but would not run. I think it also happened with one other antivirus. I also downloaded Spybot and it made it to my computer after a few tries but once it was downloaded, I could not run it.

---speaking of browsers, I tried to uninstall IE and in the processes a iexplore.exe keeps popping up after the uninstall.

***Prior to this I had one of the IT guys from my work help me download CLAMwin virus scanner. It did find one virus: C:\\WINDOWS\kernel32lib.dll: Trojan:Downloader-75304 FOUND and it was then moved to quarantine after which I disposed of it in the recycle bin and emptied it.

Tried to run the gmer app and was unsuccessful.

D. I know the kid who had this before me used Limewire, which I tried to uninstall semi successfully.

E. If I try to mess around too much with the computer it will freeze up and I have to turn it off and restart.

This is all I can think of off the top of my head. I haven't used this laptop much since I got it because I have a mac and well because I didn't want to bother with all the problems. If I weren't in a camp in Algeria with no access to the outside world for a period of time I'd try to find a way to wipe the drive clean and start over (problem is I don't have the windows cd) since there's nothing saved on this laptop that I need.

Anyway, this is what's going on, any help would be really appreciated. You guys are my only hope out here and I really appreciate your help. Thanks!

BTW: I did the dds scan while in safe mode. Don't know if that makes a difference.

Oh and also, I can't get rid of this sean rangel name on the computer. Don't know if that's because of the virus.







DDS (Ver_09-07-30.01) - NTFSx86 MINIMAL
Run by Vito at 22:03:36.40 on Tue 09/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.800 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Vito.SEAN-166B27A403\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.canfind.org/search/ac.php?aid=90&sid=v5
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IDTSysTrayApp] sttray.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ClamWin] "c:\program files\clamwin\bin\ClamTray.exe" --logon
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vito~1.sea\applic~1\mozilla\firefox\profiles\eqlakuju.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

S2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-15 226656]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-4-10 112128]

=============== Created Last 30 ================

2009-09-21 19:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-21 19:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-18 23:41 5 a------- c:\windows\system32\Band4
2009-09-18 23:41 7 a------- c:\windows\system32\Class11
2009-09-05 21:54 <DIR> --d----- c:\docume~1\vito~1.sea\applic~1\.clamwin
2009-09-05 21:53 <DIR> --d----- c:\program files\ClamWin
2009-09-05 21:53 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-09-05 20:19 <DIR> --dsh--- c:\documents and settings\vito.sean-166b27a403\IECompatCache
2009-09-05 20:17 <DIR> --dsh--- c:\documents and settings\vito.sean-166b27a403\PrivacIE
2009-09-05 20:17 <DIR> --d----- c:\docume~1\vito~1.sea\applic~1\alot
2009-09-05 20:17 <DIR> --dsh--- c:\documents and settings\vito.sean-166b27a403\IETldCache
2009-09-05 20:16 <DIR> --d----- c:\documents and settings\Vito.SEAN-166B27A403

==================== Find3M ====================

2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-25 13:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-12 20:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 17:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 17:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 17:12 17,408 a------- c:\windows\system32\corpol.dll

============= FINISH: 22:05:25.48 ===============
Attached Files
File Type: zip Attach.zip (2.5 KB, 5 views)

__________________
VAF84 is offline   Reply With Quote
Old 10-06-2009, 01:07 PM   #2
Registered Member
 
Join Date: Sep 2009
Posts: 10
OS: Windows XP (Build 2600.xpsp_sp3_gdr.090206-1234: Service Pack 3



Bump, Please.

__________________
VAF84 is offline   Reply With Quote
Old 10-06-2009, 09:31 PM   #3
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,389
OS: WinXP Home, Vista, Windows 7 64bit



Hello VAF84,

What happens when you try to run gmer? Does it simply not respond, or are you seeing an error message?

Delete your existing gmer.exe and download it again from here.

