Malware/Adware

Post by veronicaford on 4th January 2010, 4:39 pm

Hello, I seem to have picked up some kind of malware/adware, which I think keeps automatically downloading itself onto my computer whilst pretending to be an anti-virus programme. It's also installing random things and adding links to porn on my desktop. I don't know how (or maybe this is just me being thick), but it seems to have turned off my firewall and other internet security settings.

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:14, on 04/01/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18349)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\DNA\btdna.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Users\Dudey\AppData\Local\Temp\settdebugx.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Users\Dudey\AppData\Local\Temp\wscsvc32.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Dudey\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavProgress.exe
C:\Users\Dudey\Downloads\winlogon.scr
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Users\Dudey\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [settdebugx.exe] C:\Users\Dudey\AppData\Local\Temp\settdebugx.exe
O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-GB\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FsUsbExService - Teruten - C:\Windows\system32\FsUsbExService.Exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10818 bytes

veronicaford
Novice
Posts: 9
Joined: 2009-10-23
OS: Vista
Points: 26135
Likes: 0


Re: Malware/Adware

Post by Belahzur on 4th January 2010, 5:13 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKCU\..\Run: [settdebugx.exe] C:\Users\Dudey\AppData\Local\Temp\settdebugx.exe
    O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan

  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245111
Likes: 1

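Why those two O4 lines are the ones to tick: the following is an added example (my code, not HijackThis or the forum's own tooling) that parses the "Running processes" block and the O4 autorun entries of a HijackThis log and flags launch points in user-writable folders, files named after Windows components but sitting outside System32, and autoruns named like the rogue product seen in this thread. The sample lines are copied from the log posted above; the rogue-name list is seeded from this thread only and the user-writable folder list is my own assumption.

```python
"""Triage the launch points in a HijackThis log.

Added example for this thread; it is not part of HijackThis or the forum's
own tooling.  It reads the 'Running processes' block and the O4 autorun lines
and flags what a helper looks at first: binaries started from user-writable
folders, files named after Windows components but living outside System32,
and autoruns named like the rogue "security" product seen in this thread.
"""
import re
from typing import List, NamedTuple

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\Windows\system32\taskeng.exe
C:\Users\Dudey\AppData\Local\Temp\settdebugx.exe
C:\Users\Dudey\AppData\Local\Temp\wscsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe
C:\Users\Dudey\Downloads\winlogon.scr

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [Google Update] "C:\Users\Dudey\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [settdebugx.exe] C:\Users\Dudey\AppData\Local\Temp\settdebugx.exe
O4 - HKCU\..\Run: [Malware Defense] "C:\Program Files\Malware Defense\mdefense.exe" -noscan
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""


class Finding(NamedTuple):
    line: str    # the log line as HijackThis printed it
    path: str    # lower-cased path of the binary it launches
    reason: str  # why it was flagged


# O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# A bare path in the 'Running processes' block.
PROC_RE = re.compile(r'^[a-zA-Z]:\\.+\.(?:exe|scr|dll|com|pif|bat|cmd)$', re.IGNORECASE)
# First token of a Run command: optionally quoted, drive letter or %ENV% root,
# ending at the executable extension.
EXE_RE = re.compile(
    r'^"?(?P<exe>(?:[a-zA-Z]:|%[^%]+%)\\[^"]*?\.(?:exe|scr|dll|com|pif|bat|cmd))"?(?=\s|,|$)',
    re.IGNORECASE)

# Folders any user can write to; legitimate software does not autostart from them.
USER_WRITABLE = ('\\appdata\\local\\temp\\', '\\downloads\\', '\\windows\\temp\\', '\\$recycle.bin\\')
# Windows components whose names malware borrows; the real ones live in System32.
SYSTEM_LOOKALIKES = ('winlogon', 'wscsvc', 'svchost', 'userinit', 'lsass', 'csrss')
SYSTEM_DIRS = ('\\windows\\system32\\', '\\windows\\syswow64\\')
# Autorun value names of rogue products; seeded from this thread only.
ROGUE_NAMES = ('malware defense',)


def extract_exe(cmd: str) -> str:
    """Return the lower-cased binary path from an O4 command line (quoted or not)."""
    m = EXE_RE.match(cmd.strip())
    return (m.group('exe') if m else cmd.strip().split(' ')[0]).lower()


def assess(path: str, name: str = '') -> List[str]:
    """Reasons a launch point deserves a look; an empty list means nothing stood out."""
    path = path.lower()
    reasons = []
    if any(d in path for d in USER_WRITABLE):
        reasons.append('runs from a user-writable folder')
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if stem.startswith(SYSTEM_LOOKALIKES) and not any(d in path for d in SYSTEM_DIRS):
        reasons.append('named after a Windows component but not in System32')
    if name.lower() in ROGUE_NAMES:
        reasons.append('autorun named like a rogue "security" product')
    return reasons


def triage(log: str) -> List[Finding]:
    """Walk a HijackThis log and collect the launch points worth questioning."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        o4 = O4_RE.match(line)
        if o4:
            path, name = extract_exe(o4.group('cmd')), o4.group('name')
        elif PROC_RE.match(line):
            path, name = line.lower(), ''
        else:
            continue  # header, R/O2/O23 lines and blanks are out of scope here
        reasons = assess(path, name)
        if reasons:
            findings.append(Finding(line, path, '; '.join(reasons)))
    return findings


def o4_lines_to_fix(log: str) -> List[str]:
    """The O4 entries a helper would tick before pressing 'Fix Checked'."""
    return [f.line for f in triage(log) if f.line.startswith('O4 - ')]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
```

On the sample, the two O4 lines returned by `o4_lines_to_fix` are exactly the two Belahzur asked to have fixed; the running-process hits (`wscsvc32.exe` and `winlogon.scr` outside System32) are the same infection's other footprints.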

Re: Malware/Adware

Post by veronicaford on 4th January 2010, 7:08 pm

Okay, done the HijackThis thing, but for some reason MBAM won't open. Have tried uninstalling and then reinstalling. Yikes!!!

Re: Malware/Adware

Post by veronicaford on 4th January 2010, 7:15 pm

Also it seems to have now deleted Sophos!

Re: Malware/Adware

Post by Belahzur on 4th January 2010, 7:16 pm

Don't think so; the files were still there when the HijackThis scan was taken.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Malware/Adware

Post by veronicaford on 4th January 2010, 9:49 pm

ComboFix 10-01-04.01 - Dudey 04/01/2010 21:23:43.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2814.1750 [GMT 0:00]
Running from: c:\users\Dudey\Documents\Uni\Bath\Work\Combo-Fix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Outdated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
SP: Sophos Anti-Virus *disabled* (Outdated) {A8CA403D-C4B1-4BBA-9FA7-B73C144CBC5C}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3926210305-1454408057-3256566471-500
c:\$recycle.bin\S-1-5-21-675323397-2753584701-1959955618-500
c:\windows\010112010146101105.rx
c:\windows\system32\drivers\H8SRTjkorrsommo.sys
c:\windows\system32\H8SRTgvpliwdpbi.dll
c:\windows\system32\H8SRThnyckcwgle.dll
c:\windows\system32\H8SRTjxehyskneu.dat
c:\windows\system32\H8SRTwemivmbxrs.dll
c:\windows\system32\MSVolumeAMP.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\srcr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-04 to 2010-01-04 )))))))))))))))))))))))))))))))
.

2010-01-04 21:34 . 2010-01-04 21:38 -------- d-----w- c:\users\Dudey\AppData\Local\temp
2010-01-04 21:34 . 2010-01-04 21:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-04 19:06 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 19:06 . 2010-01-04 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 19:06 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 15:56 . 2010-01-04 15:56 860 ----a-w- c:\windows\system32\krl32mainweq.dll
2009-12-27 20:08 . 2009-12-27 20:08 -------- d-----w- c:\program files\Lionhead Studios
2009-12-10 03:08 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 03:08 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 03:08 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 11:52 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 11:52 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-04 21:38 . 2009-01-31 12:36 27839 ----a-w- c:\programdata\nvModes.dat
2010-01-04 21:38 . 2009-02-16 18:52 -------- d-----w- c:\users\Dudey\AppData\Roaming\DNA
2010-01-04 21:38 . 2009-02-16 18:52 -------- d-----w- c:\program files\DNA
2010-01-04 16:00 . 2009-11-25 08:20 439816 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-01-04 08:13 . 2009-06-05 20:16 680 ----a-w- c:\users\Dudey\AppData\Local\d3d9caps.dat
2009-12-27 20:08 . 2008-10-26 09:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 14:42 . 2009-12-20 21:02 872960 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 14:42 . 2009-12-20 21:02 43008 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 14:42 . 2009-12-20 21:02 340480 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 14:41 . 2009-12-20 21:02 346624 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-10 03:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 03:08 . 2008-10-26 10:47 -------- d-----w- c:\programdata\Microsoft Help
2009-12-04 10:55 . 2009-12-04 10:55 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-04 10:03 . 2009-12-04 10:03 251376 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-11-30 01:03 . 2009-11-30 01:02 -------- d-----w- c:\program files\Microsoft
2009-11-25 16:20 . 2009-11-25 16:20 17245680 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\rp\RealPlayerSPGold.exe
2009-11-25 16:20 . 2009-11-25 16:20 8405312 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-11-25 16:20 . 2009-11-25 16:20 149000 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\chr_helper\LaunchHelper.exe
2009-11-25 16:20 . 2009-11-25 16:20 10309448 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\chr\ChromeInstaller.exe
2009-11-25 16:20 . 2009-11-25 16:20 79368 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\vista.exe
2009-11-25 16:20 . 2009-11-25 16:20 64000 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\gcapi_dll.dll
2009-11-25 16:20 . 2009-11-25 16:20 52288 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\gtapi.dll
2009-11-25 16:20 . 2009-11-25 16:20 50688 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\fftbapi.dll
2009-11-25 16:20 . 2009-11-25 16:20 118784 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\compat.dll
2009-11-17 14:03 . 2009-05-27 19:51 -------- d-----w- c:\program files\DivX
2009-11-17 14:02 . 2009-05-27 19:51 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-17 13:58 . 2009-11-17 13:58 -------- d-----w- c:\users\Dudey\AppData\Roaming\DivX
2009-11-17 13:49 . 2009-11-17 13:49 -------- d-----w- c:\program files\Google
2009-11-17 13:40 . 2009-11-17 13:40 20520 ----a-w- c:\program files\init.dat
2009-11-17 13:37 . 2009-11-17 13:37 -------- d-----w- c:\program files\19th Parallel
2009-11-09 12:04 . 2008-10-26 10:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-02 20:42 . 2009-10-03 19:35 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-26 03:04 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 13:20 . 2009-12-09 11:55 833024 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 13:16 . 2009-12-09 11:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 10:55 . 2009-12-09 11:55 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-24 11:21 . 2009-10-22 09:55 3032096 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-23 17:18 . 2009-02-03 20:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-23 09:33 . 2009-10-23 09:34 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-02-07 22:14 . 2005-10-03 18:20 405 ----a-w- c:\program files\DND.ini
2008-07-28 15:56 . 2008-07-28 15:56 13670 ----a-w- c:\program files\Readme.txt
2005-10-10 11:34 . 2005-10-10 11:34 8746431 ----a-w- c:\program files\Dragonshard.exe
2005-07-08 03:42 . 2005-07-08 03:42 59 ----a-w- c:\program files\Dragonshard Website.url
2005-07-08 03:42 . 2005-07-08 03:42 58 ----a-w- c:\program files\Atari Support Website.url
2005-07-08 03:42 . 2005-07-08 03:42 47 ----a-w- c:\program files\Atari Website.url
2005-05-06 17:03 . 2005-05-06 17:03 224768 ----a-w- c:\program files\fpupdate.exe
2005-05-06 17:03 . 2005-05-06 17:03 172032 ----a-w- c:\program files\NxFoundation.dll
2005-05-06 17:03 . 2005-05-06 17:03 1257472 ----a-w- c:\program files\NxPhysics.dll
2005-05-06 17:03 . 2005-05-06 17:03 409600 ----a-w- c:\program files\cscheck.dll
2005-03-17 15:45 . 2005-03-17 15:45 339456 ----a-w- c:\program files\binkw32.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-10-26 10:07 . 2008-10-26 09:53 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\Dudey\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-02 133104]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2008-09-12 69632]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-10-27 2075896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-18 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-23 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-3-9 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

R1 SAVOnAccess;SAVOnAccess;c:\windows\System32\drivers\savonaccess.sys [26/02/2009 11:35 93192]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [09/05/2008 19:17 43040]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\System32\drivers\OA004Ufd.sys [03/06/2008 09:30 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\System32\drivers\OA004Vid.sys [17/07/2008 17:01 269760]
S4 SophosBootDriver;SophosBootDriver;c:\windows\System32\drivers\SophosBootDriver.sys [26/02/2009 11:35 20288]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [22/09/2009 12:40 721904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-675323397-2753584701-1959955618-1000Core.job
- c:\users\Dudey\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-02 17:06]

2010-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-675323397-2753584701-1959955618-1000UA.job
- c:\users\Dudey\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-02 17:06]

2010-01-04 c:\windows\Tasks\HPCeeScheduleForDudey.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-26 18:34]

2009-12-16 c:\windows\Tasks\Wednesday 9pm Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-01-22 16:45]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\Dudey\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Dudey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NPSStartup - (no file)
SafeBoot-Wdf01000.sys
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-HijackThis - c:\users\Dudey\Downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-04 21:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Sophos\Sophos Anti-Virus\SavService.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\FsUsbExService.Exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\SMINST\BLService.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\WerCon.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-01-04 21:47:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-04 21:47

Pre-Run: 67,752,161,280 bytes free
Post-Run: 68,755,791,872 bytes free

- - End Of File - - 7AF3BD554F050BEB6DB8B8DA5E54A4F9


Re: Malware/Adware

Post by Belahzur on 4th January 2010, 11:13 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\krl32mainweq.dll

    NetSvc::
    ezSharedSvc

    DDS::
    uStart Page = [You must be registered and logged in to see this link.]

    Firefox::
    FF - ProfilePath - c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\
    FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]

    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Malware/Adware

Post by veronicaford on 5th January 2010, 12:35 am

ComboFix 10-01-04.01 - Dudey 05/01/2010 0:15.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2814.1635 [GMT 0:00]
Running from: c:\users\Dudey\Documents\Uni\Bath\Work\Combo-Fix.exe
Command switches used :: c:\users\Dudey\Documents\Uni\Bath\Work\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
SP: Sophos Anti-Virus *disabled* (Updated) {A8CA403D-C4B1-4BBA-9FA7-B73C144CBC5C}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\windows\system32\krl32mainweq.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Dudey\sophos76vista2010.exe
c:\windows\system32\drivers\npfnq.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cfhdlrn


((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-04 19:06 . 2009-12-30 14:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 19:06 . 2010-01-04 19:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-04 19:06 . 2009-12-30 14:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-27 20:08 . 2009-12-27 20:08 -------- d-----w- c:\program files\Lionhead Studios
2009-12-10 03:08 . 2009-11-09 13:22 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-10 03:08 . 2009-11-09 13:20 31232 ----a-w- c:\windows\system32\httpapi.dll
2009-12-10 03:08 . 2009-11-09 11:04 411136 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 11:52 . 2009-10-07 12:41 244224 ----a-w- c:\windows\system32\rastls.dll
2009-12-09 11:52 . 2009-10-07 12:41 281600 ----a-w- c:\windows\system32\raschap.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-05 00:27 . 2009-01-31 12:21 75720 ----a-w- c:\users\Dudey\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-05 00:27 . 2009-02-16 18:52 -------- d-----w- c:\users\Dudey\AppData\Roaming\DNA
2010-01-05 00:27 . 2009-02-16 18:52 -------- d-----w- c:\program files\DNA
2010-01-05 00:26 . 2009-01-31 12:36 27839 ----a-w- c:\programdata\nvModes.dat
2010-01-04 22:02 . 2010-01-04 22:02 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-01-04 22:01 . 2010-01-04 22:01 98304 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\module retargetable folder\persistance.dll
2010-01-04 22:01 . 2010-01-04 22:01 598016 ----a-w- c:\programdata\Sophos\AutoUpdate\Cache\savxp\program files\sophos\sophos anti-virus\module retargetable folder\threatmanagement.dll
2010-01-04 21:59 . 2009-02-02 10:56 -------- d-----w- c:\programdata\Sophos
2010-01-04 21:59 . 2009-02-02 10:56 -------- d-----w- c:\program files\Sophos
2010-01-04 16:00 . 2009-11-25 08:20 439816 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\setup.exe
2010-01-04 08:13 . 2009-06-05 20:16 680 ----a-w- c:\users\Dudey\AppData\Local\d3d9caps.dat
2009-12-27 20:08 . 2008-10-26 09:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-16 14:42 . 2009-12-20 21:02 872960 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-16 14:42 . 2009-12-20 21:02 43008 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-16 14:42 . 2009-12-20 21:02 340480 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-16 14:41 . 2009-12-20 21:02 346624 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-10 03:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-10 03:08 . 2008-10-26 10:47 -------- d-----w- c:\programdata\Microsoft Help
2009-12-04 10:55 . 2009-12-04 10:55 784136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-12-04 10:03 . 2009-12-04 10:03 251376 ----a-w- c:\users\Dudey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-11-30 01:03 . 2009-11-30 01:02 -------- d-----w- c:\program files\Microsoft
2009-11-25 16:20 . 2009-11-25 16:20 17245680 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\rp\RealPlayerSPGold.exe
2009-11-25 16:20 . 2009-11-25 16:20 8405312 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2009-11-25 16:20 . 2009-11-25 16:20 149000 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\chr_helper\LaunchHelper.exe
2009-11-25 16:20 . 2009-11-25 16:20 10309448 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\chr\ChromeInstaller.exe
2009-11-25 16:20 . 2009-11-25 16:20 79368 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\vista.exe
2009-11-25 16:20 . 2009-11-25 16:20 64000 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\gcapi_dll.dll
2009-11-25 16:20 . 2009-11-25 16:20 52288 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\gtapi.dll
2009-11-25 16:20 . 2009-11-25 16:20 50688 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\fftbapi.dll
2009-11-25 16:20 . 2009-11-25 16:20 118784 ----a-w- c:\users\Dudey\AppData\Roaming\Real\Update\setup3.09\RUP\inst_config\compat.dll
2009-11-17 14:03 . 2009-05-27 19:51 -------- d-----w- c:\program files\DivX
2009-11-17 14:02 . 2009-05-27 19:51 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-11-17 13:58 . 2009-11-17 13:58 -------- d-----w- c:\users\Dudey\AppData\Roaming\DivX
2009-11-17 13:49 . 2009-11-17 13:49 -------- d-----w- c:\program files\Google
2009-11-17 13:40 . 2009-11-17 13:40 20520 ----a-w- c:\program files\init.dat
2009-11-17 13:37 . 2009-11-17 13:37 -------- d-----w- c:\program files\19th Parallel
2009-11-09 12:04 . 2008-10-26 10:53 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-02 20:42 . 2009-10-03 19:35 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:41 . 2009-11-26 03:04 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 13:20 . 2009-12-09 11:55 833024 ----a-w- c:\windows\system32\wininet.dll
2009-10-27 13:16 . 2009-12-09 11:55 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-27 10:55 . 2009-12-09 11:55 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-10-24 11:21 . 2009-10-22 09:55 3032096 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-23 17:18 . 2009-02-03 20:38 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-23 09:33 . 2009-10-23 09:34 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-02-07 22:14 . 2005-10-03 18:20 405 ----a-w- c:\program files\DND.ini
2008-07-28 15:56 . 2008-07-28 15:56 13670 ----a-w- c:\program files\Readme.txt
2005-10-10 11:34 . 2005-10-10 11:34 8746431 ----a-w- c:\program files\Dragonshard.exe
2005-07-08 03:42 . 2005-07-08 03:42 59 ----a-w- c:\program files\Dragonshard Website.url
2005-07-08 03:42 . 2005-07-08 03:42 58 ----a-w- c:\program files\Atari Support Website.url
2005-07-08 03:42 . 2005-07-08 03:42 47 ----a-w- c:\program files\Atari Website.url
2005-05-06 17:03 . 2005-05-06 17:03 224768 ----a-w- c:\program files\fpupdate.exe
2005-05-06 17:03 . 2005-05-06 17:03 172032 ----a-w- c:\program files\NxFoundation.dll
2005-05-06 17:03 . 2005-05-06 17:03 1257472 ----a-w- c:\program files\NxPhysics.dll
2005-03-17 15:45 . 2005-03-17 15:45 339456 ----a-w- c:\program files\binkw32.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-10-26 10:07 . 2008-10-26 09:53 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\users\Dudey\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-02-02 133104]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-13 323392]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2008-09-12 69632]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-10-27 2075896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-11 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-11 92704]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-18 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-23 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-20 245760]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-3-9 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

R1 SAVOnAccess;SAVOnAccess;c:\windows\System32\drivers\savonaccess.sys [04/01/2010 22:00 93192]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [21/01/2008 02:23 21504]
R2 FsUsbExService;FsUsbExService;c:\windows\System32\FsUsbExService.Exe [16/04/2009 11:37 233472]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [26/10/2008 11:10 365952]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [05/10/2009 12:22 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [04/01/2010 22:00 98304]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [26/10/2008 10:01 193840]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\System32\FsUsbExDisk.Sys [16/04/2009 11:37 36512]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\System32\drivers\nvhda32v.sys [09/05/2008 19:17 43040]
R3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\System32\drivers\OA004Ufd.sys [03/06/2008 09:30 144672]
R3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\System32\drivers\OA004Vid.sys [17/07/2008 17:01 269760]
S4 SophosBootDriver;SophosBootDriver;c:\windows\System32\drivers\SophosBootDriver.sys [04/01/2010 22:20 20288]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [22/09/2009 12:40 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - FSUSBEXDISK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 18:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-675323397-2753584701-1959955618-1000Core.job
- c:\users\Dudey\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-02 17:06]

2010-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-675323397-2753584701-1959955618-1000UA.job
- c:\users\Dudey\AppData\Local\Google\Update\GoogleUpdate.exe [2009-02-02 17:06]

2010-01-04 c:\windows\Tasks\HPCeeScheduleForDudey.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-26 18:34]

2010-01-05 c:\windows\Tasks\Wednesday 9pm Scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2010-01-04 22:00]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-GB\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\Dudey\AppData\Roaming\Mozilla\Firefox\Profiles\lpx510x9.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\users\Dudey\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\Dudey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLANExt.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\System32\rundll32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-01-05 00:33:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 00:33
ComboFix2.txt 2010-01-04 21:47

Pre-Run: 67,981,942,784 bytes free
Post-Run: 67,985,285,120 bytes free

- - End Of File - - 84CBF378F3E6FEC83D99B1BF48265CDF

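The "Reg Loading Points" section of the ComboFix log above is where the security-weakening settings show up: under policies\system both EnableLUA and ConsentPromptBehaviorAdmin are 0 (UAC is off and administrators elevate silently), Security Center monitoring of the installed anti-virus is disabled, and an AppInit_DLLs entry is set (here pointing into the Sophos install directory, which still deserves a look because anything listed there is loaded into every user-mode process). The following Python triage helper is an added example, not part of the thread and not ComboFix code; it parses log lines in ComboFix's key/"name"=value layout and flags those conditions. The sample input is constructed from the values in the log above, and the key-suffix matching and the Finding structure are this example's own assumptions.

```python
"""Triage helper for ComboFix-style "Reg Loading Points" output.

Added example (not ComboFix's own code): parses the key / "name"=value
layout and flags registry settings that weaken Windows security.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the values shown in the log above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=value


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def parse_loading_points(text):
    """Return {lower-cased key path: {value name: raw value string}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip()
    return entries


def numeric(raw):
    """Decode ComboFix's renderings '0 (0x0)' and 'dword:00000001'; None if neither."""
    raw = raw.lower()
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'(\d+)', raw)
    return int(m.group(1)) if m else None


def triage(entries):
    """Flag the security-weakening settings seen in the thread's log."""
    findings = []
    for key, values in entries.items():
        if key.endswith(r'\policies\system'):
            if numeric(values.get('EnableLUA', '')) == 0:
                findings.append(Finding(key, 'EnableLUA', values['EnableLUA'],
                                        'User Account Control is disabled'))
            if numeric(values.get('ConsentPromptBehaviorAdmin', '')) == 0:
                findings.append(Finding(key, 'ConsentPromptBehaviorAdmin',
                                        values['ConsentPromptBehaviorAdmin'],
                                        'administrators elevate without any prompt'))
        if key.endswith(r'\windows nt\currentversion\windows') and values.get('AppInit_DLLs'):
            findings.append(Finding(key, 'AppInit_DLLs', values['AppInit_DLLs'],
                                    'DLL loaded into every user-mode process; verify each path'))
        if '\\security center\\monitoring\\' in key and numeric(values.get('DisableMonitoring', '')) == 1:
            findings.append(Finding(key, 'DisableMonitoring', values['DisableMonitoring'],
                                    'Security Center no longer monitors this product'))
    return findings


if __name__ == '__main__':
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        print(f'{f.name}={f.value}  [{f.reason}]\n    in {f.key}')
```

Run it against the saved C:\ComboFix.txt by reading that file into parse_loading_points instead of SAMPLE_LOG; every Finding is something to either restore (UAC, Security Center monitoring) or account for (each AppInit_DLLs path) once the infection itself has been cleaned.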

Re: Malware/Adware

Post by Belahzur on 5th January 2010, 12:56 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



Re: Malware/Adware

Post by veronicaford on 5th January 2010, 9:49 am

So much better, thank you!
