Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91681 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Elitum.EliteBar


  • This topic is locked This topic is locked
9 replies to this topic

#1 sdmoore68

sdmoore68

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 26 October 2009 - 02:36 AM

For some reason, Spybot Search and Destroy will not get rid of this. I've run several anti-virus software from my UBCD Boot DVD and in safe mode. There were several hundred infestations. This is the last one. Please help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:54 AM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HostsMan\hm.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HostsMan] "C:\Program Files\HostsMan\hm.exe" -s
O4 - S-1-5-21-2957314554-1733425921-3318018444-500 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Administrator')
O4 - S-1-5-21-2957314554-1733425921-3318018444-500 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Administrator')
O4 - S-1-5-21-2957314554-1733425921-3318018444-500 User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Administrator')
O4 - S-1-5-21-2957314554-1733425921-3318018444-500 User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Administrator')
O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: Open with WordPerfect - c:\Program Files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1256199578796
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 9321 bytes

    Advertisements

Register to Remove


#2 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 26 October 2009 - 07:55 PM

Hello and :welcome: Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise. This may cause a delay, but I will do my best to keep it as short as possible. I am checking over your log , I will post back shortly with instructions.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#3 sdmoore68

sdmoore68

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 28 October 2009 - 12:38 AM

Thanks for your assistance - just installed a new adaware... will update if necessary.

#4 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 28 October 2009 - 09:12 PM

Hi ,

I will be helping you on removing malwares on your computer. Log research takes time, so please be patient and I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions on the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum please advice us so that we can close this thread.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

Please download ERUNT from one of the following links:
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click erunt-setup.
  • Choose a language then press Enter or click OK to continue.
  • Click Next on the Welcome window.
  • Install it using the default settings and choose No when asked to add ERUNT to the start up folder.
  • Make sure a check mark is placed beside Launch ERUNT and uncheck Show documentation.
  • Click Finish.
  • Once installed, open ERUNT.exe if it hasn't opened yet then create a registry back up.

How to create ERUNT back up:
  • Open ERUNT.exe, if it hasn't opened yet.
  • Click OK on the welcome screen.
  • Choose the default settings for the back up.
  • Make sure a check mark is placed beside System registry and Current user registry.
  • Click OK.
  • If the destination folder does not exist, ERUNT will prompt you and just click on Yes.
  • A confirmation window will popup when complete.
  • Click OK to close.

Note: To restore your registry, go to %WINDIR%\ERDNT (ex. C:\WINDOWS\ERDNT) and choose the folder which you want to restore and open ERDNT.exe

--Next--

Please download DDS by sUBs from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel.
  • Browse for the attachment file you want to upload, then click the green Upload button.
  • Once it has uploaded, click the Manage Current Attachments drop down box.
  • Click on to insert the attachment into your post

Please post both DDS logs in your next reply.

--Next--

We Need to check for Rootkits with RootRepeal
Please download RootRepeal one of these locations and save it to your desktop
Here
Here
Here
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check just these boxes:
  • Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:, and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

Logs to post in your next reply:
1. DDS logs.
2. RootRepeal log.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#5 sdmoore68

sdmoore68

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 01 November 2009 - 01:25 AM