Try again to run the scan as outlined in our pre-posting topic:
  • An initial scan will automatically begin.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries



Please attach the ark.txt in your next reply
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline   Reply With Quote
Old 10-06-2009, 10:41 PM   #4
Registered Member
 
Join Date: Sep 2009
Posts: 10
OS: Windows XP (Build 2600.xpsp_sp3_gdr.090206-1234: Service Pack 3



Ried,

When I ran it initially nothing happened. Pretty much the same as would happen when I tried to click on Spybot and any other program I would try and download. I would double click and nothing.

This time it ran the program with the new link, no problem.

I've attached the file.
Attached Files
File Type: txt ark.txt (2.7 KB, 2 views)
__________________
VAF84 is offline   Reply With Quote
Old 10-06-2009, 10:44 PM   #5
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,389
OS: WinXP Home, Vista, Windows 7 64bit



Good, now we can get started.

Download ComboFix from one of these locations, but rename it to vaf84.exe before saving it to your desktop.

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline   Reply With Quote
Old 10-07-2009, 01:18 AM   #6
Registered Member
 
Join Date: Sep 2009
Posts: 10
OS: Windows XP (Build 2600.xpsp_sp3_gdr.090206-1234: Service Pack 3


Grin

Ok, here's exactly what I did.

At work I downloaded the combo fix and saved it to a flash disk. I changed the name to vaf84.exe . I took my hp home so I would have access to the internet there plugged in the flash drive dragged the .exe file to the desktop and double clicked. I got 2 error boxes saying "Some files could not be created. Please close all applicatoins, reboot windows and restart this installation. Which I did.

After restarting I double clicked combo fix again after closing my antivirus stuff ... I got a little time bar, then the disclaimer about not purchasing the software from certain websites. Clicked yes... a few seconds later to blue boxes pop up...

One says:
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
along with a message, didn't get to type it up.

My computer failed to download the required files for the windows console and it aborted trying. It continued to scan.

It then told me I had to reboot and write down the following names:

C:/WINDOWS/system32/Drivers/UACoweycpntxvdyvjb.sys
C:/WINDOWS/system32/UACnreecxnsrteolwb.dll
C:/WINDOWS/system32/UACxxnqqhcpxmwvqxo.dat
C:/WINDOWS/system32/UACbxhoeppfifjkswk.dll
C:/WINDOWS/system32/UAClrmtxumfukwmrxr.dll
C:/WINDOWS/system32/UACdakmpbpaswuwkp.dll
C:/WINDOWS/system32/UACpuehwmkansvdppx.dll
C:/WINDOWS/system32/UACnlkkfkpbplkrdmh.log
C:/WINDOWS/system32/UACdxyreirimytcwmp.log
C:/WINDOWS/system32/UACstyxmvewrpbbnjo.log

It then said ComboFix is preparing to run.

Windows Recovery Console window popped up again, and I again tried to say yes to install it.

Blue box says it's scanning

Completed Stage_1
Completed Stage_2
Completed Stage_3
Completed Stage_4
Completed Stage_5
Completed Stage_6
Completed Stage_6A
Completed Stage_7
Completed Stage_8
Completed Stage_9
Completed Stage_10
Completed Stage_11-19,19b, 20-32a, 33-50

Deleting Files:
Shows list (didn't get to write them down)

Find3M
Preparing Log Report.

ComboFix's log shall be located at C:\COMBOFIX.TXT

Success... LOL, I guess I didn't have to write all of that down, but I thought just in case something goes wrong... I've attached the file.

