possible adware.e404 & backdoor.VB.GRP infection


Solved possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 9:54 am

Greetings, I'm hoping you will be able to help me out in getting rid of some infections I picked up when attempting to download WinRAR on 30/12/2008 in order to view a torrent I had downloaded. I noticed the problem when IE was redirected to a Microsoft security center page. I ran Norton 360 and it removed a backdoor.trojan. I changed the home pages back to the correct address and at first thought I had the problem fixed. I then joined your website and took some advice to switch to Firefox and download NoAdware. Both these programs identified further infections but wanted a fee paid (membership reg) in order to fix the problems. Given the infections I'm very hesitant to look at my internet banking, let alone put credit card details into the programs' websites in order for them to fix the problems. So I then found a further program on the PC Tools website (claiming 100% free) called Spyware Doctor. Turns out it's not free to get the fix, just to identify the adware and backdoor.VB.GRP.

Can anyone help me with this? Attached is my HijackThis log, and I'll add on my uninstall list.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:55 PM, on 3/01/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\alg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Users\Ciaron\Program Files\DNA\btdna.exe
C:\Users\Ciaron\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Ciaron\Downloads\hijackgpthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 10.1.1.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 antispyware.com
O1 - Hosts: 61.157.217.210 antispy.com
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.16.197.121 [You must be registered and logged in to see this link.]
O1 - Hosts: 61.157.217.210 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O1 - Hosts: 123.251.143.110 [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CmjBrowserHelperObject Object - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Ciaron\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Ciaron\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Send to Mindjet MindManager - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 11553 bytes
Thank You! Thank You!

the duke of paddy
Novice

Posts : 12
Joined : 2009-01-01
Gender : Male
OS : vista


Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 9:56 am

Hi, uninstall list according to HijackThis as recommended.
cheers!

2007 Microsoft Office system
3 Mobile Broadband
3Planesoft Screensaver Manager 1.1
Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
AppCore
Apple Mobile Device Support
Apple Software Update
Bonjour
Caricature Studio 3.0
ccCommon
CCHelp
CCScore
Component Framework
ESSAdpt
ESSANUP
ESSCAM
ESSCDBK
ESShelp
ESSini
ESSPCD
ESSSONIC
HijackThis 2.0.2
HLPIndex
HLPRFO
iTunes
Kodak EasyShare software
KSU
LG PC Sync
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel 2007
Microsoft Office Excel 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mindjet MindManager Pro 7
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Nero 7 Essentials
neroxml
NoAdware v5.0
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton Protection Center
Notifier
NVIDIA Drivers
OTtBP
OTtBPSDK
PCDADDIN
PCDHELP
PCDLNCH
PDF-XChange 3
Planetairum Gold
QuickTime
Realtek High Definition Audio Driver
Rome - Total War - Gold Edition
SFR2
SPBBC 32bit
Spybot - Search & Destroy
Spyware Doctor 6.0
Spyware Terminator
SpywareGuard v2.2
Tropical Fish 3D Screensaver 1.1
WinRAR archiver


Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sat Jan 03, 2009 3:02 pm

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

Download HostsXpert from [You must be registered and logged in to see this link.]

  • Unzip it.
  • Right click the program > "Run as administrator" to open the program.
  • If "Make writeable?" is shown in red at the top, click it to make writeable.
  • Press "Restore MS Hosts File"
  • OK the prompt.
  • Then click on "Make read only"
  • Exit HostsXpert.


Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

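The hosts-file hijack visible in the HijackThis log posted above (dozens of names all mapped to 61.157.217.210 or 123.251.143.110) is exactly what the "Restore MS Hosts File" step in the reply undoes. As an added illustration that is not part of this thread and not from any of the tools mentioned, the following Python script parses plain hosts-file lines and HijackThis "O1 - Hosts:" lines, ignores loopback and unspecified targets (those only block a name and cannot redirect traffic), and groups the remaining names by the routable IP they point to, so that the many-names-to-one-IP pattern stands out. The sample lines are constructed: the IP addresses and the two hostnames antispyware.com and antispy.com come from the posted log, while the other hostnames are placeholders, since the forum software hid the real ones behind a login notice.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input in the shape of a Windows hosts file mixed with
# HijackThis "O1 - Hosts:" lines. IPs and the two visible hostnames are from
# the log in this thread; the ".invalid" names are placeholders (assumption).
SAMPLE_LINES = [
    "# Copyright (c) 1993-2006 Microsoft Corp.",
    "127.0.0.1       localhost",
    "::1             localhost",
    "O1 - Hosts: 61.157.217.210 antispyware.com",
    "O1 - Hosts: 61.157.217.210 antispy.com",
    "O1 - Hosts: 123.251.143.110 example-av-vendor.invalid",
    "O1 - Hosts: 123.251.143.110 example-update-server.invalid",
    "O1 - Hosts: 123.16.197.121 example-security-site.invalid",
    "0.0.0.0         ads.example.invalid   # deliberate ad block, benign",
]

# HijackThis prefixes each hosts entry with "O1 - Hosts:"; strip it so the
# remainder parses like an ordinary hosts-file line.
_O1_PREFIX = re.compile(r"^O1\s*-\s*Hosts:\s*", re.IGNORECASE)


def parse_hosts_line(line):
    """Return (ip, [hostnames]) for a hosts-file or HijackThis O1 line.

    Comments, blank lines and lines whose first field is not an IP address
    return None.
    """
    line = _O1_PREFIX.sub("", line.strip())
    line = line.split("#", 1)[0].strip()  # drop trailing comments
    if not line:
        return None
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ip = ipaddress.ip_address(parts[0])
    except ValueError:
        return None
    return ip, parts[1:]


def is_sinkhole(ip):
    """Loopback (127.x, ::1) and unspecified (0.0.0.0) targets only block a
    name; they cannot send traffic to a third party, so they are not a
    redirect hijack."""
    return ip.is_loopback or ip.is_unspecified


def find_redirects(lines):
    """Group hostnames by the routable IP they are mapped to.

    Returns {ip_string: [hostnames...]} with sinkhole entries omitted.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_hosts_line(line)
        if parsed is None:
            continue
        ip, names = parsed
        if is_sinkhole(ip):
            continue
        by_ip[str(ip)].extend(names)
    return dict(by_ip)


def hijack_report(lines, min_names=2):
    """Return [(ip, hostname_count)] for routable IPs collecting at least
    min_names hostnames, most-collected first. Many unrelated names pointing
    at one routable address is the hosts-file hijack pattern in this thread."""
    grouped = find_redirects(lines)
    return sorted(
        ((ip, len(names)) for ip, names in grouped.items() if len(names) >= min_names),
        key=lambda entry: -entry[1],
    )


if __name__ == "__main__":
    grouped = find_redirects(SAMPLE_LINES)
    for ip, count in hijack_report(SAMPLE_LINES):
        print(f"{ip} collects {count} hostnames: {', '.join(grouped[ip])}")
```

On a real machine the same functions can be fed the lines of `C:\Windows\System32\drivers\etc\hosts` directly; a clean default Windows hosts file yields an empty report because it contains only loopback entries.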

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 5:18 pm

Greetings Belahzur, I've followed your steps 1, 2, 3 & 4. No prompts when I unchecked "Resident TeaTimer". I re-opened it and it is indeed no longer checked.

I'm sorry, but I forgot to note I had run Malwarebytes previously (after I had read your system security recommendations). This time I ran updates again and a quick scan as you have advised. Nothing was located. The following is the log from Malwarebytes.

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 6.0.6001 Service Pack 1

4/01/2009 2:14:37 AM
mbam-log-2009-01-04 (02-14-37).txt

Scan type: Quick Scan
Objects scanned: 51363
Time elapsed: 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sat Jan 03, 2009 5:24 pm

Hello.
MBAM scan is clean. Did HostsXpert work?


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste the report back here.





Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 5:31 pm

Hey, yeah, HostsXpert worked fine, I should have mentioned that.
Here is the DDS log.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 18/08/2008 6:31:56 PM
System Uptime: 1/04/2009 1:37:42 AM (-2087 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-N650SLI-DS4L
Processor: Intel(R) Core(TM)2 Duo CPU E6850 @ 3.00GHz | Socket 775 | 2000/333mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 205.904 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP149: 12/11/2008 7:59:58 PM - Installed Microsoft Office Excel 2007
RP151: 12/11/2008 8:01:41 PM - Installed Microsoft Office Excel 2007
RP152: 15/11/2008 11:20:35 AM - Scheduled Checkpoint
RP153: 19/11/2008 6:41:31 PM - Scheduled Checkpoint
RP154: 22/11/2008 4:37:40 PM - Scheduled Checkpoint
RP155: 23/11/2008 5:56:34 PM - Scheduled Checkpoint
RP156: 3/12/2008 6:48:37 PM - Installed Caricature Studio 3.0
RP157: 9/12/2008 9:25:01 PM - Scheduled Checkpoint
RP158: 22/12/2008 11:57:51 PM - Windows Update
RP159: 23/12/2008 12:42:34 PM - Windows Update
RP160: 24/12/2008 2:45:53 PM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
RP162: 24/12/2008 4:58:51 PM - Installed ActiveSpeed
RP163: 26/12/2008 8:08:56 PM - Scheduled Checkpoint
RP164: 27/12/2008 8:23:21 PM - Scheduled Checkpoint
RP166: 29/12/2008 11:10:37 AM - Removed ActiveSpeed
RP167: 30/12/2008 11:31:49 AM - Scheduled Checkpoint
RP168: 1/01/2009 5:39:08 PM - Scheduled Checkpoint
RP169: 1/01/2009 7:22:05 PM - Windows Update
RP170: 2/01/2009 5:26:02 PM - Scheduled Checkpoint
RP171: 3/01/2009 5:45:30 PM - Scheduled Checkpoint

==== Installed Programs ======================

2007 Microsoft Office system
3 Mobile Broadband
3Planesoft Screensaver Manager 1.1
Activation Assistant for the 2007 Microsoft Office suites
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AppCore
Apple Mobile Device Support
Apple Software Update
µTorrent
Bonjour
Caricature Studio 3.0
ccCommon
CCHelp
CCScore
Component Framework
DNA
ESSAdpt
ESSANUP
ESSCAM
ESSCDBK
ESShelp
ESSini
ESSPCD
ESSSONIC
Google Chrome
HijackThis 2.0.2
HLPIndex
HLPRFO
ISScript
iTunes
Kodak EasyShare software
KSU
LG PC Sync
LightScribe System Software 1.10.13.1
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Mindjet MindManager Pro 7
Mozilla Firefox (3.0.5)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Nero 7 Essentials
neroxml
NoAdware v5.0
Norton AntiVirus
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Help
Norton Protection Center
Notifier
NVIDIA Drivers
OTtBP
OTtBPSDK
PCDADDIN
PCDHELP
PCDLNCH
PDF-XChange 3
Planetairum Gold
QuickTime
Realtek High Definition Audio Driver
Rome - Total War - Gold Edition
SFR2
SPBBC 32bit
Spybot - Search & Destroy
Spyware Doctor 6.0
Spyware Terminator
SpywareGuard v2.2
Symantec Real Time Storage Protection Component
SymNet
Tropical Fish 3D Screensaver 1.1
WinRAR archiver

==== Event Viewer Messages From Past Week ========

28/12/2008 12:01:47 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
28/12/2008 1:43:24 AM, Error: EventLog [6008] - The previous system shutdown at 1:31:34 AM on 28/12/2008 was unexpected.
30/12/2008 5:31:44 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{3BE86ADD-7394-4232-8CA4-6442880704FF} because another computer on the network has the same name. The server could not start.
30/12/2008 9:57:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
30/12/2008 9:57:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
30/12/2008 9:57:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
30/12/2008 9:57:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
30/12/2008 9:57:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
30/12/2008 9:57:42 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
30/12/2008 9:57:56 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC eeCtrl NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb SPBBCDrv spldr SRTSPX SymIM SYMTDI Tcpip tdx Wanarpv6
2/01/2009 12:25:27 PM, Error: EventLog [6008] - The previous system shutdown at 12:24:01 PM on 2/01/2009 was unexpected.
4/01/2009 1:38:13 AM, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): '\??\C:\Users\Ciaron\AppData\Local\Microsoft\Windows\UsrClass.dat' was corrupted and it has been recovered. Some data might have been lost.

==== End Of File ===========================

the duke of paddy
Novice
Novice

Status :
Online
Offline

Posts : 12
Joined : 2009-01-01
Gender : Male
OS : vista

View user profile

Back to top Go down

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sat Jan 03, 2009 5:49 pm

Hello.
You've posted attach.txt, but I need to see DDS.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 6:07 pm

Sorry mate, is this right?


DDS (Version 1.1.0) - NTFSx86
Run by Ciaron at 3:03:42.95 on Sun 04/01/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.3327.2195 [GMT 9:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\alg.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Users\Ciaron\Program Files\DNA\btdna.exe
C:\Users\Ciaron\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ciaron\Downloads\dds(2).com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uSearch Page = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mLocal Page = \blank.htm
mDefault_Search_URL = [You must be registered and logged in to see this link.]
mSearch Page = [You must be registered and logged in to see this link.]
mSearch Bar =
mSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
mSearchURL = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CmjBrowserHelperObject Object: {07a11d74-9d25-4fea-a833-8b0d76a5577a} - c:\program files\mindjet\mindmanager 7\Mm7InternetExplorer.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
uRun: [BitTorrent DNA] "c:\users\ciaron\program files\dna\btdna.exe"
uRun: [Google Update] "c:\users\ciaron\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
StartupFolder: c:\users\ciaron\appdata\roaming\micros~1\windows\startm~1\programs\startup\spywar~1.lnk - c:\program files\spywareguard\sgmain.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - c:\program files\mindjet\mindmanager 7\Mm7InternetExplorer.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ciaron\appdata\roaming\mozilla\firefox\profiles\4bkulkdt.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\users\ciaron\appdata\local\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\users\ciaron\program files\dna\plugins\npbtdna.dll

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081220.001\IDSvix86.sys [2008-12-22 270384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-2 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-6-13 41008]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\common files\symantec shared\CCSVCHST.EXE [2007-8-25 149352]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-2 356920]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-5-30 23888]

=============== Created Last 30 ================

2009-01-02 18:35 141,312 a------- c:\windows\system32\drivers\sp_rsdrv2.sys
2009-01-02 18:35 --d----- c:\users\ciaron\appdata\roaming\Spyware Terminator
2009-01-02 18:35 --d----- c:\programdata\Spyware Terminator
2009-01-02 18:35 --d----- c:\progra~2\Spyware Terminator
2009-01-02 18:35 --d----- c:\program files\Spyware Terminator
2009-01-02 18:12 a-d----- c:\programdata\TEMP
2009-01-02 18:12 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-02 18:12 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-02 18:12 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-02 18:12 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-02 18:12 --d----- c:\users\ciaron\appdata\roaming\PC Tools
2009-01-02 18:12 --d----- c:\program files\Spyware Doctor
2009-01-01 22:13 --d----- c:\programdata\Spybot - Search & Destroy
2009-01-01 22:13 --d----- c:\program files\Spybot - Search & Destroy
2009-01-01 22:13 --d----- c:\progra~2\Spybot - Search & Destroy
2009-01-01 22:06 --d----- c:\program files\SpywareGuard
2009-01-01 20:11 --d----- c:\program files\NoAdware
2009-01-01 19:24 3,636 a------- c:\windows\system32\drivers\nvphy.bin
2009-01-01 19:23 1,108,512 a------- c:\windows\system32\nvcpluir.dll
2009-01-01 18:05 --d----- c:\users\ciaron\appdata\roaming\Malwarebytes
2009-01-01 18:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-01 18:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 18:05 --d----- c:\programdata\Malwarebytes
2009-01-01 18:05 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 18:05 --d----- c:\progra~2\Malwarebytes
2008-12-30 16:34 --d----- c:\program files\uTorrent
2008-12-30 16:34 --d----- c:\users\ciaron\appdata\roaming\uTorrent
2008-12-27 11:16 --d----- c:\windows\pss
2008-12-24 16:59 303,104 a------- c:\windows\system32\ciplListBar.ocx
2008-12-24 16:59 224,016 a------- c:\windows\system32\tabctl32.ocx
2008-12-24 16:59 155,648 a------- c:\windows\system32\ciplImageList.ocx
2008-12-24 14:49 --d----- c:\program files\Bonjour
2008-12-24 14:48 --d----- c:\program files\iPod
2008-12-24 14:48 --d----- c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-24 14:48 --d----- c:\program files\iTunes
2008-12-24 14:48 --d----- c:\progra~2\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 12:45 2,048 a------- c:\windows\system32\tzres.dll
2008-12-22 23:58 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-12-22 23:58 83,456 a------- c:\windows\system32\wudriver.dll
2008-12-22 23:58 162,064 a------- c:\windows\system32\wuwebv.dll
2008-12-22 23:58 31,232 a------- c:\windows\system32\wuapp.exe
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll

==================== Find3M ====================

2009-01-01 19:24 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-01 19:24 51,200 a------- c:\windows\inf\infpub.dat
2009-01-01 19:24 86,016 a------- c:\windows\inf\infstor.dat
2008-11-01 12:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 12:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 12:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 12:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 12:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-11-01 12:44 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-11-01 10:21 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-10-29 15:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-22 12:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 14:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-21 14:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 13:47 827,392 a------- c:\windows\system32\wininet.dll
2008-09-30 11:16 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 11:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 21:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 21:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 21:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 21:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 18:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 18:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 18:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 18:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 3:04:17.25 ===============

the duke of paddy

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sat Jan 03, 2009 6:10 pm

Okay, nothing there. Let's run a rootkit scan.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Belahzur

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 6:21 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

the duke of paddy

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sat Jan 03, 2009 6:25 pm

Hello.
No rootkits.

Still having problems?


Belahzur

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 6:38 pm

Hi, well the web page my wife has been trying to get into, FACEBOOK, is no longer in Japanese. But I just ran Spyware Doctor and it claims that I have 5 infections, down from 45, thank you!, and it still labels them as Adware.E404.
cheers

the duke of paddy

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sat Jan 03, 2009 6:42 pm

They may just be leftovers, have Spyware Doctor kill them and see if they return.


Belahzur

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 6:53 pm

Any way to do that without paying for the Spyware Doctor registration?

the duke of paddy

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sat Jan 03, 2009 6:57 pm

Update MBAM, then scan with it, see if that removes anything.
Or if not, does spyware doctor tell you where it's found the infection?


Belahzur

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sat Jan 03, 2009 7:20 pm

Update done, nothing found. Log pasted below.

I've re-typed what Spyware Doctor had to say as the location. I could not cut and paste.

Registry Value
HKEY_USERS\S-1-5-21-2101775472-623473062-491455594-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{446EF370-1987-49DB-AAFF-8EC680903F7A}\iexplore, Type
HKEY_USERS\S-1-5-21-2101775472-623473062-491455594-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{446EF370-1987-49DB-AAFF-8EC680903F7A}\iexplore, Flags
HKEY_USERS\S-1-5-21-2101775472-623473062-491455594-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{446EF370-1987-49DB-AAFF-8EC680903F7A}\iexplore, Time

Registry Key
HKEY_USERS\S-1-5-21-2101775472-623473062-491455594-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{446EF370-1987-49DB-AAFF-8EC680903F7A}\iexplore
HKEY_USERS\S-1-5-21-2101775472-623473062-491455594-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{446EF370-1987-49DB-AAFF-8EC680903F7A}

-----------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.31
Database version: 1602
Windows 6.0.6001 Service Pack 1

4/01/2009 4:18:14 AM
mbam-log-2009-01-04 (04-18-14).txt

Scan type: Quick Scan
Objects scanned: 51168
Time elapsed: 1 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

the duke of paddy

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sat Jan 03, 2009 7:30 pm


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    ; Removing the {446EF370-...} key also removes its iexplore subkey and the
    ; Type/Flags/Time values Spyware Doctor reported, so one entry is enough.
    [-HKEY_USERS\S-1-5-21-2101775472-623473062-491455594-1002\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{446EF370-1987-49DB-AAFF-8EC680903F7A}]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Does Spyware Doctor find them now?


Belahzur
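Before deleting an Ext\Stats entry as the fix.reg above does, a practitioner would want to know whether the CLSID it names is still registered as a COM server on the machine. The following is an added example, not code from the thread, from Spyware Doctor or from any other tool mentioned here: it walks HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats (the key IE uses to record when it last loaded each add-on), looks each CLSID up under HKCR\CLSID and under that user's own <SID>_Classes hive, and reports orphaned entries (no registration anywhere, which is what a leftover of a removed add-on looks like and what makes the reg delete safe) separately from live ones with their InprocServer32 DLL path. The registry walk needs Windows; classify() is pure Python and can also be run over CLSIDs copied from an exported .reg file. Function names and the "registered" mapping format are this example's own.

```python
"""List IE add-on usage-statistics entries (Ext\\Stats) and tell orphaned
CLSIDs from ones that still have a COM registration.

Added example for this thread; not code from DDS, Spyware Doctor or the forum.
classify() is pure Python; the registry walk needs Windows (winreg).
"""
import re
import sys

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None  # classify() still works, e.g. over CLSIDs from an exported .reg

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
STATS_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Ext\Stats"


def classify(stats_clsids, registered):
    """Split the CLSIDs found under Ext\\Stats into (orphaned, live).

    registered maps a CLSID to its InprocServer32 path, or to None when the
    CLSID has no COM registration.  Ext\\Stats only records when IE last
    loaded an add-on; an entry whose CLSID is registered nowhere cannot be
    loaded any more and is a leftover, so deleting that stats key removes
    nothing that still runs.  A CLSID that is still registered needs its DLL
    path looked at before anything is deleted.
    """
    registered = {k.upper(): v for k, v in registered.items()}
    orphaned, live = [], {}
    for clsid in stats_clsids:
        clsid = clsid.upper()
        if not GUID_RE.match(clsid):
            continue  # Ext\Stats can hold non-GUID subkeys; they are not add-ons
        path = registered.get(clsid)
        if path is None:
            orphaned.append(clsid)
        else:
            live[clsid] = path
    return sorted(orphaned), live


def _subkeys(root, path):
    """Yield the subkey names of root\\path, or nothing if the key is absent."""
    try:
        key = winreg.OpenKey(root, path)
    except OSError:
        return
    with key:
        i = 0
        while True:
            try:
                yield winreg.EnumKey(key, i)
            except OSError:  # ERROR_NO_MORE_ITEMS
                return
            i += 1


def inproc_server(clsid, sid):
    """InprocServer32 path for clsid, a marker if registered without one, else None."""
    roots = [(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}"),
             (winreg.HKEY_USERS, rf"{sid}_Classes\CLSID\{clsid}")]  # that user's Classes hive
    for root, base in roots:
        try:
            with winreg.OpenKey(root, base + r"\InprocServer32") as key:
                return winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass
    for root, base in roots:  # registered, but not as an in-process DLL
        try:
            with winreg.OpenKey(root, base):
                return "<registered, no InprocServer32>"
        except OSError:
            pass
    return None


def audit_user(sid):
    """Audit HKEY_USERS\\<sid>\\...\\Ext\\Stats; returns (orphaned, live)."""
    stats = list(_subkeys(winreg.HKEY_USERS, rf"{sid}\{STATS_SUBKEY}"))
    registered = {c: inproc_server(c, sid) for c in stats}
    return classify(stats, registered)


if __name__ == "__main__":
    if winreg is None:
        sys.exit("the registry walk needs Windows; classify() works anywhere")
    # Loaded user hives look like S-1-5-21-...-1002; skip the *_Classes hives.
    sids = sys.argv[1:] or [s for s in _subkeys(winreg.HKEY_USERS, "")
                            if s.startswith("S-1-5-21-") and not s.endswith("_Classes")]
    for sid in sids:
        orphaned, live = audit_user(sid)
        print(f"{sid}: {len(orphaned)} orphaned, {len(live)} live")
        for c in orphaned:
            print(f"  orphaned  {c}")
        for c, path in live.items():
            print(f"  live      {c} -> {path}")
```

Run it from an elevated prompt so every loaded user hive is readable; a live hit whose DLL sits under a user profile or a Temp directory is the thing to investigate, while an orphaned hit is what Belahzur's "they may just be leftovers" means in registry terms.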

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Sun Jan 04, 2009 4:37 am

Hi again, ok I've run the fix.reg and Spyware Doctor did not pick up any infections at all. However I have just run NoAdware, with update, and it has picked up 29 problems, 27 of which are registry. NoAdware doesn't seem to create reports, so here are a couple. Are these anything to worry about, given they were not picked up by anything else?
Thanks for your help to date, no errors showing at the moment.


This item was listed as SEVERE DANGER:

ITEM: bubba.wintools or adware-win Tools
Location: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Internet Explorer\Main\IEWatsonEnabled


This item was listed as NOT CRITICAL:
ITEM: GameSpy Arcade
Location:
HKEY_LOCAL_MACHINE\software\classes\.apk
HKEY_LOCAL_MACHINE\software\classes\.arcade
HKEY_LOCAL_MACHINE\software\classes\.asn
HKEY_LOCAL_MACHINE\software\classes\dsid\{a50329c7-bcc5-11d5-a481-000102c260cc}
HKEY_LOCAL_MACHINE\software\classes\gsalaunch.document
HKEY_LOCAL_MACHINE\software\classes\gsalaunch.document\shell
HKEY_LOCAL_MACHINE\software\classes\gsalaunch.document\shell\launch
HKEY_LOCAL_MACHINE\software\classes\gsapak.document
HKEY_LOCAL_MACHINE\software\classes\gsarcade
HKEY_LOCAL_MACHINE\software\classes\gsaskin.document\defaulticon
Another 10 or so of this GameSpy Arcade.
This was listed but appears to be Norton:
C:\Windows\Temp\symlcsv1

the duke of paddy

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Sun Jan 04, 2009 1:56 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Noadware


Noadware is considered a rogue and shouldn't be trusted; it's known for tons of false positives.


Belahzur

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Mon Jan 05, 2009 11:06 am

Done.

the duke of paddy

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by the duke of paddy on Mon Jan 05, 2009 11:34 am

Just ran Spyware Doctor, scan was clean. Malwarebytes' Anti-Malware also comes up clean after a full scan.
It seems you've fixed my PC, maybe I was wrong about half Elves, thanks heaps Belahzur! You're a champ!

the duke of paddy

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Belahzur on Mon Jan 05, 2009 3:06 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.


Belahzur

Solved Re: possible adware.e404 & backdoor.VB.GRP infection

Post by Doctor Inferno on Sat Feb 21, 2009 10:05 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64

View user profile

Back to top Go down