I have been unable to run the RootRepeal successfully from SAFE MODE or from a normal boot up. Is this an indication that there is an active rootkit on the machine? ------ DDS.txt ------ DDS (Ver_09-10-26.01) - NTFSx86 NETWORK Run by Owner at 22:20:37.85 on Fri 10/30/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.149 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\AVG\AVG9\avgchsvx.exe svchost.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Program Files\Softex\OmniPass\OPXPApp.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\My Documents\Downloads\dds.pif ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com uDefault_Page_URL = hxxp://us9.hpwis.com/ uDefault_Search_URL = hxxp://srch-us9.hpwis.com/ uSearch Bar = hxxp://srch-us9.hpwis.com/ mSearch Bar = hxxp://srch-us9.hpwis.com/ uInternet Connection Wizard,ShellNext = hxxp://us9.hpwis.com/ uInternet Settings,ProxyOverride = 127.0.0.1;localhost BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hewlett-packard\digital imaging\bin\hpdtlk02.dll EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [BackupNotify] c:\program files\hewlett-packard\digital imaging\bin\backupnotify.exe uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [HostsMan] "c:\program files\hostsman\hm.exe" -s mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\\unload\hpqcmon.exe mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe" mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe mRun: [KBD] c:\hp\kbd\KBD.EXE mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect mRun: [PS2] c:\windows\system32\ps2.exe mRun: [QuickFinder Scheduler] "c:\program files\corel\wordperfect office x4\programs\QFSCHD140.EXE" mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [IgfxTray] c:\windows\system32\igfxtray.exe mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\137903\program\BackWeb-137903.exe IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll LSP: SpSubLSP.dll DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256199578796 DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll Notify: avgrsstarter - avgrsstx.dll Notify: igfxcui - igfxsrvc.dll Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\tw0zeesi.default\ FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava11.dll FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava12.dll FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava13.dll FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJava32.dll FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPJPI141_02.dll FF - plugin: c:\program files\java\j2re1.4.1_02\bin\NPOJI610.dll FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-28 64288] R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-10-25 360584] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232] S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-10-25 333192] S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968] S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480] S2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-10-25 906520] S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-10-25 285392] S2 mrtRate;mrtRate; [x] S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408] S3 USB-100;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2009-8-21 23938] =============== Created Last 30 ================ 2009-10-28 18:06:28 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2009-10-28 18:06:09 0 d-----w- c:\program files\SUPERAntiSpyware 2009-10-28 18:06:09 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com 2009-10-28 09:25:58 15880 ----a-w- c:\windows\system32\lsdelete.exe 2009-10-28 06:53:03 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys 2009-10-28 06:29:35 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys 2009-10-28 06:26:13 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-10-28 06:25:03 0 d-----w- c:\program files\Lavasoft 2009-10-27 20:29:01 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys 2009-10-27 20:29:01 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys 2009-10-26 15:12:55 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL 2009-10-26 08:21:37 0 d-----w- c:\program files\Trend Micro 2009-10-25 12:33:36 0 d--h--w- C:\$AVG 2009-10-25 12:33:17 12464 ----a-w- c:\windows\system32\avgrsstx.dll 2009-10-25 12:33:16 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-10-25 12:32:48 0 d-----w- c:\windows\system32\drivers\Avg 2009-10-25 12:32:22 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-10-25 12:32:11 0 d-----w- c:\program files\AVG 2009-10-25 12:32:10 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9 2009-10-24 12:42:06 163840 ----a-w- c:\windows\system32\igfxres.dll 2009-10-24 11:51:43 0 d-sh--w- c:\documents and settings\owner\PrivacIE 2009-10-24 11:32:16 0 d-sh--w- c:\documents and settings\owner\IETldCache 2009-10-24 09:42:29 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-10-24 09:42:27 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll 2009-10-24 09:42:27 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll 2009-10-24 09:42:26 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-10-24 09:42:26 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll 2009-10-24 09:42:26 11069440 -c----w- c:\windows\system32\dllcache\ieframe.dll 2009-10-24 09:42:15 0 d-----w- c:\windows\ie8updates 2009-10-24 09:41:57 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-10-24 09:39:32 0 dc-h--w- c:\windows\ie8 2009-10-24 05:29:33 0 d-----w- c:\program files\MSXML 4.0 2009-10-24 02:46:07 0 d-----w- c:\windows\system32\CatRoot_bak 2009-10-24 02:34:26 0 d-----w- c:\windows\system32\scripting 2009-10-24 02:34:23 0 d-----w- c:\windows\l2schemas 2009-10-24 02:34:22 0 d-----w- c:\windows\system32\en 2009-10-24 02:27:12 0 d-----w- c:\windows\network diagnostic 2009-10-24 01:55:54 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys 2009-10-24 01:55:18 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll 2009-10-24 01:54:46 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe 2009-10-24 01:54:44 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe 2009-10-24 01:54:43 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe 2009-10-24 01:49:21 272128 -c----w- c:\windows\system32\dllcache\bthport.sys 2009-10-24 01:46:44 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx 2009-10-24 01:41:18 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys 2009-10-24 01:36:10 333952 -c----w- c:\windows\system32\dllcache\srv.sys 2009-10-24 01:36:07 331776 -c----w- c:\windows\system32\dllcache\msadce.dll 2009-10-24 01:36:03 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll 2009-10-24 01:24:41 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll 2009-10-24 01:24:38 