Hopefully this has fixed it! I'll wait for your reply to see if all is good :)

ComboFix 09-10-06.03 - Vito 10/07/2009 9:04.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.769 [GMT 1:00]
Running from: c:\documents and settings\Vito.SEAN-166B27A403\Desktop\vaf84.exe.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Vito.SEAN-166B27A403\Application Data\alot
c:\recycler\S-1-5-21-1645522239-796845957-299502267-1004
c:\windows\Installer\209440.msi
c:\windows\system32\drivers\UACoweycpntxvdyvjb.sys
c:\windows\system32\oem13.inf
c:\windows\system32\UACbxhoeppfifjkswk.dll
c:\windows\system32\UACdakmpbpaswuwrkp.dll
c:\windows\system32\UACdxyreirimytcwmp.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClrmtxumfukwmrxr.dll
c:\windows\system32\UACnlkkfkpbplkrdmh.log
c:\windows\system32\UACnreecxnsrteolwb.dll
c:\windows\system32\UACpuehwmkansvdppx.dll
c:\windows\system32\UACstyxmvewrpbbnjo.log
c:\windows\system32\UACxxnqqhcpxmwvqxo.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-09-21 18:51 . 2009-09-22 20:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-21 18:51 . 2009-09-22 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 22:00 . 2009-09-05 21:24 -------- d-----w- c:\documents and settings\Vito.SEAN-166B27A403\Application Data\Skype
2009-09-06 17:10 . 2009-04-10 23:14 -------- d-----w- c:\program files\Google
2009-09-06 16:59 . 2009-09-05 21:25 -------- d-----w- c:\documents and settings\Vito.SEAN-166B27A403\Application Data\skypePM
2009-09-05 21:13 . 2009-09-05 21:13 -------- d-----w- c:\documents and settings\Vito.SEAN-166B27A403\Application Data\Apple Computer
2009-09-05 21:12 . 2009-09-05 21:12 34616 ----a-w- c:\documents and settings\Vito.SEAN-166B27A403\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-05 20:55 . 2009-09-05 20:54 -------- d-----w- c:\documents and settings\Vito.SEAN-166B27A403\Application Data\.clamwin
2009-09-05 20:53 . 2009-09-05 20:53 -------- d-----w- c:\program files\ClamWin
2009-08-18 01:01 . 2009-08-18 01:01 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-08-18 00:37 . 2009-08-18 00:35 -------- d-----r- c:\program files\Skype
2009-08-18 00:35 . 2009-08-18 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-18 00:33 . 2009-08-18 00:33 0 ----a-w- c:\windows\nsreg.dat
2009-08-16 16:32 . 2009-04-10 23:05 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 12:23 . 2009-04-10 23:06 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 19:21 . 2008-04-14 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-08-30 442477]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-08-28 471040]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-31 1343488]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-06-11 86016]
"IDTSysTrayApp"="sttray.exe" - c:\windows\STTRAY.EXE [2008-08-30 442477]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="1"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [4/10/2009 11:02 PM 112128]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.canfind.org/search/ac.php?aid=90&sid=v5
FF - ProfilePath - c:\documents and settings\Vito.SEAN-166B27A403\Application Data\Mozilla\Firefox\Profiles\eqlakuju.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-AIM_6 - c:\program files\AIM6\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 09:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-10-07 9:13
ComboFix-quarantined-files.txt 2009-10-07 08:12

Pre-Run: 10,545,676,288 bytes free
Post-Run: 10,576,617,472 bytes free

111 --- E O F --- 2009-10-02 20:47
Attached Files
File Type: txt ComboFix.txt (6.7 KB, 2 views)
__________________
VAF84 is offline   Reply With Quote
Old 10-07-2009, 05:46 AM   #7
Administrator
Management Team, Security Center & TSF Academy
Expert Analyst, Moderator, Security Team
Rangemaster, Moderator, TSF Academy
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,389
OS: WinXP Home, Vista, Windows 7 64bit



This looks a lot better. Even though we likely don't need the Recovery Console at this time, infections these days tend to patch a lot of critical system files which often result in multiple problems, one of which can be an unbootable machine. Having Window's Recovery Console installed on your machine in advance can save a lot of heartache in the future.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools



  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'NO' .
  • When the tool is finished, it will produce a report for you.

===============================

What we need to do now is run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline   Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 03:56 PM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts