
Spyware + Malware

917 Views 6 Replies 2 Participants Last post by Ried
OK, my desktop computer is totally messed up. I logged on my user last night and everything was loading fine, and then my desktop turned all red and said "Your computer is under attack by spyware" and a bunch of other crap. It keeps on popping up a site where I should buy an anti-spyware program.

Please tell me EXACTLY how to get rid of all of this. I am not a computer genius, so please put up with me, and speak the normal English language so I can understand everything.

Thank you.
By the way, I do not have HijackThis on my infected computer, and I don't know if I have a way of getting HJT on it anymore.
Hello MarkoInJP,

This is a common infection, you should be able to download the necessary tools for us to assist you.

Instead of just a HijackThis scan, we prefer a more comprehensive set of logs to assist in detecting any malware that may be present.

As noted in the final step (Step 5) of our sticky topic IMPORTANT - Read This Before Posting For Malware Removal Help....

Download Deckard's System Scanner (DSS) to your Desktop.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review.
  • DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

Please include the following in your next reply:

main.txt
an attached extra.txt
Thanks Ried, but I used suggestions given to someone else involving ComboFix. But I will save this in case it happens again.

You should not be using ComboFix without guidance, nor should you be following advice given in other threads.


While your symptoms may have seemingly abated, it takes more than one round to properly eradicate this infection.

Please post the C:\Combofix.txt for further review.
The log? Here:

ComboFix 08-06-04.3 - Marko1 2008-06-05 17:00:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.200 [GMT 9:00]
Running from: C:\Documents and Settings\Marko1\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 68 bytes in 1 streams.
ADS - explorer.exe: deleted 132 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Marko1\Application Data\macromedia\Flash Player\#SharedObjects\XVTZWC6F\www.broadcaster.com
C:\Documents and Settings\Marko1\Application Data\macromedia\Flash Player\#SharedObjects\XVTZWC6F\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Marko1\Application Data\macromedia\Flash Player\#SharedObjects\XVTZWC6F\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Marko1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Marko1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\g32.txt
C:\WINDOWS\homepage.html
C:\WINDOWS\index.html
C:\WINDOWS\promo1.html
C:\WINDOWS\promo2.html
C:\WINDOWS\promo3.html
C:\WINDOWS\promo4.html
C:\WINDOWS\promo5.html
C:\WINDOWS\promo6.html
C:\WINDOWS\promogif1.gif
C:\WINDOWS\promogif2.gif
C:\WINDOWS\promogif3.gif
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\adult.txt
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\system32\finance.txt
C:\WINDOWS\system32\lt.res
C:\WINDOWS\system32\other.txt
C:\WINDOWS\system32\pharma.txt
C:\WINDOWS\system32\sft.res
C:\WINDOWS\system32\sn.txt
C:\WINDOWS\system32\sockins32.dll
C:\WINDOWS\system32\sockots64.dll
C:\WINDOWS\ws386.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Service_aspimgr


((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-05 16:07 . 2008-06-05 16:07 <DIR> d-------- C:\Documents and Settings\Misa\Application Data\Webroot
2008-06-05 09:35 . 2008-06-05 09:35 <DIR> d-------- C:\Documents and Settings\Bokica\Application Data\Webroot
2008-06-04 23:43 . 2008-06-04 23:43 <DIR> d-------- C:\Program Files\Webroot
2008-06-04 23:43 . 2008-06-04 23:43 <DIR> d-------- C:\Program Files\AskSBar
2008-06-04 23:43 . 2008-06-04 23:43 <DIR> d-------- C:\Documents and Settings\Marko1\Application Data\Webroot
2008-06-04 23:43 . 2008-06-04 23:43 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-06-04 23:43 . 2008-06-04 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-06-04 23:43 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-06-04 23:43 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-06-04 23:43 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-06-04 23:43 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-06-04 23:43 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-06-04 23:38 . 2008-06-04 23:38 164 --a------ C:\install.dat
2008-05-29 16:11 . 2008-05-29 16:11 <DIR> d-------- C:\Program Files\CASTLE WOLFENSTEIN
2008-05-27 16:38 . 1998-10-07 12:08 327,168 --a------ C:\WINDOWS\IsUn040c.exe
2008-05-26 21:35 . 2008-05-29 18:54 <DIR> d-------- C:\Documents and Settings\Marko1\Incomplete
2008-05-24 15:03 . 2008-05-24 15:03 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-05-24 01:42 . 2008-05-24 16:47 <DIR> d-------- C:\Documents and Settings\Marko1\Application Data\Aim
2008-05-24 01:41 . 2008-05-24 01:41 <DIR> d-------- C:\Program Files\AOD
2008-05-24 01:41 . 2008-05-24 16:47 <DIR> d-------- C:\Program Files\AIM
2008-05-11 00:34 . 2008-05-11 00:34 1,160 --a------ C:\WINDOWS\mozver.dat
2008-05-11 00:31 . 2008-05-11 00:32 <DIR> d-------- C:\Program Files\Safari
2008-05-11 00:31 . 2008-05-11 00:31 <DIR> d-------- C:\Program Files\Bonjour
2008-05-10 23:24 . 2008-05-10 23:24 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 09:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 09:47 --------- d-----w C:\Documents and Settings\Marko1\Application Data\LimeWire
2008-05-24 06:45 --------- d-----w C:\Documents and Settings\Marko1\Application Data\Apple Computer
2008-05-23 16:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-12 08:28 --------- d-----w C:\Documents and Settings\Misa\Application Data\Canon
2008-04-30 14:36 --------- d-----w C:\Program Files\Online TV Player 4
2008-04-30 13:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-04-30 13:16 --------- d-----w C:\Program Files\TVUPlayer
2008-04-27 14:54 --------- d-----w C:\Documents and Settings\Bokica\Application Data\LimeWire
2008-04-26 10:16 --------- d-----w C:\Documents and Settings\Marko1\Application Data\Canon
2008-04-19 14:33 --------- d-----w C:\Program Files\iTunes
2008-04-19 14:32 --------- d-----w C:\Program Files\iPod
2008-04-19 14:29 --------- d-----w C:\Program Files\QuickTime
2008-04-06 02:09 --------- d-----w C:\Program Files\Common Files\Adobe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-06-04 23:43 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" [2008-06-04 23:43 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2008-06-04 23:43 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 16:30 68856]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:21 1694208]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-04 01:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2005-11-24 01:33 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 06:32 455168]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-17 14:24 180269]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"DVD43"="C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe" [2005-04-23 11:55 267264]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 08:56 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-07-20 21:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 08:56 33280 C:\WINDOWS\system32\rundll32.exe]
"pdfFactory Pro Dispatcher v1"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" [2002-10-11 11:13 364544]
"WinFaxAppPortStarter"="wfxsnt40.exe" [2000-02-14 17:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-03-11 20:27 949376]
"PestPatrol Control Center"="C:\Program Files\PestPatrol\PPControl.exe" [2004-11-15 11:49 98304]
"PestPatrolCL"="" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\Ljilja\Start Menu\Programs\Startup\
desktop(2).ini [2006-04-17 13:31:14 84]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]
--a------ 2004-07-29 15:04 2052173 C:\Program Files\Babylon\Babylon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"C:\\Program Files\\LFS\\LFS.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R0 Defrag32b;Defrag32Boot;C:\WINDOWS\system32\drivers\Defrag32b.sys [2004-10-23 09:01]
R2 Defrag32;Defrag32;C:\WINDOWS\system32\drivers\Defrag32.sys [2004-10-23 09:01]
R2 PDSched;PDScheduler;"C:\Program Files\Raxco\PerfectDisk\PDSched.exe" [2004-11-01 12:56]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-05 06:38]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2008-01-29 21:22]
R3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 21:12]
S3 ids00026;ids00026;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00026.sys []
S3 ids00118;ids00118;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids00118.sys []
S3 shgbus;816SH USB Control (WDM) Ver1.0.0;C:\WINDOWS\system32\DRIVERS\shgbus.sys [2007-04-16 21:23]
S3 shgmdfl;816SH USB AT Command Port Filter Ver1.0.0;C:\WINDOWS\system32\DRIVERS\shgmdfl.sys [2007-04-16 21:24]
S3 shgmdm;816SH USB AT Command Port Drivers (WDM) Ver1.0.0;C:\WINDOWS\system32\DRIVERS\shgmdm.sys [2007-04-16 21:24]
S3 shgobex;816SH USB OBEX Port Ver1.0.0;C:\WINDOWS\system32\DRIVERS\shgobex.sys [2007-04-16 21:26]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-15 06:45:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
??
???-\- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-04 14:43:55 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe&/ScheduleSweep=wrSpySweeperTrialSweep
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 17:12:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-05 17:24:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 08:24:30

Pre-Run: 9,501,728,768 bytes free
Post-Run: 11,184,398,336 bytes free

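An added example, not part of this thread and not ComboFix's own code: a read-only PowerShell triage script that checks a live Windows machine for the same artifact classes the log above records, namely alternate data streams on core system binaries (the three ComboFix cleaned), Security Center warnings silenced via AntiVirusDisableNotify/UpdatesDisableNotify, Run-key entries whose target is missing or sits in a user-writable folder, and services or drivers whose image file is gone (the two Kaspersky ids000xx.sys entries that show "[]" in the log). The binary names and registry paths are taken from the log; everything else is an assumption: PowerShell 3.0 or later (Get-Item -Stream), an elevated session, and the heuristic used to pull an executable path out of a command line. It reports only; it deletes nothing, so treat every hit as a lead to look at, not as proof of infection.

```powershell
# Added example, not from the thread or from ComboFix. Read-only triage for the
# artifact classes in the ComboFix log. Assumes PowerShell 3.0+ and an elevated
# session. The path parsing below is heuristic, so treat hits as leads.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# Pull the executable out of a service or Run-key command line (heuristic):
# strips quotes, arguments, "\??\" and "\SystemRoot" prefixes, relative System32 paths.
function Get-ImagePath([string]$cmd) {
    if (-not $cmd) { return $null }
    if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($cmd -split '\s+(?:-|/)')[0].Trim() }
    $exe = $exe -replace '^\\\?\?\\', ''
    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
    if ($exe -match '^(System32|SysWOW64)\\') { $exe = Join-Path $env:SystemRoot $exe }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# 1. Alternate data streams on core binaries. ComboFix removed small ADS from
#    these three; a clean binary carries only the default ':$DATA' stream.
foreach ($bin in "$env:SystemRoot\system32\svchost.exe",
                 "$env:SystemRoot\system32\ntoskrnl.exe",
                 "$env:SystemRoot\explorer.exe") {
    Get-Item -LiteralPath $bin -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings.Add("ADS  $bin -> $($_.Stream) ($($_.Length) bytes)") }
}

# 2. Security Center warnings silenced (the log shows both values set to 1).
$sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'UpdatesDisableNotify', 'FirewallDisableNotify') {
    if ($sc.$name -eq 1) { $findings.Add("REG  Security Center\$name = 1 (warning suppressed)") }
}

# 3. Run keys: flag entries whose target is missing or lives in a user-writable
#    location. Bare names such as RUNDLL32.exe are resolved through PATH first.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }   # drop PSPath/PSParentPath metadata
    foreach ($p in $props) {
        $exe = Get-ImagePath ([string]$p.Value)
        if (-not $exe) { continue }                 # empty value, like "PestPatrolCL"="" in the log
        $exists = (Test-Path -LiteralPath $exe) -or ($null -ne (Get-Command $exe))
        if (-not $exists) {
            $findings.Add("RUN  $key\$($p.Name) -> missing target: $($p.Value)")
        } elseif ($exe -match '\\(Temp|AppData|Local Settings|Users\\Public)\\') {
            $findings.Add("RUN  $key\$($p.Name) -> user-writable location: $($p.Value)")
        }
    }
}

# 4. Services and kernel drivers whose image file no longer exists.
foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
    foreach ($svc in Get-CimInstance -ClassName $class) {
        $exe = Get-ImagePath ([string]$svc.PathName)
        if ($exe -and -not (Test-Path -LiteralPath $exe)) {
            $findings.Add("SVC  $class $($svc.Name) ($($svc.StartMode)) -> missing image: $($svc.PathName)")
        }
    }
}

if ($findings.Count) { $findings } else { 'No findings.' }
```

Each finding line starts with a four-letter tag (ADS, REG, RUN, SVC) so the output can be sorted or grepped. The ADS check is the one most worth keeping: the streams ComboFix removed were only 68 to 132 bytes, far too small to be a payload, but a stream hanging off ntoskrnl.exe or svchost.exe is something no legitimate installer leaves behind and is a quick indicator that a machine has been touched.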
It's looking good.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Before we go any further, get the Recovery Console installed on this system. The Windows recovery console will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it is originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'NO' to exit ComboFix
-------------------------------------------------------------

It's also important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
New HijackThis log
Update on system behavior