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll 2009-10-24 01:19:35 2560 ------w- c:\windows\system32\xpsp4res.dll 2009-10-24 01:19:34 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe 2009-10-24 01:19:34 1203922 -c----w- c:\windows\system32\dllcache\sysmain.sdb 2009-10-24 00:27:59 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys 2009-10-24 00:26:59 310272 -c----w- c:\windows\system32\dllcache\mp43dmod.dll 2009-10-24 00:25:57 33792 -c----w- c:\windows\system32\dllcache\custsat.dll 2009-10-23 17:10:04 0 d-----w- c:\windows\system32\wbem\AutoRecover 2009-10-23 15:31:49 221184 ----a-w- c:\windows\system32\wmpns.dll 2009-10-23 15:30:13 0 d-----w- c:\windows\peernet 2009-10-23 15:30:10 0 d-----w- c:\windows\provisioning 2009-10-23 15:27:07 0 d-----w- c:\windows\ServicePackFiles 2009-10-23 15:18:56 0 d-----w- c:\windows\EHome 2009-10-23 15:10:03 0 d-----w- c:\program files\NortonInstaller 2009-10-23 15:10:03 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller 2009-10-23 11:54:54 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys 2009-10-23 10:09:54 7208 ------w- c:\windows\system32\secupd.sig 2009-10-23 10:09:54 67866 ------w- c:\windows\system32\drivers\netwlan5.img 2009-10-23 10:09:54 4569 ------w- c:\windows\system32\secupd.dat 2009-10-23 10:09:54 11264 ------w- c:\windows\system32\spnpinst.exe 2009-10-23 07:51:33 0 d-----w- c:\docume~1\owner\applic~1\abelhadigital.com 2009-10-23 07:51:28 0 d-----w- c:\program files\HostsMan 2009-10-23 07:04:04 0 d-----w- c:\windows\system32\bits 2009-10-23 06:37:51 0 d-----w- C:\temp 2009-10-23 06:34:14 8192 ------w- c:\windows\system32\bitsprx2.dll 2009-10-23 06:34:14 7168 ------w- c:\windows\system32\bitsprx3.dll 2009-10-23 06:34:14 438784 ----a-w- c:\windows\system32\xpob2res.dll 2009-10-23 06:34:14 354304 ----a-w- c:\windows\system32\winhttp.dll 2009-10-23 06:34:14 18944 ----a-w- c:\windows\system32\qmgrprxy.dll 2009-10-23 06:31:40 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes 2009-10-23 05:24:57 0 d-----w- c:\docume~1\alluse~1\applic~1\abelhadigital.com 2009-10-22 14:35:21 0 d-----w- c:\program files\common files\Wise Installation Wizard 2009-10-22 08:22:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-22 08:22:38 18520 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-10-22 08:22:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-10-22 08:22:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-10-22 08:20:32 31768 ----a-w- c:\windows\system32\wucltui.dll.mui 2009-10-22 08:20:31 23576 ----a-w- c:\windows\system32\wuaucpl.cpl.mui 2009-10-22 08:20:31 23576 ----a-w- c:\windows\system32\wuapi.dll.mui 2009-10-22 08:20:31 213528 ----a-w- c:\windows\system32\wuaucpl.cpl 2009-10-22 08:20:31 18456 ----a-w- c:\windows\system32\wuaueng.dll.mui 2009-10-21 16:05:29 0 d-----w- c:\program files\Spybot - Search & Destroy 2009-10-21 16:05:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2009-10-21 15:59:18 0 d-----w- c:\program files\CCleaner 2009-10-21 05:03:11 0 d-----w- C:\Utils 2009-10-20 14:33:40 384 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg 2009-10-20 14:31:48 448 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg 2009-10-14 01:14:46 0 d-----w- c:\windows\Cookies 2009-10-14 01:13:16 0 d-----w- c:\windows\Recent 2009-10-08 02:09:31 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard 2009-10-08 02:04:42 0 d-----w- c:\program files\common files\iS3 2009-10-08 02:04:29 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla! 2009-10-08 01:00:30 5766726 ----a-w- c:\windows\system32\uactmp.db 2009-10-08 00:33:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files ==================== Find3M ==================== 2009-10-06 18:39:08 3922 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys 2009-10-06 18:38:55 88 --sh--r- c:\docume~1\alluse~1\applic~1\FFBAFE3DA6.sys 2009-09-25 05:37:09 81920 ------w- c:\windows\system32\ieencode.dll 2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll 2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll 2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll 2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll 2009-08-19 02:06:02 45056 ----a-w- c:\windows\NCUNINST.EXE 2009-08-18 21:57:57 20454 ----a-w- c:\windows\hpoins01.dat 2009-08-18 21:05:50 3836 ----a-w- c:\windows\viassary-hp.reg 2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll 2009-08-05 00:44:46 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe 2009-08-04 14:20:08 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe 2008-02-18 07:11:34 18048 ----a-r- c:\windows\inf\SMC2209.SYS 2006-02-06 17:50:18 0 ----a-w- c:\program files\Notes.txt 2006-02-05 01:35:06 75404 ----a-w- c:\program files\PartyPoker.RPT 2004-09-29 18:45:32 26525 ----a-r- c:\windows\inf\SMC2208.SYS 2005-04-03 14:53:12 32 --sha-w- c:\windows\{5971DA00-9E5C-4A39-B34B-16D949E026E4}.dat ============= FINISH: 22:22:20.43 =============== Attached File  Attach.txt   13.39KB   473 downloads

#6 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 03 November 2009 - 12:21 AM

Hi,

As you're using Stopzilla, here is an interesting reading -> http://www.mywot.com...d/stopzilla.com
You can decide for yourself if you still wish to use it.

--Next--

Download and run Win32kDiag:
--Next--

Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#7 sdmoore68

sdmoore68

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 04 November 2009 - 01:07 AM

I uninstalled StopZilla! prior to starting this thread. So I guess whatever is left is what is in the list. Win32kDiag did not return much in the text as shown below: ============ Wind32Diag.txt ============== Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt WARNING: Could not get backup privileges! Searching 'C:\WINDOWS'... Finished! ======================================= Attached File  Gmer.txt   4.04KB   229 downloads

#8 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 04 November 2009 - 10:58 PM

Hi,

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post back the log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.

--Next--

Please do a scan with Kaspersky Online Scanner or from Here.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.
--Next--

Please run another DDS scan for me please.

Logs to post in your next reply:
1. Malwarebytes log.
2. Kaspersky log.
3. DDS logs.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#9 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 06 November 2009 - 11:25 PM

Hi, It's been a few days, do you still need help on this?

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#10 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 09 November 2009 - 03:55 AM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users