"Malware Defense" malware?

Post by GMan316 on Wed Jan 06, 2010 9:14 pm

Hey guys, my netbook recently got infected with what I think is malware. It's a program called "Malware Defense" and is basically trying to force me to purchase a copy by saying my Internet Explorer (which I don't even use) is infected with a worm, "Rootkit.win32.Agent.PP". It looks like a Windows app and it even has the Windows shield. The thing is, though, I downloaded Malwarebytes immediately after I saw this program pop up, but I was unable to install it. Any help would be appreciated, thanks.

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro

Re: "Malware Defense" malware?

Post by GMan316 on Wed Jan 06, 2010 9:20 pm

Also when I try to close the program, the whole comp just locks up. So I basically have to do a hard reset every time. Should I just let the program install? Because I can't do anything otherwise. Thanks.

Re: "Malware Defense" malware?

Post by Belahzur on Wed Jan 06, 2010 10:01 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: "Malware Defense" malware?

Post by GMan316 on Wed Jan 06, 2010 10:04 pm

Belahzur wrote:Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.

Belahzur, the comp seems to lock up when I try to close the malware defense program. Should I just let it install so I can at least access the comp?

Re: "Malware Defense" malware?

Post by GMan316 on Wed Jan 06, 2010 10:54 pm

I tried to close the program through Ctrl+Alt+Del and ending the process. But when I get to opening up Firefox, the comp just freezes. Any suggestions? Everything, even the Task Manager, ends up in "Not Responding" and I'm unable to do anything except hard resets.

EDIT:

I was able to finally download HijackThis to the machine, but now I can't open it.

Re: "Malware Defense" malware?

Post by Belahzur on Wed Jan 06, 2010 11:18 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Re: "Malware Defense" malware?

Post by GMan316 on Wed Jan 06, 2010 11:28 pm

Belahzur wrote:Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.

I closed the Malware Defense and just transferred the OTL.exe via USB. However, when I try to hit "Run Scan" it just freezes. The Malware Defense is still active and I believe is the one causing my system to freeze. At some point I'm able to move my mouse but I'm not able to click anything.

All I could do is perform hard resets every time...

Re: "Malware Defense" malware?

Post by Belahzur on Wed Jan 06, 2010 11:30 pm

Hello.
Let's try this in Safe Mode.

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Once in Safe Mode, try running HijackThis. If no go, try OTL instead.


Re: "Malware Defense" malware?

Post by GMan316 on Wed Jan 06, 2010 11:43 pm

Here is the OTL log:

OTL logfile created on: 1/6/2010 3:38:38 PM - Run 1
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Angelito Pangilinan\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1522 1522 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 79.99 Gb Total Space | 44.73 Gb Free Space | 55.92% Space Free | Partition Type: NTFS
Drive D: | 61.20 Gb Total Space | 38.05 Gb Free Space | 62.16% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-OCAX1O1WNC
Current User Name: Angelito Pangilinan
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/01/06 15:21:10 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angelito Pangilinan\Desktop\OTL.exe
PRC - [2008/04/14 04:00:00 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 04:00:00 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE


========== Modules (SafeList) ==========

MOD - [2010/01/06 15:21:10 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angelito Pangilinan\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2008/09/02 03:26:16 | 00,346,720 | ---- | M] (Broadcom Corporation.) [Auto | Stopped] -- C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/01/04 18:48:52 | 00,112,152 | R--- | M] (InterVideo) [Auto | Stopped] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
SRV - [2007/01/04 13:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2009/06/23 15:03:15 | 00,060,572 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftser2k.sys -- (FTSER2K)
DRV - [2009/06/23 15:03:15 | 00,028,449 | ---- | M] (FTDI Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ftdibus.sys -- (FTDIBUS)
DRV - [2008/08/25 00:59:40 | 00,026,112 | ---- | M] (ELANTECH Devices Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ETD.sys -- (Ktp)
DRV - [2008/08/19 18:16:36 | 00,991,656 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2008/08/19 18:16:28 | 00,047,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2008/08/12 15:10:50 | 04,751,360 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/07/24 13:37:10 | 00,156,816 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2008/05/30 07:46:12 | 00,534,568 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2008/04/14 04:00:00 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 04:00:00 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/14 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2008/04/08 14:59:28 | 00,010,752 | ---- | M] (ASUSTeK Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASUSACPI.SYS -- (AsusACPI)
DRV - [2008/03/28 16:38:16 | 00,625,024 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rt2860.sys -- (RT80x86)
DRV - [2008/03/11 18:37:00 | 00,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l1e51x86.sys -- (L1e)
DRV - [2008/03/10 14:18:42 | 00,057,384 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwhid.sys -- (btwhid)
DRV - [2008/02/04 13:57:44 | 00,037,160 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2007/12/19 22:32:12 | 05,854,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/08/24 03:45:22 | 00,101,120 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2007/05/03 03:00:58 | 00,546,976 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo"

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/01/04 19:11:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.16\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/31 17:53:18 | 00,000,000 | ---D | M]

[2009/05/31 23:30:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angelito Pangilinan\Application Data\Mozilla\Extensions
[2010/01/04 00:56:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Angelito Pangilinan\Application Data\Mozilla\Firefox\Profiles\0tue9jez.default\extensions
[2009/09/28 17:46:40 | 00,002,160 | ---- | M] () -- C:\Documents and Settings\Angelito Pangilinan\Application Data\Mozilla\Firefox\Profiles\0tue9jez.default\searchplugins\MySpace.xml
[2009/05/31 23:30:20 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/04/16 09:07:12 | 00,180,293 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe (ASUSTeK Computer Inc.)
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCTRL.EXE (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [ETDWareDetect] C:\Program Files\Elantech\ETDDECT.EXE (ELANTECH Devices Corp.)
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [Malware Defense] C:\Program Files\Malware Defense\mdefense.exe ()
O4 - HKCU..\Run: [settdebugx.exe] C:\Documents and Settings\Angelito Pangilinan\Local Settings\Temp\settdebugx.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SuperHybridEngine.lnk = C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe (ASUSTeK Computer Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_03)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/08/09 06:50:00 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\Shell - "" = AutoRun
O33 - MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O33 - MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\Shell - "" = AutoRun
O33 - MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/01/06 15:27:03 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Angelito Pangilinan\Desktop\OTL.exe
[2010/01/06 15:01:41 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Angelito Pangilinan\Desktop\HJTInstall.exe
[2010/01/04 19:12:32 | 05,061,520 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Angelito Pangilinan\Desktop\mbam-setup.exe
[2010/01/04 19:10:08 | 00,000,000 | ---D | C] -- C:\Program Files\Malware Defense
[2010/01/04 15:46:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Angelito Pangilinan\Desktop\DBZ
[2009/12/31 20:04:41 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/12/29 03:06:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/12/29 03:06:31 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/12/29 03:06:14 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/12/29 03:05:29 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/12/29 03:05:29 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/12/29 03:05:29 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/12/29 03:05:29 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/12/29 03:05:28 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/12/29 03:05:28 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/12/29 03:05:28 | 00,000,000 | ---D | C] -- C:\9bdb8e80f0b1b57487be468f
[2009/12/28 02:04:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2009/12/28 01:50:07 | 00,455,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mrxsmb.sys
[2009/12/28 01:49:08 | 02,145,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlmp.exe
[2009/12/28 01:49:07 | 02,023,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrpamp.exe
[2009/12/28 01:49:06 | 02,066,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntkrnlpa.exe
[2008/08/29 17:27:26 | 15,523,560 | ---- | C] (Macrovision Corporation) -- C:\Program Files\Install AiGuruU1 Skype Phone.exe
[2008/08/09 06:54:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008/08/09 06:54:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2008/08/09 06:49:54 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2008/08/09 06:49:54 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/01/06 15:37:16 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/06 15:31:28 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/06 15:21:10 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Angelito Pangilinan\Desktop\OTL.exe
[2010/01/06 15:04:18 | 00,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/01/06 15:04:18 | 00,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/01/06 15:04:18 | 00,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/01/06 15:01:41 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Angelito Pangilinan\Desktop\HJTInstall.exe
[2010/01/06 15:00:48 | 00,000,856 | ---- | M] () -- C:\WINDOWS\System32\krl32mainweq.dll
[2010/01/05 21:24:23 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/04 19:18:00 | 00,000,202 | ---- | M] () -- C:\WINDOWS\System32\srcr.dat
[2010/01/04 19:16:15 | 02,883,584 | -H-- | M] () -- C:\Documents and Settings\Angelito Pangilinan\NTUSER.DAT
[2010/01/04 19:16:15 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Angelito Pangilinan\ntuser.ini
[2010/01/04 19:12:44 | 05,061,520 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Angelito Pangilinan\Desktop\mbam-setup.exe
[2010/01/04 18:57:26 | 00,000,008 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/04 18:42:31 | 04,998,707 | ---- | M] () -- C:\Documents and Settings\Angelito Pangilinan\Desktop\flvplayer_setup.exe
[2010/01/04 18:39:00 | 00,000,254 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2010/01/04 15:45:35 | 00,037,592 | ---- | M] () -- C:\Documents and Settings\Angelito Pangilinan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/12/31 18:25:16 | 00,017,920 | ---- | M] () -- C:\Documents and Settings\Angelito Pangilinan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/31 17:51:58 | 00,181,832 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/12/28 23:19:49 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/28 02:04:40 | 00,000,882 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Works.lnk
[2009/12/28 01:43:33 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/12/28 01:43:33 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/12/28 01:43:33 | 00,000,211 | RHS- | M] () -- C:\boot.ini
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/04 18:58:33 | 00,000,856 | ---- | C] () -- C:\WINDOWS\System32\krl32mainweq.dll
[2010/01/04 18:57:22 | 00,000,202 | ---- | C] () -- C:\WINDOWS\System32\srcr.dat
[2010/01/04 18:57:10 | 00,000,008 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sysReserve.ini
[2010/01/04 18:42:19 | 04,998,707 | ---- | C] () -- C:\Documents and Settings\Angelito Pangilinan\Desktop\flvplayer_setup.exe
[2009/06/23 15:07:11 | 00,000,110 | ---- | C] () -- C:\WINDOWS\System32\ftdiun2k.ini
[2009/06/14 20:13:43 | 00,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ezsid.dat
[2009/05/23 02:57:23 | 00,017,920 | ---- | C] () -- C:\Documents and Settings\Angelito Pangilinan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/05/23 02:39:37 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Angelito Pangilinan\Application Data\wklnhst.dat
[2009/04/07 17:06:42 | 00,000,142 | ---- | C] () -- C:\Documents and Settings\Angelito Pangilinan\Local Settings\Application Data\fusioncache.dat
[2008/09/02 03:25:26 | 02,854,912 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2008/08/29 19:30:01 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/08/29 17:30:06 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2008/08/29 17:30:06 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2008/08/29 17:30:06 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2008/08/29 17:30:06 | 00,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2008/08/29 17:30:05 | 00,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2008/08/29 17:30:05 | 00,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2008/08/29 16:43:07 | 00,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
[2008/08/09 06:32:28 | 00,005,312 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2008/07/30 18:31:52 | 00,021,864 | ---- | C] () -- C:\WINDOWS\AsAcpiSvrLang.ini
[2008/03/17 14:54:36 | 00,012,208 | ---- | C] () -- C:\WINDOWS\AsTrayLang.ini
[2005/02/17 08:41:32 | 00,000,603 | ---- | C] () -- C:\WINDOWS\System32\BTNeighborhood.dll.manifest
[2005/02/17 08:41:30 | 00,000,593 | ---- | C] () -- C:\WINDOWS\System32\btcss.dll.manifest
[2001/11/14 09:56:00 | 01,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll
< End of report >

Re: "Malware Defense" malware?

Post by GMan316 on Wed Jan 06, 2010 11:44 pm

Here is the Extras log:

OTL Extras logfile created on: 1/6/2010 3:38:38 PM - Run 1
OTL by OldTimer - Version 3.1.21.0 Folder = C:\Documents and Settings\Angelito Pangilinan\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 88.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 97.00% Paging File free
Paging file location(s): C:\pagefile.sys 1522 1522 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 79.99 Gb Total Space | 44.73 Gb Free Space | 55.92% Space Free | Partition Type: NTFS
Drive D: | 61.20 Gb Total Space | 38.05 Gb Free Space | 62.16% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-OCAX1O1WNC
Current User Name: Angelito Pangilinan
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\livecall.exe" = C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) -- (Microsoft Corporation)
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath -- (Skype Technologies S.A.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Documents and Settings\Angelito Pangilinan\Desktop\Poker Clock Pro\Poker Clock Pro\PokerClockPro.exe" = C:\Documents and Settings\Angelito Pangilinan\Desktop\Poker Clock Pro\Poker Clock Pro\PokerClockPro.exe:*:Enabled:PokerClockPro -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{19F5658D-92E8-4A08-8657-D38ABB1574B2}" = Asus ACPI Driver
"{2D4F6BE3-6FEF-4FE9-9D01-1406B220D08C}" = Windows Live Photo Gallery
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java(TM) 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{587178E7-B1DF-494E-9838-FA4DD36E873C}" = ASUSUpdate for Eee PC
"{5C52CED3-D45C-4DA9-932F-B91BD44BB461}" = Adabas D 13.01.00
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.6
"{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
"{6E4DAE31-7CF3-441A-B6E5-B014D63C80CD}" = Eee Instant Key
"{84814E6B-2581-46EC-926A-823BD1C670F6}" = WIDCOMM Bluetooth Software
"{88F08F98-12BC-4613-81A2-8F9B88CFC73E}" = Super Hybrid Engine
"{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}" = Azurewave Wireless LAN
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9176251A-4CC1-4DDB-B343-B487195EB397}" = Windows Live Writer
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{9510AB97-A36C-4352-8725-E72E5528FA1B}" = StarOffice 8 ASUS Edition
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{9808297E-9073-46A0-8B9D-6881D56FE8AE}" = Agent
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AC76BA86-7AD7-1033-7B44-A81100000003}" = Adobe Reader 8.1.1
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
"ABDC01C4DE4E4121C2B216984E72AE1309FB7266" = Windows Driver Package - FTDI FTDI VCP Driver Package (12/12/2005 1.00.2176)
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AIM_6" = AIM 6
"Eee Storage" = Eee Storage 1.1.15.197
"Elantech" = ETDWare PS/2-x86 7.0.3.8 WHQL 03Sep08
"FA2DBFCD1ED6293CB3AA797A094CE92CA85ABD6E" = Windows Driver Package - FTDI FTDI VCP Driver Package (12/12/2005 1.00.2176)
"FTDICOMM" = FTDI USB Serial Converter Drivers
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"Malware Defense" = Malware Defense
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mobile Partner" = Mobile Partner
"Mozilla Firefox (3.0.16)" = Mozilla Firefox (3.0.16)
"MySpaceIM" = MySpaceIM
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Live Toolbar" = Windows Live Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/28/2009 6:04:02 AM | Computer Name = YOUR-OCAX1O1WNC | Source = MsiInstaller | ID = 11316
Description = Product: Windows Live Sign-in Assistant -- Error 1316. A network error
occurred while attempting to read from the file: C:\WINDOWS\TEMP\IXP000.TMP\Install_{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}.msi

Error - 1/4/2010 11:17:19 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 1/6/2010 1:26:47 AM | Computer Name = YOUR-OCAX1O1WNC | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 1/6/2010 6:50:15 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 1/6/2010 6:53:49 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 1/6/2010 6:59:49 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 1/6/2010 7:26:33 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

Error - 1/6/2010 7:31:41 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Application Error | ID = 1000
Description = Faulting application ViewpointService.exe, version 2.0.0.54, faulting
module ViewpointService.exe, version 2.0.0.54, fault address 0x00002250.

[ System Events ]
Error - 9/27/2009 4:51:14 AM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/1/2009 12:34:20 AM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/5/2009 1:13:54 AM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/10/2009 4:14:14 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/13/2009 2:30:36 AM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/16/2009 8:55:05 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/19/2009 3:30:22 AM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/20/2009 8:08:30 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.0.3 for the Network Card with network
address 00248C24957B has been denied by the DHCP server 192.168.1.254 (The DHCP
Server sent a DHCPNACK message).

Error - 10/21/2009 3:30:23 AM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 10/23/2009 3:07:45 PM | Computer Name = YOUR-OCAX1O1WNC | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.


< End of report >

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by Belahzur on Wed Jan 06, 2010 11:47 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 3
    Viewpoint Media Player

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :OTL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O4 - HKCU..\Run: [Malware Defense] C:\Program Files\Malware Defense\mdefense.exe ()
    O4 - HKCU..\Run: [settdebugx.exe] C:\Documents and Settings\Angelito Pangilinan\Local Settings\Temp\settdebugx.exe (Microsoft Corporation)
    O33 - MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\Shell - "" = AutoRun
    O33 - MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
    O33 - MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\Shell - "" = AutoRun
    O33 - MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
    O33 - MountPoints2\E\Shell - "" = AutoRun
    O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
    [2010/01/04 19:10:08 | 00,000,000 | ---D | C] -- C:\Program Files\Malware Defense
    [2010/01/06 15:00:48 | 00,000,856 | ---- | M] () -- C:\WINDOWS\System32\krl32mainweq.dll

    :commands
    [emptytemp]
    [reboot]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

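A small triage pass over O4 and O33 lines of the kind listed in the fix above, added here as an example (it is not OTL code and not Belahzur's script): it flags an autostart whose binary carries no company info, one that runs from a Temp folder while claiming Microsoft, and removable-drive AutoRun commands whose target is gone. The IgfxTray line and its company string are constructed as a benign control.

```python
"""Triage pass over OTL-style O4 (Run key) and O33 (MountPoints2) log lines.

Added example for this thread; not part of OTL and not the helper's fix
script.  It flags the traits that made the entries in the fix stand out.
"""
import re
from dataclasses import dataclass

# Sample input (constructed from the thread): the Malware Defense, settdebugx
# and O33 lines are copied from the fix script above; the IgfxTray line and
# its "(Intel Corporation)" string are made up here as a benign control.
SAMPLE_LOG = r"""
O4 - HKCU..\Run: [Malware Defense] C:\Program Files\Malware Defense\mdefense.exe ()
O4 - HKCU..\Run: [settdebugx.exe] C:\Documents and Settings\Angelito Pangilinan\Local Settings\Temp\settdebugx.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O33 - MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\Shell\AutoRun\command - "" = E:\AutoRun.exe -- File not found
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
"""

# O4 - <hive>..\<key>: [<name>] <path> (<company>)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKU)\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<path>.*?) \((?P<company>[^()]*)\)$"
)
# O33 - MountPoints2\<subkey> - "" = <value>
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<subkey>\S+) - "" = (?P<value>.*)$')

# Heuristics (assumptions of this example, not OTL rules).
TEMP_MARKERS = ("\\local settings\\temp\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
MISSING = "-- File not found"


@dataclass
class Finding:
    kind: str    # "O4" or "O33"
    name: str    # Run value name, or the MountPoints2 volume subkey
    target: str  # path the entry launches
    reason: str


def triage(log_text: str) -> list:
    """Return one Finding per suspicious trait seen in the O4/O33 lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path, company = m["path"], m["company"].strip()
            low = path.lower()
            # OTL prints "()" when the binary has no company/version resource.
            if not company:
                findings.append(Finding("O4", m["name"], path,
                                        "binary carries no company/version info"))
            # Autostarts launched from a user's Temp folder are rarely legitimate.
            if any(t in low for t in TEMP_MARKERS):
                findings.append(Finding("O4", m["name"], path,
                                        "autostart launched from a Temp folder"))
            # A Microsoft company string outside Windows/Program Files is easy
            # to forge in the version resource and worth a second look.
            if company == "Microsoft Corporation" and not low.startswith(TRUSTED_ROOTS):
                findings.append(Finding("O4", m["name"], path,
                                        "claims Microsoft but lives outside Windows/Program Files"))
            continue
        m = O33_RE.match(line)
        # Only the ...\Shell\AutoRun\command value actually launches something.
        if m and m["subkey"].lower().endswith("\\shell\\autorun\\command"):
            value = m["value"].strip()
            orphaned = value.endswith(MISSING)
            target = value[: -len(MISSING)].strip() if orphaned else value
            reason = "removable-drive AutoRun command"
            if orphaned:
                reason += " (target missing, orphaned entry)"
            findings.append(Finding("O33", m["subkey"].split("\\")[0], target, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.name:<40} {f.reason}\n     -> {f.target}")
```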

Re: "Malware Defense" malware?

Post by GMan316 on Wed Jan 06, 2010 11:55 pm

When I tried to remove Java(TM) 6 Update 3 I got the following message:

"The windows installer service could not be accessed. This can occur if you are running windows in safe mode, or if the windows installer is not correctly installed. Contact your support personnel for assistance."

I was able to remove Viewpoint Media Player though.

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by Belahzur on Wed Jan 06, 2010 11:56 pm

Okay, leave that till later; it's because you're in Safe Mode. Once you do the fix and reboot back to normal mode, you can remove the Java there.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 12:00 am

[You must be registered and logged in to see this link.] wrote:Okay, leave that till later; it's because you're in Safe Mode. Once you do the fix and reboot back to normal mode, you can remove the Java there.

Would you like me to run the OTL with the fix while in safe mode? Or do you want me to reboot and get back in normal mode?

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by Belahzur on Thu Jan 07, 2010 12:02 am

Safe Mode please.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 12:11 am

Here is the fix log:

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Malware Defense deleted successfully.
C:\Program Files\Malware Defense\mdefense.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\settdebugx.exe deleted successfully.
C:\Documents and Settings\Angelito Pangilinan\Local Settings\Temp\settdebugx.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a66da164-2784-11de-9fc7-002243bb5762}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a66da164-2784-11de-9fc7-002243bb5762}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a66da164-2784-11de-9fc7-002243bb5762}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a66da164-2784-11de-9fc7-002243bb5762}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a66da167-2784-11de-9fc7-002243bb5762}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a66da167-2784-11de-9fc7-002243bb5762}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a66da167-2784-11de-9fc7-002243bb5762}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a66da167-2784-11de-9fc7-002243bb5762}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
File E:\LaunchU3.exe not found.
C:\Program Files\Malware Defense folder moved successfully.
C:\WINDOWS\system32\krl32mainweq.dll moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Angelito Pangilinan
->Temp folder emptied: 50971090 bytes
->Temporary Internet Files folder emptied: 197174 bytes
->Java cache emptied: 957901 bytes
->FireFox cache emptied: 58865523 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 22171082 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 23944290 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 150.00 mb


OTL by OldTimer - Version 3.1.21.0 log created on 01062010_160753

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by Belahzur on Thu Jan 07, 2010 12:14 am

Okay, are you in normal mode now? If so, remove the old Java version now.

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the second option where it says "This special release provides a few key fixes.".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version.

To remove all of the tools we used and the files and folders they created do the following:
Double click OTL.exe.

  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

How is the machine running now?




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 12:32 am

I deleted and installed the new Java. Malware Defense appears to be gone. Thanks a lot Belahzur, I really appreciate all the help. You're a life saver, man.

One thing though: it seems to keep freezing. Is this attributable to the hard resets I've done? After my first time back in normal mode I tried to download the new Java and it froze. So I ended up downloading the Java from this computer and transferring the installer via USB. Now, after I've installed the new Java, the machine has frozen on me again. Any ideas as to what the problem could be?

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by Belahzur on Thu Jan 07, 2010 12:37 am

Could be some damage from the malware too. Let me think
Post a new Hijack This log please.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 1:36 am

[You must be registered and logged in to see this link.] wrote:Could be some damage from the malware too. Let me think
Post a new Hijack This log please.

Sorry for the long response, I got preoccupied with a couple of things.

I just rebooted the system and it has frozen on me again. I'll do another hard reset and try to run HijackThis, although with the way it's been going I doubt HijackThis will be able to finish before it freezes again.

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 1:38 am

It just now froze on the "Welcome" part of Windows. Should I try to run HijackThis in safe mode?

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 2:13 am

I switched it back to safe mode, and it's running fine (no freezing). However, I am unable to install either HijackThis or Malwarebytes. When I double-click on either installer nothing happens.

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by Belahzur on Thu Jan 07, 2010 2:01 pm

Delete the installer, then re-download it; the malware has likely messed with the installer.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 8:18 pm

[You must be registered and logged in to see this link.] wrote:Delete the installer, then re-download it; the malware has likely messed with the installer.

Ok, in case that doesn't work what should I try next? Thanks.

One thing I found also is that Malware Defense is still in my Start menu. However, when I checked under C:\Program Files I didn't find it there.

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 8:41 pm

I re-downloaded the installers like you suggested. I couldn't get them to work in normal mode because of the freezing, but when I try them in safe mode I get the following message.

" The system administrator has set policies to prevent this installation. "

I rebooted and logged in as the administrator and I got the same message. So it seems I've hit another road block.

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by Belahzur on Thu Jan 07, 2010 11:17 pm

Try this instead.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 11:26 pm

[You must be registered and logged in to see this link.] wrote:Try this instead.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH LOGS back here, use more than one post if needed.

Is it alright if I do it in safe mode? I can't seem to use normal mode without it freezing up on me.

GMan316
Intermediate

Posts : 88
Joined : 2009-08-23
OS : Windows XP Pro


Re: "Malware Defense" malware?

Post by Belahzur on Thu Jan 07, 2010 11:27 pm

Yep.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre


Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 11:40 pm

Here is the DDS log:


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Angelito Pangilinan at 15:38:29.78 on Thu 01/07/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1773 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Angelito Pangilinan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe
mRun: [ETDWareDetect] c:\program files\elantech\ETDDect.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\angeli~1\applic~1\mozilla\firefox\profiles\0tue9jez.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - hidden: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-8-29 625024]

=============== Created Last 30 ================

2010-01-07 00:30:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-07 00:30:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-07 00:09:59 857 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-07 00:07:53 0 d-----w- C:\_OTL
2010-01-05 02:57:22 202 ----a-w- c:\windows\system32\srcr.dat
2009-12-29 11:06:43 0 d-----w- c:\windows\system32\XPSViewer
2009-12-29 11:05:29 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-29 11:05:29 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-29 11:05:29 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-29 11:05:29 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-29 11:05:29 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-29 11:05:28 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-29 11:05:28 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-29 11:05:28 0 d-----w- C:\9bdb8e80f0b1b57487be468f
2009-12-28 09:50:07 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-28 09:49:08 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-28 09:49:07 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-28 09:49:06 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-28 09:48:19 2560 ------w- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2008-05-07 23:34:00 15523560 ----a-w- c:\program files\Install AiGuruU1 Skype Phone.exe

============= FINISH: 15:39:20.15 ===============

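The "Created Last 30" section of the DDS log above is where the two files Belahzur later targets, krl32mainweq.dll and srcr.dat, stand out: both were written straight into system32, neither coincides with a Windows Update burst, and an 857-byte .dll cannot be a valid PE module (the OTM log further down confirms LoadLibrary fails on it). As an added example that is not code from the thread, from DDS or from OTM, the Python script below applies that reading mechanically: it parses each DDS file line, ignores files created within a few minutes of a dllcache write (the fingerprint of hotfix installation), and flags what remains in system32 if it is a non-module file type or too small to be a real module. The 5-minute window and the 1 KiB size floor are this example's own assumptions, not DDS rules; the sample lines are copied from the log posted above.

```python
"""Triage the "Created Last 30" section of a DDS log (added example, not DDS/OTM code).

Heuristic: a file dropped directly into system32 that is not part of a
Windows Update/hotfix burst and is either a non-module file type or far
too small to be a genuine PE module deserves a closer look.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Sample input: the "Created Last 30" lines copied from the DDS log above.
SAMPLE = r"""
2010-01-07 00:30:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-07 00:30:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-07 00:09:59 857 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-07 00:07:53 0 d-----w- C:\_OTL
2010-01-05 02:57:22 202 ----a-w- c:\windows\system32\srcr.dat
2009-12-29 11:06:43 0 d-----w- c:\windows\system32\XPSViewer
2009-12-29 11:05:29 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-29 11:05:29 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-29 11:05:29 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-29 11:05:29 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-29 11:05:29 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-29 11:05:28 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-29 11:05:28 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-29 11:05:28 0 d-----w- C:\9bdb8e80f0b1b57487be468f
2009-12-28 09:50:07 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-12-28 09:49:08 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-28 09:49:07 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-28 09:49:06 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-28 09:48:19 2560 ------w- c:\windows\system32\xpsp4res.dll
"""

# DDS prints: date time size attrs path
DDS_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+)$")

SYSTEM32 = "c:\\windows\\system32\\"
DLLCACHE = "\\dllcache\\"
MODULE_EXT = {".dll", ".exe", ".sys", ".cpl", ".ocx", ".drv", ".ax"}
MIN_PE_SIZE = 1024                    # assumption: no genuine PE module is this small
UPDATE_WINDOW = timedelta(minutes=5)  # assumption: hotfix writes cluster this tightly


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")  # DDS marks directories with a leading 'd'


def parse(text: str) -> list[Entry]:
    """Parse DDS file lines; anything not in the date/time/size/attrs/path shape is skipped."""
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue
        day, clock, size, attrs, path = m.groups()
        entries.append(Entry(datetime.fromisoformat(f"{day} {clock}"), int(size), attrs, path.lower()))
    return entries


def triage(entries: list[Entry]) -> dict[str, list[str]]:
    """Return {path: [reasons]} for system32 files that deserve a closer look."""
    # Writes into dllcache are the fingerprint of Windows Update / hotfix activity.
    update_times = [e.when for e in entries if DLLCACHE in e.path]
    findings: dict[str, list[str]] = {}
    for e in entries:
        if e.is_dir or DLLCACHE in e.path or not e.path.startswith(SYSTEM32):
            continue
        if any(abs(e.when - t) <= UPDATE_WINDOW for t in update_times):
            continue  # created alongside a patch burst: treated as legitimate
        ext = ntpath.splitext(e.path)[1]
        reasons = []
        if ext in MODULE_EXT and e.size < MIN_PE_SIZE:
            reasons.append(f"{e.size}-byte {ext} file cannot be a valid PE module")
        if ext not in MODULE_EXT:
            reasons.append(f"non-module {ext or 'extensionless'} file written directly into system32")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse(SAMPLE)).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the script reports exactly the two files that were moved by OTM later in the thread and stays quiet about the Java installer's javacpl.cpl/deploytk.dll and the XPS/hotfix files, which is the judgement the helper made by eye.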

Re: "Malware Defense" malware?

Post by GMan316 on Thu Jan 07, 2010 11:40 pm

Here is the attach log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/7/2009 6:05:54 PM
System Uptime: 1/7/2010 3:36:43 PM (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | 1000H
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | PBGA 437 | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 80 GiB total, 45.264 GiB free.
D: is FIXED (NTFS) - 61 GiB total, 38.047 GiB free.
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP25: 10/10/2009 2:15:00 PM - System Checkpoint
RP26: 10/13/2009 9:39:18 PM - System Checkpoint
RP27: 10/16/2009 9:33:00 PM - System Checkpoint
RP28: 10/19/2009 12:45:37 AM - System Checkpoint
RP29: 10/20/2009 5:26:37 PM - System Checkpoint
RP30: 10/21/2009 5:43:18 PM - System Checkpoint
RP31: 10/23/2009 2:05:02 PM - System Checkpoint
RP32: 10/25/2009 11:10:28 PM - System Checkpoint
RP33: 10/29/2009 12:29:54 AM - System Checkpoint
RP34: 11/1/2009 9:13:38 PM - System Checkpoint
RP35: 11/2/2009 9:57:21 PM - System Checkpoint
RP36: 11/8/2009 11:05:52 PM - System Checkpoint
RP37: 11/10/2009 11:42:08 PM - System Checkpoint
RP38: 11/12/2009 9:33:47 PM - System Checkpoint
RP39: 11/13/2009 9:39:47 PM - System Checkpoint
RP40: 11/15/2009 1:33:23 PM - System Checkpoint
RP41: 11/19/2009 12:50:51 AM - System Checkpoint
RP42: 12/5/2009 2:33:40 PM - System Checkpoint
RP43: 12/5/2009 4:15:34 PM - Software Distribution Service 3.0
RP44: 12/20/2009 1:57:55 AM - System Checkpoint
RP45: 12/21/2009 2:29:49 AM - System Checkpoint
RP46: 12/22/2009 9:45:36 PM - System Checkpoint
RP47: 12/25/2009 10:14:46 PM - System Checkpoint
RP48: 12/26/2009 10:34:04 PM - System Checkpoint
RP49: 12/28/2009 1:56:44 AM - Software Distribution Service 3.0
RP50: 12/28/2009 3:16:12 PM - Software Distribution Service 3.0
RP51: 12/28/2009 5:01:56 PM - Software Distribution Service 3.0
RP52: 12/28/2009 11:18:33 PM - Software Distribution Service 3.0
RP53: 12/29/2009 3:00:15 AM - Software Distribution Service 3.0
RP54: 12/31/2009 7:26:40 PM - System Checkpoint
RP55: 12/31/2009 8:02:14 PM - Software Distribution Service 3.0
RP56: 1/1/2010 9:19:55 PM - System Checkpoint

==== Installed Programs ======================


Adabas D 13.01.00
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.1
Agent
AIM 6
Asus ACPI Driver
ASUSUpdate for Eee PC
Atheros Communications Inc.(R) AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
Azurewave Wireless LAN
Compatibility Pack for the 2007 Office system
Eee Instant Key
Eee Storage 1.1.15.197
ETDWare PS/2-x86 7.0.3.8 WHQL 03Sep08
FTDI USB Serial Converter Drivers
Full Tilt Poker
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Intel(R) Graphics Media Accelerator Driver
InterVideo Register Manager
InterVideo WinDVD
Java(TM) 6 Update 17
Malware Defense
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft VC9 runtime libraries
Microsoft Works
Mobile Partner
Mozilla Firefox (3.0.16)
MySpaceIM
Realtek High Definition Audio Driver
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB976325)
Skype™ 3.6
StarOffice 8 ASUS Edition
Super Hybrid Engine
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WIDCOMM Bluetooth Software
Windows Driver Package - FTDI FTDI VCP Driver Package (12/12/2005 1.00.2176)
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Writer

==== Event Viewer Messages From Past Week ========

1/7/2010 12:47:46 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service COMSysApp with arguments "" in order to run the server: {182C40F0-32E4-11D0-818B-00A0C9231C29}
1/7/2010 12:39:15 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
1/7/2010 12:39:15 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
1/7/2010 12:39:15 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/7/2010 12:39:15 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
1/7/2010 12:39:15 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
1/6/2010 4:19:58 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified.
1/6/2010 3:54:07 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
1/6/2010 3:53:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
1/6/2010 3:51:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
1/6/2010 3:51:14 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
1/6/2010 3:39:03 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
1/6/2010 3:37:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/6/2010 3:33:09 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
1/6/2010 3:33:09 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/4/2010 5:47:11 PM, error: Dhcp [1002] - The IP address lease 192.168.0.5 for the Network Card with network address 00248C24957B has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================


Re: "Malware Defense" malware?

Post by Belahzur on Fri Jan 08, 2010 12:00 am

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Malware Defense

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    Viewpoint Manager Service

    :files
    c:\windows\system32\krl32mainweq.dll
    C:\_OTL
    c:\windows\system32\srcr.dat


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: "Malware Defense" malware?

Post by GMan316 on Fri Jan 08, 2010 12:08 am

Here is the OTM log:

========== SERVICES/DRIVERS ==========
Service Viewpoint Manager Service stopped successfully!
Service Viewpoint Manager Service deleted successfully!
========== FILES ==========
LoadLibrary failed for c:\windows\system32\krl32mainweq.dll
c:\windows\system32\krl32mainweq.dll moved successfully.
C:\_OTL\MovedFiles\01062010_160753\C_WINDOWS\system32 folder moved successfully.
C:\_OTL\MovedFiles\01062010_160753\C_WINDOWS folder moved successfully.
C:\_OTL\MovedFiles\01062010_160753\C_Program Files\Malware Defense folder moved successfully.
C:\_OTL\MovedFiles\01062010_160753\C_Program Files folder moved successfully.
C:\_OTL\MovedFiles\01062010_160753\C_Documents and Settings\Angelito Pangilinan\Local Settings\Temp folder moved successfully.
C:\_OTL\MovedFiles\01062010_160753\C_Documents and Settings\Angelito Pangilinan\Local Settings folder moved successfully.
C:\_OTL\MovedFiles\01062010_160753\C_Documents and Settings\Angelito Pangilinan folder moved successfully.
C:\_OTL\MovedFiles\01062010_160753\C_Documents and Settings folder moved successfully.
C:\_OTL\MovedFiles\01062010_160753 folder moved successfully.
C:\_OTL\MovedFiles folder moved successfully.
C:\_OTL folder moved successfully.
c:\windows\system32\srcr.dat moved successfully.

OTM by OldTimer - Version 3.1.4.0 log created on 01072010_160748


Re: "Malware Defense" malware?

Post by Belahzur on Fri Jan 08, 2010 12:10 am

We can remove OTMoveIt now.

  • Please double-click OTM.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?



Re: "Malware Defense" malware?

Post by GMan316 on Fri Jan 08, 2010 12:22 am

I did the OTM cleanup and then rebooted. The machine froze on the welcome part, I gave it a couple of mins to try to load and when it didn't I turned it off. Turned it back on after about 30 secs and it appears to be running fine now. I think you did it Belahzur. I really appreciate all the help man, you're awesome :)

Would you still like me to run hijackthis and malwarebytes? Or is that no longer necessary? Also what programs should I put on this to prevent this kind of thing from happening again? I use avira anti vir on my desktop, is there anything else I should get? Should I consider using another browser other than firefox?

EDIT:

When I opened up the Firefox browser an add-on pop-up came up. It's Microsoft .NET Framework Assistant 1.1. Should I disable it or uninstall?


Last edited by GMan316 on Fri Jan 08, 2010 12:24 am; edited 1 time in total


Re: "Malware Defense" malware?

Post by Belahzur on Fri Jan 08, 2010 12:23 am

You can run MBAM if you want to, but I doubt it will find anything [under quick scan that is, full scan would likely find infected restore points or quarantined items]


We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. :D



Re: "Malware Defense" malware?

Post by GMan316 on Fri Jan 08, 2010 12:33 am

Awesome, thanks again for all the help Belahzur. You're a lifesaver man.
