Tech Support Forum

Registered · 30 Posts
Hey guys, haven't been on here for a while, some new faces I see :pray:.

Well, I'm having problems with my Dell "Inspiron 9100".

When I click on Internet Explorer, there are spyware, malware ads, and trojan warnings, etc. etc.

Thanks in advance, guys and girls.

Ah, I posted this in the wrong forum, I'm such a noob. If a mod can move this, thanks!

TSF-Emeritus · 15,457 Posts
Hello and welcome to TSF. :smile:

Apologies for the delay in response. If you haven’t received help elsewhere already and still require assistance, please post the logs requested in our pre-posting process outlined below:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please note that the forum is very busy and if I don’t hear from you in three days this thread will be closed.

Registered · 30 Posts
Discussion Starter · #7
Ah, I'm sorry, I forgot that.
I can't post it by uploading, but I copied and pasted this.
DDS (Version 1.0) - NTFSx86
Run by Thomas Cao at 20:22:47.81 on Mon 11/24/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.557 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Thomas Cao\Desktop\Security\dds.scr

============== Psuedo HJT Report ===============

uLocal Page = www.yahoo.com
uStart Page = www.yahoo.com
uSearch Page = www.yahoo.com
uDefault_Search_URL = www.yahoo.com
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {64466B8E-20A7-4A4A-AFF4-AAD9CA68B52C} - c:\program files\webmediaviewer\hpmun.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_04\bin\ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_04\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mExplorerRun: [QuickTime Task] c:\program files\webmediaviewer\qttask.exe
mExplorerRun: [VMware hptray] c:\program files\webmediaviewer\hpmon.exe
IE: Search on TER - file:///c:\program files\Search On TER/search.html
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\windows\system32\guard32.dll c:\windows\system32\cssdll32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys
S3 GoToAssist;GoToAssist;"c:\program files\citrix\gotoassist\480\g2aservice.exe" Start=service
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys

=============== Created Last 30 ================

2008-11-20 22:53 249,592 a------- c:\windows\system32\cssdll32.dll
2008-11-20 22:53 <DIR> --d----- c:\program files\AskBarDis
2008-11-20 22:52 143,096 a------- c:\windows\system32\guard32.dll
2008-11-20 22:52 99,216 a------- c:\windows\system32\drivers\cmdguard.sys
2008-11-20 22:52 31,504 a------- c:\windows\system32\drivers\cmdhlp.sys
2008-11-20 22:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\comodo
2008-11-20 22:51 <DIR> --d----- c:\program files\COMODO
2008-11-20 22:41 <DIR> --d----- C:\fsaua.data
2008-11-20 18:35 3,058 a------- c:\windows\system32\tmp.reg
2008-11-20 17:39 <DIR> --d----- c:\program files\trend micro
2008-11-19 23:27 <DIR> --d----- c:\program files\XoftSpySE
2008-11-19 22:35 250 a------- c:\windows\gmer.ini
2008-11-19 21:52 <DIR> --d----- c:\program files\WinAce
2008-11-19 20:54 <DIR> --d----- c:\program files\SpywareBlaster
2008-11-18 20:47 <DIR> --d----- c:\program files\WebMediaViewer
2008-11-11 21:28 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 21:28 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-11-24 16:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2008-11-19 22:20 <DIR> --d----- c:\docume~1\thomas~1\applic~1\LimeWire
2008-11-19 22:16 <DIR> --d----- c:\program files\LimeWire
2008-11-18 21:08 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 20:10 <DIR> --d----- c:\program files\iTunes
2008-10-15 20:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-15 20:10 <DIR> --d----- c:\program files\iPod
2008-10-15 19:45 <DIR> --d----- c:\program files\Bonjour
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 12:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-29 09:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 a------- c:\windows\system32\dnssd.dll
2008-08-27 22:51 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-03-02 17:11 <DIR> --d----- c:\docume~1\thomas~1\applic~1\vghd
2008-02-25 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2008-04-29 19:11 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-04-29 19:11 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-04-29 19:11 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:26:46.21 ===============

TSF-Emeritus · 15,457 Posts
Hi,

Please go to Start>Control Panel>Add or Remove Programs and remove the following:

WebMediaViewer

Web Media Viewer is a fake codec that installs or advertises rogue anti-spyware software. Further info: http://www.bleepingcomputer.com/uninstall/13131/Web-Media-Viewer.html

======================

Your logs indicate the presence of a P2P file sharing program, i.e. LimeWire. With reference to our NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help, I would strongly recommend that you remove it via Add or Remove Programs in Control Panel.
P2P programs like uTorrent, BitTorrent, LimeWire, Morpheus, etc. are a major conduit for malware and a likely source of your current issues. See this link.
======================

Once those programs are uninstalled/removed, restart the computer and then delete the following folders, if still present:

C:\Program Files\WebMediaViewer
c:\program files\LimeWire

======================

You have some old versions of Java running. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.
Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Then download and install Java Runtime Environment (JRE) 6 Update 10.

Delete JavaRa.Zip, and the unzipped JavaRa.exe. We're done with it now.

=======================

Post a fresh HijackThis log and let me know if the adverts have stopped.

Registered · 30 Posts
Discussion Starter · #9
amateur, WebMediaViewer isn't listed in Add or Remove Programs; also, I found the folder but couldn't delete it.

And Java Runtime, I couldn't download the first step, only the second and third. Here's DDS; GMER is giving me a problem again :mad:

TSF-Emeritus · 15,457 Posts
Hi,

I don't need the GMER log again at this point. Please download ComboFix from here.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled afterwards. A reboot should have done this.

TSF-Emeritus · 15,457 Posts
Hi,

  • Open Notepad (Start > All Programs > Accessories > Notepad). (It must be Notepad, not WordPad, or it won't work.)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop.
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
Folder::
C:\fsaua.data
c:\program files\WebMediaViewer
c:\documents and settings\Thomas Cao\Application Data\LimeWire

DirLook::
c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
==================================

Java Runtime, I couldn't download the first step, only the second and third.
I am not sure what exactly you mean here. Were you not able to download and run JavaRa?

==================================

Establish an internet connection and perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

===================================

Please post back the Combofix.txt, Kaspersky report and a fresh DDS.txt. Also let me know if the adverts have stopped.

PS. Please do not attach the files unless specifically asked to do so. It's much easier for us to review it if it's copy/pasted into the post.

Registered · 30 Posts
Discussion Starter · #13 (Edited)
amateur,
I don't know how to get the Kaspersky log, but I got the ComboFix and DDS.
ComboFix 08-11-26.03 - Thomas Cao 2008-11-26 17:26:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.688 [GMT -5:00]
Running from: c:\documents and settings\Thomas Cao\My Documents\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\iiffEttq.dll
c:\windows\Tasks\cvrvyokn.job

.
((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
.

2008-11-26 17:23 . 2008-11-26 17:24 <DIR> d--hs---- c:\documents and settings\Thomas Cao\CCAFBF4419BECE80
2008-11-26 17:23 . 2008-11-26 17:23 34,816 --a------ c:\windows\system32\awtsTMdb.dll
2008-11-25 22:46 . 2008-11-25 22:46 <DIR> d-------- c:\windows\Sun
2008-11-25 22:43 . 2008-11-25 22:42 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-24 23:32 . 2008-11-25 22:29 <DIR> d-------- c:\documents and settings\Thomas Cao\.SunDownloadManager
2008-11-20 22:53 . 2008-11-20 22:53 249,592 --a------ c:\windows\system32\cssdll32.dll
2008-11-20 22:52 . 2008-11-26 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\comodo
2008-11-20 22:51 . 2008-11-26 17:22 <DIR> d-------- c:\program files\COMODO
2008-11-20 18:35 . 2008-11-20 21:41 3,058 --a------ c:\windows\system32\tmp.reg
2008-11-20 17:39 . 2008-11-20 17:39 <DIR> d-------- C:\rsit
2008-11-20 17:39 . 2008-11-20 17:39 <DIR> d-------- c:\program files\trend micro
2008-11-20 00:19 . 2008-11-20 00:19 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-19 23:27 . 2008-11-19 23:36 <DIR> d-------- c:\program files\XoftSpySE
2008-11-19 22:35 . 2008-11-24 23:59 250 --a------ c:\windows\gmer.ini
2008-11-19 21:52 . 2008-11-19 21:56 <DIR> d-------- c:\program files\WinAce
2008-11-19 20:55 . 2008-11-25 17:47 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-19 20:54 . 2008-11-25 17:47 <DIR> d-------- c:\program files\SpywareBlaster
2008-11-11 21:28 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 21:28 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 22:29 41,608,480 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-11-26 22:29 1,153,824 --sha-w c:\windows\system32\drivers\fidbox2.dat
2008-11-26 22:23 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-26 22:22 557,612 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-11-26 22:22 108,932 --sha-w c:\windows\system32\drivers\fidbox2.idx
2008-11-26 03:42 --------- d-----w c:\program files\Java
2008-11-20 03:20 --------- d-----w c:\documents and settings\Thomas Cao\Application Data\LimeWire
2008-11-19 02:08 --------- d-----w c:\program files\Windows Media Connect 2
2008-11-10 17:36 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:10 --------- d-----w c:\program files\iTunes
2008-10-16 01:10 --------- d-----w c:\program files\iPod
2008-10-16 01:06 --------- d-----w c:\program files\QuickTime
2008-10-16 01:05 --------- d-----w c:\program files\Common Files\Apple
2008-10-16 00:45 --------- d-----w c:\program files\Bonjour
2008-10-04 15:19 --------- d-----w c:\documents and settings\Thomas Cao\Application Data\CyberLink
2008-10-04 15:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-04 15:18 --------- d-----w c:\program files\CyberLink
2008-10-01 17:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 14:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 13:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( [email protected]_14.44.08.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-14 05:57:22 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-11-26 03:42:44 144,792 ----a-w c:\windows\system32\java.exe
- 2007-12-14 05:57:24 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-26 03:42:44 144,792 ----a-w c:\windows\system32\javaw.exe
- 2007-12-14 06:59:16 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-26 03:42:44 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-26 22:23:05 16,384 ----atw c:\windows\temp\Perflib_Perfdata_260.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-25 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-26 185896]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-11-20 278264]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\awtsTMdb.dll" [2008-11-26 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-25 10:59 10792 c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsTMdb]
2008-11-26 17:23 34816 c:\windows\system32\awtsTMdb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\kav\\kav7\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 CCAFBF4419BECE80;CCAFBF4419BECE80;\??\c:\documents and settings\Thomas Cao\CCAFBF4419BECE80\CCAFBF4419BECE80 []
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]
S3 GoToAssist;GoToAssist;"c:\program files\Citrix\GoToAssist\480\g2aservice.exe" Start=service [2008-02-25 16936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - CCAFBF4419BECE80
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-25 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-13 19:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-QuickTime Task - c:\program files\WebMediaViewer\qttask.exe


.
------- File Associations -------
.
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-26 17:29:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\CCAFBF4419BECE80]
"ImagePath"="\??\c:\documents and settings\Thomas Cao\CCAFBF4419BECE80\CCAFBF4419BECE80"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1328)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\480\G2AWinLogon.dll
c:\windows\system32\klogon.dll
c:\windows\system32\awtsTMdb.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll

- - - - - - - > 'lsass.exe'(1384)
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll
.
Completion time: 2008-11-26 17:31:06
ComboFix-quarantined-files.txt 2008-11-26 22:31:02
ComboFix2.txt 2008-11-25 19:45:42

Pre-Run: 61,689,884,672 bytes free
Post-Run: 61,781,876,736 bytes free

171 --- E O F --- 2008-11-12 04:19:10
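One way to sift a ComboFix log like the one above for the entries a reviewer looks at first, as an added Python example that is not the forum's or ComboFix's own code. The sample lines are copied from the log in this post; the three heuristics (an eight-letter mixed-case DLL name registered as a ShellExecuteHook or Winlogon Notify package, a service whose image lives under Documents and Settings, and an AutoRun command under mountpoints2) and all function names are my own assumptions about what merits a closer look, not a verdict on any file.

```python
"""Rule-based triage of the 'Reg Loading Points' and 'DLLs Loaded' sections
of a ComboFix log.  Added example, not the forum's or ComboFix's own code.
The heuristics below are the reviewer's assumptions, not a verdict."""
import re

# Constructed sample input: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-25 136600]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\awtsTMdb.dll" [2008-11-26 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-02-25 10:59 10792 c:\program files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsTMdb]
2008-11-26 17:23 34816 c:\windows\system32\awtsTMdb.dll

R2 CCAFBF4419BECE80;CCAFBF4419BECE80;\??\c:\documents and settings\Thomas Cao\CCAFBF4419BECE80\CCAFBF4419BECE80 []
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2007-12-13 24592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe

- - - - - - - > 'winlogon.exe'(1328)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\awtsTMdb.dll
"""

DLL_PATH = re.compile(r'[a-z]:\\[^"\[\]]*?\.dll\b', re.I)
PROC_HEADER = re.compile(r"^- (?:- )*> '([^']+)'")
HOOK_KINDS = {"shellexecutehooks": "ShellExecuteHooks", "winlogon\\notify": "Winlogon Notify"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def looks_random(dll_name):
    """Eight letters, mixed case, no digits: the naming shape of awtsTMdb.dll in
    the log above.  Heuristic only; a legitimate DLL can match as well."""
    stem = dll_name.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    return stem != stem.lower() and stem != stem.upper()


def triage(log_text):
    findings = []
    hook_dlls = {}   # lower-case DLL name -> [name as written, set of hook kinds]
    loaded = {}      # process name -> set of lower-case DLL names listed under it
    current_key = current_proc = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):       # registry key header
            current_key, current_proc = line[1:-1].lower(), None
            continue
        m = PROC_HEADER.match(line)                            # 'DLLs Loaded' process header
        if m:
            current_proc, current_key = m.group(1).lower(), None
            continue
        # Rule 1: DLLs registered as ShellExecuteHooks or Winlogon Notify packages
        kind = next((v for k, v in HOOK_KINDS.items() if current_key and k in current_key), None)
        if kind:
            m = DLL_PATH.search(line)
            if m:
                name = basename(m.group(0))
                hook_dlls.setdefault(name.lower(), [name, set()])[1].add(kind)
                if looks_random(name):
                    findings.append(f"random-looking hook DLL {name} registered via {kind}")
        # Rule 2: services/drivers whose image lives under a user profile
        if re.match(r"[RS]\d ", line):
            parts = line.split(";")
            if len(parts) >= 3 and "documents and settings" in parts[2].lower():
                findings.append(f"service {parts[0].split()[1]} runs from a user profile path")
        # Rule 3: AutoRun handler registered for a mounted drive
        if current_key and "mountpoints2" in current_key and "autorun" in line.lower():
            findings.append(f"AutoRun command under mountpoints2: {line.split(' - ', 1)[-1]}")
        # Record DLLs listed under a running process for the cross-check below
        if current_proc:
            m = DLL_PATH.search(line)
            if m:
                loaded.setdefault(current_proc, set()).add(basename(m.group(0)).lower())
    # Cross-checks over the whole log
    for key, (name, kinds) in hook_dlls.items():
        if len(kinds) > 1:
            findings.append(f"{name} is registered under multiple hook points: {', '.join(sorted(kinds))}")
        if looks_random(name) and key in loaded.get("winlogon.exe", set()):
            findings.append(f"{name} is loaded into winlogon.exe")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("CHECK:", finding)
```

Run against the sample, the script lists the same DLL twice (once per hook point), the service started from the user's profile, the AutoRun command, and the cross-check that the hook DLL is also sitting inside winlogon.exe. Each line is a prompt to look closer, which is how a log reviewer uses it: the decision about what to remove still comes from the reviewer, not from the script.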

Registered · 30 Posts
Discussion Starter · #14
From the DDS log:

DDS (Version 1.0) - NTFSx86
Run by Thomas Cao at 17:15:01.95 on Wed 11/26/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.676 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Thomas Cao\My Documents\Combo-Fix.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Thomas Cao\Desktop\Security\dds.scr

============== Psuedo HJT Report ===============

uLocal Page = www.yahoo.com
uStart Page = www.yahoo.com
uSearch Page = www.yahoo.com
uDefault_Search_URL = www.yahoo.com
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mExplorerRun: [QuickTime Task] c:\program files\webmediaviewer\qttask.exe
IE: Search on TER - file:///c:\program files\Search On TER/search.html
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys
S3 GoToAssist;GoToAssist;"c:\program files\citrix\gotoassist\480\g2aservice.exe" Start=service

=============== Created Last 30 ================

2008-11-26 17:12 389,120 a------- c:\windows\system32\CF11055.exe
2008-11-26 17:12 199 a------- C:\Start_.cmd
2008-11-26 17:11 389,120 a------- c:\windows\system32\cmd.execf
2008-11-25 22:43 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-25 14:57 143,096 a------- c:\windows\system32\guard32.dll
2008-11-25 14:57 99,216 a------- c:\windows\system32\drivers\cmdguard.sys
2008-11-25 14:57 31,504 a------- c:\windows\system32\drivers\cmdhlp.sys
2008-11-25 14:35 <DIR> --d----- C:\cmdcons
2008-11-25 14:33 161,792 a------- c:\windows\SWREG.exe
2008-11-25 14:33 98,816 a------- c:\windows\sed.exe
2008-11-24 23:32 <DIR> --d----- c:\documents and settings\thomas cao\.SunDownloadManager
2008-11-20 22:53 249,592 a------- c:\windows\system32\cssdll32.dll
2008-11-20 22:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\comodo
2008-11-20 22:51 <DIR> --d----- c:\program files\COMODO
2008-11-20 18:35 3,058 a------- c:\windows\system32\tmp.reg
2008-11-20 17:39 <DIR> --d----- c:\program files\trend micro
2008-11-19 23:27 <DIR> --d----- c:\program files\XoftSpySE
2008-11-19 22:35 250 a------- c:\windows\gmer.ini
2008-11-19 21:52 <DIR> --d----- c:\program files\WinAce
2008-11-19 20:54 <DIR> --d----- c:\program files\SpywareBlaster
2008-11-18 20:47 <DIR> --d----- c:\program files\WebMediaViewer
2008-11-11 21:28 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 21:28 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll

==================== Find3M ====================

2008-11-26 17:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2008-11-19 22:20 <DIR> --d----- c:\docume~1\thomas~1\applic~1\LimeWire
2008-11-18 21:08 <DIR> --d----- c:\program files\Windows Media Connect 2
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 20:10 <DIR> --d----- c:\program files\iTunes
2008-10-15 20:10 <DIR> --d----- c:\program files\iPod
2008-10-15 19:45 <DIR> --d----- c:\program files\Bonjour
2008-09-15 07:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 20:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 12:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-08-29 09:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-08-29 08:53 61,440 a------- c:\windows\system32\dnssd.dll
2008-03-02 17:11 <DIR> --d----- c:\docume~1\thomas~1\applic~1\vghd
2008-02-25 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix

============= FINISH: 17:16:10.17 ===============
 

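The DDS log above contains a pattern worth pulling out: the `QuickTime Task` run-key name appears twice, once from the QuickTime directory and once (under mExplorerRun) from c:\program files\webmediaviewer, and the IE section has an entry that points at an off-box URL. The following is an added triage script, not part of the thread or of the DDS tool, that runs a few such heuristics over lines copied from this log. The EXPECTED_DIR table is an assumption for illustration only.

```python
"""Triage heuristics over DDS-style autorun lines (added example)."""
import re
from collections import defaultdict

# Constructed sample: the Run-key and IE lines of interest, copied from the
# DDS log in this thread.
SAMPLE_LOG = r"""
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
mExplorerRun: [QuickTime Task] c:\program files\webmediaviewer\qttask.exe
IE: Search on TER - file:///c:\program files\Search On TER/search.html
IE: {3B8FB116-D358-48A3-A5C7-DB84F15CBB04} - http://www.ietoolexpress.com/redirect.php
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
"""

# mRun:, mExplorerRun:, uRun: ... all end in "Run:" followed by [name] command
RUN_LINE = re.compile(r'^(?P<key>\w*Run):\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$')


def exe_path(cmd):
    """Strip arguments from a Run-key command line and return the lower-cased
    executable path.  Quoted paths end at the closing quote; unquoted ones
    (DDS prints some that way) are cut after the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    m = re.search(r'\.exe', cmd, re.IGNORECASE)
    return (cmd[:m.end()] if m else cmd.split()[0]).lower()


def parse_autoruns(text):
    """(key, display name, executable path) for every *Run: line."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append((m['key'], m['name'], exe_path(m['cmd'])))
    return entries


def duplicate_names(entries):
    """Display names registered from more than one distinct executable.
    A second qttask.exe in another directory borrowing the legitimate
    QuickTime entry's name is exactly what this catches."""
    by_name = defaultdict(set)
    for _key, name, path in entries:
        by_name[name.lower()].add(path)
    return {n: sorted(p) for n, p in by_name.items() if len(p) > 1}


# Assumption for illustration: the directory fragment the real product
# installs into.  Build this from the vendor's installer layout in practice.
EXPECTED_DIR = {
    "quicktime task": "\\quicktime\\",
    "ituneshelper": "\\itunes\\",
    "avp": "\\kaspersky lab\\",
}


def misplaced(entries):
    """Entries whose executable is not under the directory their name implies."""
    return [(name, path) for _key, name, path in entries
            if name.lower() in EXPECTED_DIR
            and EXPECTED_DIR[name.lower()] not in path]


def ie_targets(text):
    """(label, target, kind) for every IE: line; kind is 'remote' for an
    http(s) URL, 'file_url' for a file:/// reference, otherwise 'local'."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("IE:"):
            continue
        label, _, target = line[3:].strip().rpartition(" - ")
        low = target.lower()
        if low.startswith(("http://", "https://")):
            kind = "remote"
        elif low.startswith("file:"):
            kind = "file_url"
        else:
            kind = "local"
        out.append((label, target, kind))
    return out


def triage(text):
    """Run all three checks and return their hits in one dict."""
    entries = parse_autoruns(text)
    return {
        "duplicates": duplicate_names(entries),
        "misplaced": misplaced(entries),
        "remote_ie": [(l, t) for l, t, k in ie_targets(text) if k == "remote"],
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(check, hits)
```

Nothing here proves a file is malicious; a hit only says which entries to pull first (hash the second qttask.exe, look at what the redirect.php button does) before deciding what a removal script should target.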
· TSF-Emeritus
Joined
·
15,457 Posts
Hi,

Are you still getting the malware ads?

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Open Notepad (Start > All Programs > Accessories > Notepad). It must be Notepad, not WordPad, or it won't work.
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop
  • Click Format and ensure Word Wrap is unchecked.

Code:
File::
c:\windows\system32\awtsTMdb.dll

Folder::
c:\docume~1\thomas~1\applic~1\LimeWire

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet003\Services\CCAFBF4419BECE80]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsTMdb]

Driver::
CCAFBF4419BECE80


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt, which I will require in your next post.

=================================

I don't know how to get the Kaspersky log
As stated in my previous instructions:
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Please try again. If not successful, you can try the following online scanner.

Please go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

=============================

Please post back the ComboFix.txt, and the Kaspersky and/or ESET report.
 

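The CFScript above is the part of this post a reader is most likely to misread, because its Registry:: section uses .reg-file conventions: a key written as [-HKEY...] is deleted, and a value written as "name"=- is deleted. Below is an added parser, not ComboFix's own code and not from the thread, that turns that script into a list of requested actions and then cross-checks that each Driver:: entry also has its Services key removed. The treatment of File::, Folder:: and Driver:: as deletions, and of Registry:: as .reg syntax, is how the format is commonly documented and is an assumption of this example.

```python
"""Parse a ComboFix CFScript into the actions it requests (added example)."""
import re

# Constructed sample: the CFScript posted in this thread, verbatim.
SAMPLE_CFSCRIPT = r"""File::
c:\windows\system32\awtsTMdb.dll

Folder::
c:\docume~1\thomas~1\applic~1\LimeWire

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet003\Services\CCAFBF4419BECE80]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsTMdb]

Driver::
CCAFBF4419BECE80
"""

SECTION = re.compile(r'^(\w+)::\s*$')          # e.g. "Registry::"
KEY = re.compile(r'^\[(-?)(.+)\]\s*$')          # "[key]" or "[-key]" (delete)
VALUE = re.compile(r'^"([^"]+)"=(.*)$')          # "name"=data; data "-" = delete


def parse_cfscript(text):
    """Return a list of (action, target) tuples in script order.

    File::, Folder:: and Driver:: lines become delete_<section> actions.
    Registry:: lines follow .reg semantics: [-key] deletes the key, "v"=-
    deletes value v under the most recently opened key, anything else is a
    set_value."""
    actions = []
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            current_key = None
            continue
        if section in ("File", "Folder", "Driver"):
            actions.append(("delete_" + section.lower(), line))
        elif section == "Registry":
            k = KEY.match(line)
            if k:
                current_key = k.group(2)
                if k.group(1) == "-":
                    actions.append(("delete_key", current_key))
                continue
            v = VALUE.match(line)
            if v and current_key is not None:
                name, data = v.groups()
                if data == "-":
                    actions.append(("delete_value", current_key + "\\" + name))
                else:
                    actions.append(("set_value", current_key + "\\" + name + "=" + data))
        else:
            actions.append(("unknown", "%s:%s" % (section, line)))
    return actions


def unpaired_drivers(actions):
    """Drivers named under Driver:: whose Services key the script does not
    also delete.  The script above pairs CCAFBF4419BECE80 with its key under
    ...\Services\; a driver without that pairing would leave its service
    registration behind."""
    deleted = {t.lower() for a, t in actions if a == "delete_key"}
    return [t for a, t in actions if a == "delete_driver"
            and not any(k.endswith("\\services\\" + t.lower()) for k in deleted)]


if __name__ == "__main__":
    for action, target in parse_cfscript(SAMPLE_CFSCRIPT):
        print(action, target)
    print("unpaired drivers:", unpaired_drivers(SAMPLE_CFSCRIPT and parse_cfscript(SAMPLE_CFSCRIPT)))
```

Reading the script this way before dragging it onto ComboFix.exe is a cheap sanity check: every target should be something you have already seen in the DDS or GMER output, and a deleted Services key should correspond to a driver you intend to remove.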
· Registered
Joined
·
30 Posts
Discussion Starter · #16 ·
Hey amateur,
I have a major problem: after I ran ComboFix and rebooted, I've lost my connections and I'm unable to get online. I'm using my bro's desktop. Please help.
 

· TSF-Emeritus
Joined
·
15,457 Posts
That's odd. I can't see anything that would cause that.

Go to Start → Run → paste in the following single-line command and click OK

netsh winsock reset catalog

Reboot the machine
 

· TSF-Emeritus
Joined
·
15,457 Posts
ComboFix creates a System Restore point before it runs. Try using that to restore the system.

1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
4. On the Select a Restore Point page, click the most recent system checkpoint in the "On this list, click a restore point" list, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
6. Log on to the computer as Administrator. The System Restore Restoration Complete page appears.
7. Click OK.

Let me know if you've got your internet connection back.
 