
[Resolved] Google Redirect/Invalid Security Certificate


This topic is locked
39 replies to this topic

#1 mekap04 (Authentic Member, 53 posts)

Posted 21 November 2009 - 03:04 AM

I just found out today that my sis visited a site and now I have some spyware. I removed the spyware using Malwarebytes. But when I visit google.com, it redirects me to google.de, and then when I try to log in it says something about an invalid security certificate, and then 5 minutes ago while online another virus pop-up popped up and I exited the browser. I've scanned with Avira antivirus, Malwarebytes, SUPERAntiSpyware, and it still can't find it. Can anyone help me? I've checked date and time and they are correct, cleared cookies, and I even downloaded Spybot but it won't run for some reason, just like my antivirus did a while ago until I ran Malwarebytes and got some of the malware off my computer.

Here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:52 AM, on 11/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 88.198.198.202 google.ae
O1 - Hosts: 88.198.198.202 google.as
O1 - Hosts: 88.198.198.202 google.at
O1 - Hosts: 88.198.198.202 google.az
O1 - Hosts: 88.198.198.202 google.ba
O1 - Hosts: 88.198.198.202 google.be
O1 - Hosts: 88.198.198.202 google.bg
O1 - Hosts: 88.198.198.202 google.bs
O1 - Hosts: 88.198.198.202 google.ca
O1 - Hosts: 88.198.198.202 google.cd
O1 - Hosts: 88.198.198.202 google.com.gh
O1 - Hosts: 88.198.198.202 google.com.hk
O1 - Hosts: 88.198.198.202 google.com.jm
O1 - Hosts: 88.198.198.202 google.com.mx
O1 - Hosts: 88.198.198.202 google.com.my
O1 - Hosts: 88.198.198.202 google.com.na
O1 - Hosts: 88.198.198.202 google.com.nf
O1 - Hosts: 88.198.198.202 google.com.ng
O1 - Hosts: 88.198.198.202 google.ch
O1 - Hosts: 88.198.198.202 google.com.np
O1 - Hosts: 88.198.198.202 google.com.pr
O1 - Hosts: 88.198.198.202 google.com.qa
O1 - Hosts: 88.198.198.202 google.com.sg
O1 - Hosts: 88.198.198.202 google.com.tj
O1 - Hosts: 88.198.198.202 google.com.tw
O1 - Hosts: 88.198.198.202 google.dj
O1 - Hosts: 88.198.198.202 google.de
O1 - Hosts: 88.198.198.202 google.dk
O1 - Hosts: 88.198.198.202 google.dm
O1 - Hosts: 88.198.198.202 google.ee
O1 - Hosts: 88.198.198.202 google.fi
O1 - Hosts: 88.198.198.202 google.fm
O1 - Hosts: 88.198.198.202 google.fr
O1 - Hosts: 88.198.198.202 google.ge
O1 - Hosts: 88.198.198.202 google.gg
O1 - Hosts: 88.198.198.202 google.gm
O1 - Hosts: 88.198.198.202 google.gr
O1 - Hosts: 88.198.198.202 google.ht
O1 - Hosts: 88.198.198.202 google.ie
O1 - Hosts: 88.198.198.202 google.im
O1 - Hosts: 88.198.198.202 google.in
O1 - Hosts: 88.198.198.202 google.it
O1 - Hosts: 88.198.198.202 google.ki
O1 - Hosts: 88.198.198.202 google.la
O1 - Hosts: 88.198.198.202 google.li
O1 - Hosts: 88.198.198.202 google.lv
O1 - Hosts: 88.198.198.202 google.ma
O1 - Hosts: 88.198.198.202 google.ms
O1 - Hosts: 88.198.198.202 google.mu
O1 - Hosts: 88.198.198.202 google.mw
O1 - Hosts: 88.198.198.202 google.nl
O1 - Hosts: 88.198.198.202 google.no
O1 - Hosts: 88.198.198.202 google.nr
O1 - Hosts: 88.198.198.202 google.nu
O1 - Hosts: 88.198.198.202 google.pl
O1 - Hosts: 88.198.198.202 google.pn
O1 - Hosts: 88.198.198.202 google.pt
O1 - Hosts: 88.198.198.202 google.ro
O1 - Hosts: 88.198.198.202 google.ru
O1 - Hosts: 88.198.198.202 google.rw
O1 - Hosts: 88.198.198.202 google.sc
O1 - Hosts: 88.198.198.202 google.se
O1 - Hosts: 88.198.198.202 google.sh
O1 - Hosts: 88.198.198.202 google.si
O1 - Hosts: 88.198.198.202 google.sm
O1 - Hosts: 88.198.198.202 google.sn
O1 - Hosts: 88.198.198.202 google.st
O1 - Hosts: 88.198.198.202 google.tl
O1 - Hosts: 88.198.198.202 google.tm
O1 - Hosts: 88.198.198.202 google.tt
O1 - Hosts: 88.198.198.202 google.us
O1 - Hosts: 88.198.198.202 google.vu
O1 - Hosts: 88.198.198.202 google.ws
O1 - Hosts: 88.198.198.202 google.co.ck
O1 - Hosts: 88.198.198.202 google.co.id
O1 - Hosts: 88.198.198.202 google.co.il
O1 - Hosts: 88.198.198.202 google.co.in
O1 - Hosts: 88.198.198.202 google.co.jp
O1 - Hosts: 88.198.198.202 google.co.kr
O1 - Hosts: 88.198.198.202 google.co.ls
O1 - Hosts: 88.198.198.202 google.co.ma
O1 - Hosts: 88.198.198.202 google.co.nz
O1 - Hosts: 88.198.198.202 google.co.tz
O1 - Hosts: 88.198.198.202 google.co.ug
O1 - Hosts: 88.198.198.202 google.co.uk
O1 - Hosts: 88.198.198.202 google.co.za
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 11566 bytes



#2 Raktor (Teacher Emeritus, 3,114 posts)

Posted 21 November 2009 - 06:09 AM

Hi, welcome to the WTT Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:

  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.

1) Disable Spybot S&D's Teatimer
  • If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol)
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy
  • Click on Mode > Advanced Mode. When it prompts you, click Yes
  • On the left hand side, click on Tools
  • Check this box if it is not yet ticked: Resident
  • You will notice that Resident is now added under Tools. Click on Resident
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active
  • Exit Spybot Search & Destroy
  • Restart your computer for the changes to take effect
Leave TeaTimer disabled until we're done here.

2) HostsXpert
Please download HostsXpert
  • Unzip HostsXpert to its own folder in a convenient place, such as C:\HostsXpert
  • Run HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Restore MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.

3) DDS
Please download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

4) RootRepeal
Please download RootRepeal.zip.
Save it to your Desktop. Alternate download links here or here.
Please print these instructions, you will not have an Internet connection!
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  • Right click on RootRepeal.zip and select "Extract All"....
  • Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  • Click on the Browse... button, then click on Desktop, then click OK.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Before running RootRepeal:
    • Disconnect from the Internet as your system will be unprotected while using this tool.
      Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it.
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan dialog, which asks What do you want to include in the scan?, check ALL the boxes.
  • Click OK.
  • In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
    The scan can take some time to finish. Do not use the computer while the scan is running.
    When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as "rootrepeal.txt" to your desktop.
  • Close and exit RootRepeal
  • Double-click on the file rootrepeal.txt... Notepad will open... copy/paste the file contents in your next reply.

Make sure to enable your anti-virus, Firewall and any other security programs you disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

5) What You Will Need To Post:
  • DDS logs
  • RootRepeal log

Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 mekap04 (Authentic Member, 53 posts)

Posted 21 November 2009 - 02:24 PM

DDS (Ver_09-10-26.01) - NTFSx86
Run by user at 14:59:38.87 on Sat 11/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.138 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\qd1bjozu.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - prefs.js: browser.startup.homepage - yahoo.com
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-21 108289]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero 7\incd\nbhregincdsrv.exe --> c:\program files\nero\nero 7\incd\NBHRegInCDSrv.exe [?]

=============== Created Last 30 ================

2009-11-21 08:47:44    0    d-----w-    c:\program files\Trend Micro
2009-11-21 08:28:28    0    d-----w-    c:\program files\Spybot - Search & Destroy
2009-11-21 08:28:28    0    d-----w-    c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-21 06:03:32    0    d-----w-    c:\windows\pss
2009-11-21 05:27:19    0    d-----w-    c:\program files\Avira
2009-11-21 05:27:19    0    d-----w-    c:\docume~1\alluse~1\applic~1\Avira
2009-11-21 02:43:12    0    d-sh--w-    c:\docume~1\alluse~1\applic~1\c130fcf
2009-11-16 01:26:10    0    d-----w-    c:\program files\Market Samurai
2009-11-12 02:18:57    0    d-----w-    c:\program files\Citrix
2009-11-12 02:18:36    70984    ----a-w-    c:\documents and settings\user\g2mdlhlpx.exe
2009-11-11 03:11:14    0    d-----w-    C:\368c71f81ad8f6e6975a4ba7cce37c
2009-11-04 08:06:14    0    d-----w-    c:\docume~1\user\applic~1\KompoZer
2009-11-04 07:58:46    0    d-----w-    c:\docume~1\user\applic~1\kompozer.net
2009-11-04 03:32:46    0    d-----w-    c:\docume~1\user\applic~1\OpenOffice.org
2009-11-04 03:29:09    0    d-----w-    c:\program files\JRE
2009-11-04 03:27:46    0    d-----w-    c:\program files\OpenOffice.org 3
2009-11-04 03:27:04    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-10-26 12:48:27    0    d-----w-    c:\docume~1\user\applic~1\Gamelab
2009-10-23 21:37:00    0    d-----w-    c:\program files\Windows Media Connect 2
2009-10-23 21:34:59    0    d-----w-    c:\windows\system32\LogFiles
2009-10-23 13:56:07    0    d-----w-    c:\docume~1\user\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

==================== Find3M ====================

2009-09-18 03:03:14    50596    ---ha-w-    c:\windows\system32\mlfcache.dat
2009-09-11 14:18:39    136192    ----a-w-    c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36    58880    ----a-w-    c:\windows\system32\msasn1.dll
2009-09-02 02:49:25    21640    ----a-w-    c:\windows\system32\emptyregdb.dat
2009-08-29 07:36:27    832512    ----a-w-    c:\windows\system32\wininet.dll
2009-08-29 07:36:24    78336    ------w-    c:\windows\system32\ieencode.dll
2009-08-29 07:36:24    17408    ----a-w-    c:\windows\system32\corpol.dll
2009-08-26 08:00:21    247326    ----a-w-    c:\windows\system32\strmdll.dll

============= FINISH: 15:00:06.26 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/21 15:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF57F8000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79BF000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3282000    Size: 49152    File Visible: No    Signed: -
Status: -

SSDT
-------------------
#: 041    Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7b6d5c6

#: 053    Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7b6d5bc

#: 063    Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7b6d5cb

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7b6d5d5

#: 098    Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7b6d5da

#: 122    Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7b6d5a8

#: 128    Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7b6d5ad

#: 193    Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7b6d5e4

#: 204    Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7b6d5df

#: 247    Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7b6d5d0

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf59be0b0

==EOF==

I couldn't complete step 2. It says your hosts file is marked as a system file and cannot be manipulated. I pressed OK but was unable to click the Make Writable button, Restore MVPs Hosts, etc.

#4 Raktor (Teacher Emeritus, 3,114 posts)

Posted 21 November 2009 - 07:13 PM

1) Batch Fix
Launch Notepad, and copy/paste everything in the codebox below into the new document. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as runme.bat.

@echo off
attrib -r -h -s "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"
del /q /f "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"
echo 127.0.0.1 localhost > "C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS"
del %0

Double click on runme.bat

Then run a new HJT scan for me, and post the log.
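Added example (not from this thread, HijackThis, HostsXpert or DDS): a small Python triage script for the two hosts-file passages above, the O1 entries in the first HijackThis log and the batch fix that resets the file. It reads either raw Windows hosts lines or HJT "O1 - Hosts:" lines and flags the pattern the fix removes: many hostnames fanned into one non-loopback address, plus any pinning of safe-browsing or update hostnames, which is what hides a rogue AV from the real security tools. The sample lines (a handful of entries in the shape of the log) and the PROTECTED_SUFFIXES list are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

LOOPBACK = {"127.0.0.1", "::1"}

# Hostnames a legitimate hosts file has no reason to pin. Pointing these at
# loopback or at a foreign address silently breaks safe-browsing lookups and
# AV/OS update checks. The list is an assumption for this example.
PROTECTED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com",
                      "avira.com", "malwarebytes.org")
# Google's country domains (google.de, google.co.uk, google.com.mx, ...)
GOOGLE_CCTLD = re.compile(r"^(?:www\.)?google\.(?:com\.|co\.)?[a-z]{2,3}$")
# HijackThis prefixes each hosts entry it reports with "O1 - Hosts: ".
O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")


def parse_hosts_lines(lines):
    """Yield (ip, hostname) from raw hosts lines or HJT 'O1 - Hosts:' lines."""
    for raw in lines:
        line = O1_PREFIX.sub("", raw.strip())
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue   # first field is not an address: malformed, skip
        for host in fields[1:]:
            yield ip, host.lower()


def is_protected(host):
    """True for hostnames that should never appear in a home hosts file."""
    if GOOGLE_CCTLD.match(host):
        return True
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def triage(lines, fanin_threshold=3):
    """Classify hosts entries; returns a sorted list of (reason, ip, host).

    reasons:
      redirect  - hostname mapped to a non-loopback address
      fan-in    - that address also collects >= fanin_threshold hostnames
      protected - a security/update hostname is pinned at all (any address)
    """
    by_ip = defaultdict(list)
    for ip, host in parse_hosts_lines(lines):
        by_ip[ip].append(host)

    findings = []
    for ip, hosts in by_ip.items():
        for host in hosts:
            if ip in LOOPBACK and host == "localhost":
                continue   # the only entry a clean XP hosts file needs
            if is_protected(host):
                findings.append(("protected", ip, host))
            if ip not in LOOPBACK:
                reason = "fan-in" if len(hosts) >= fanin_threshold else "redirect"
                findings.append((reason, ip, host))
    return sorted(findings)


def summarize(findings):
    """Count findings per reason, e.g. {'fan-in': 6, 'protected': 6, ...}."""
    counts = defaultdict(int)
    for reason, _, _ in findings:
        counts[reason] += 1
    return dict(counts)


# Constructed sample: a few entries in the shape of the thread's log,
# mixing raw hosts syntax and HJT O1 syntax.
SAMPLE_LINES = """
127.0.0.1 localhost
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
88.198.198.202 google.de
88.198.198.202 google.co.uk
88.198.198.202 google.fr
10.0.0.5 intranet.example   # single redirect, below the fan-in threshold
127.0.0.1 www.google.com    # loopback block of a protected host
""".strip().splitlines()

if __name__ == "__main__":
    for reason, ip, host in triage(SAMPLE_LINES):
        print(f"{reason:10} {ip:16} {host}")
    print(summarize(triage(SAMPLE_LINES)))
```

A clean result is an empty list; anything else is what the batch fix above wipes by rewriting the file to a single localhost entry.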

#5 mekap04 (Authentic Member, 53 posts)

Posted 21 November 2009 - 08:43 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:59 PM, on 11/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7109 bytes

#6 Raktor (Teacher Emeritus)

Posted 21 November 2009 - 08:45 PM

Brilliant.

Download Combofix to your desktop from any of the links below.

Link 1
Link 2


==================================

Disable all antivirus programs, then double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#7 mekap04 (Authentic Member)

Posted 21 November 2009 - 08:57 PM

ComboFix 09-11-21.01 - user 11/21/2009 21:50.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.255 [GMT -5:00]
Running from: c:\documents and settings\user\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.

2009-11-21 20:27 . 2009-11-21 20:27 -------- d-----w- C:\_OTL
2009-11-21 08:47 . 2009-11-21 08:47 -------- d-----w- c:\program files\Trend Micro
2009-11-21 08:28 . 2009-11-21 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-21 08:28 . 2009-11-21 08:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-21 05:27 . 2009-03-30 15:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-11-21 05:27 . 2009-02-13 17:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-11-21 05:27 . 2009-02-13 17:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-11-21 05:27 . 2009-11-21 05:27 -------- d-----w- c:\program files\Avira
2009-11-21 05:27 . 2009-11-21 05:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-11-16 01:26 . 2009-11-16 01:26 -------- d-----w- c:\program files\Market Samurai
2009-11-13 03:09 . 2008-04-14 12:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-11-12 02:18 . 2009-11-12 02:18 -------- d-----w- c:\program files\Citrix
2009-11-12 02:18 . 2009-11-12 02:18 70984 ----a-w- c:\documents and settings\user\g2mdlhlpx.exe
2009-11-12 02:18 . 2009-11-12 02:18 -------- d-----w- c:\windows\Sun
2009-11-11 03:11 . 2009-11-11 03:13 -------- d-----w- C:\368c71f81ad8f6e6975a4ba7cce37c
2009-11-04 08:06 . 2009-11-04 08:06 -------- d-----w- c:\documents and settings\user\Application Data\KompoZer
2009-11-04 07:58 . 2009-11-04 07:58 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\kompozer.net
2009-11-04 07:58 . 2009-11-04 07:58 -------- d-----w- c:\documents and settings\user\Application Data\kompozer.net
2009-11-04 03:33 . 2009-11-10 00:47 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-04 03:32 . 2009-11-04 03:32 -------- d-----w- c:\documents and settings\user\Application Data\OpenOffice.org
2009-11-04 03:29 . 2009-11-04 03:29 -------- d-----w- c:\program files\JRE
2009-11-04 03:27 . 2009-11-04 03:29 -------- d-----w- c:\program files\OpenOffice.org 3
2009-11-04 03:27 . 2009-11-04 03:26 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-26 12:48 . 2009-10-26 12:48 -------- d-----w- c:\documents and settings\user\Application Data\Gamelab
2009-10-26 12:48 . 2009-10-27 04:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-23 21:37 . 2009-10-23 21:37 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-23 21:34 . 2009-10-23 21:35 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-10-23 21:34 . 2009-10-23 21:34 -------- d-----w- c:\windows\system32\LogFiles
2009-10-23 13:56 . 2009-10-23 13:56 -------- d-----w- c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-18 08:27 . 2009-09-02 15:50 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-18 08:25 . 2009-09-02 15:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-04 08:41 . 2009-09-02 03:19 68544 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-26 02:08 . 2009-09-03 00:01 -------- d-----w- c:\program files\Power Article Rewriter
2009-10-15 04:29 . 2009-09-02 16:04 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-12 12:20 . 2009-09-02 15:54 -------- d-----w- c:\program files\Siber Systems
2009-10-12 05:46 . 2009-10-04 00:34 -------- d-----w- c:\documents and settings\user\Application Data\GoodSync
2009-09-26 11:59 . 2009-09-19 05:29 -------- d-----w- c:\program files\SENuke
2009-09-24 02:49 . 2009-09-24 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-24 02:47 . 2009-09-24 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-24 02:47 . 2009-09-24 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-09-18 03:03 . 2009-09-18 03:03 50596 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-17 23:25 . 2009-09-17 23:25 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-11 14:18 . 2001-08-23 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 22:54 . 2009-09-10 22:54 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-10 22:54 . 2009-09-02 16:04 38208 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-10 18:54 . 2009-09-02 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-09-02 15:42 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 16:02 . 2009-09-02 16:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-09-02 15:47 . 2009-09-02 15:47 0 ----a-w- c:\windows\nsreg.dat
2009-09-02 13:59 . 2009-09-02 02:51 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-09-02 02:49 . 2009-09-02 02:49 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-29 07:36 . 2001-08-23 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-09-02 03:12 78336 ------w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2001-08-23 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2001-08-23 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-18 2001648]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-09-26 160592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-02-23 3026944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-02-23 753664]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-26 09:16 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\user\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 6:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 6:06 PM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/21/2009 12:27 AM 108289]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 6:06 PM 7408]
S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe --> c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\qd1bjozu.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-21 21:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2572)
c:\windows\system32\WININET.dll
c:\windows\system32\nView.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-21 21:56
ComboFix-quarantined-files.txt 2009-11-22 02:56
ComboFix2.txt 2009-11-21 22:58
ComboFix3.txt 2009-11-21 21:59

Pre-Run: 67,515,445,248 bytes free
Post-Run: 67,483,205,632 bytes free

- - End Of File - - 89C739124CAE7DC14E3656D7D26A9F57

#8 Raktor (Teacher Emeritus)

Posted 23 November 2009 - 12:39 AM

1) MBAM
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

2) ESET
You can use either Internet Explorer or Mozilla Firefox for this scan.

  • Please go here then click on: Posted Image

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

3) What You Will Need To Post:
  • MBAM log
  • ESET log
  • Contents of C:\Qoobox\Add-Remove Programs.txt


#9 mekap04 (Authentic Member)

Posted 23 November 2009 - 02:11 PM

Malwarebytes' Anti-Malware 1.41
Database version: 3217
Windows 5.1.2600 Service Pack 3

11/23/2009 1:55:45 AM
mbam-log-2009-11-23 (01-55-45).txt

Scan type: Quick Scan
Objects scanned: 98609
Time elapsed: 11 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The online scanner kept stalling for me.

#10 Raktor (Teacher Emeritus)

Posted 23 November 2009 - 05:38 PM

Try this one then.

Please do a scan with the Kaspersky Online Scanner

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a long time, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report

To obtain the report:
  • Click on Save Report As
  • In the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar
  • In Save as type, click the drop arrow and select Text file [*.txt]
  • Click Save

(Note for Internet Explorer users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)


#11 mekap04 (Authentic Member)

Posted 24 November 2009 - 09:53 PM

Thanks for replying to my other thread. Here are the results from the online scan.


#12 Raktor (Teacher Emeritus)

Posted 24 November 2009 - 09:56 PM

Download MGADiag to your desktop.
  • Double-click on MGADiag.exe to launch the program.
  • Click Continue.
  • Ensure that the Windows tab is selected (it should be by default).
  • Click the Copy button to copy the MGA Diagnostic Report to the Windows clipboard.
  • Paste the MGA Diagnostic Report back here in your next reply.


#13 mekap04 (Authentic Member)

Posted 24 November 2009 - 09:58 PM

Diagnostic Report (1.9.0011.0):
-----------------------------------------
WGA Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Cached Validation Code: N/A
Windows Product Key: *****-*****-MGCP8-BG48K-WPWBY
Windows Product Key Hash: lzoyK6Iuz4Ct+ODMrG0zetoK65k=
Windows Product ID: 55274-640-2669525-23251
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {F69A077E-F1EB-4C60-8E15-931AE12C80FE}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: 8
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office Professional Edition 2003 - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details:
<GenuineResults><MachineData><UGUID>{F69A077E-F1EB-4C60-8E15-931AE12C80FE}</UGUID><Version>1.9.0011.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-WPWBY</PKey><PID>55274-640-2669525-23251</PID><PIDType>1</PIDType><SID>S-1-5-21-515967899-616249376-725345543</SID><SYSTEM><Manufacturer>Compaq Presario 061</Manufacturer><Model>DK301A-ABA S4500NX NA210</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>3.17 </Version><SMBIOSVersion major="2" minor="3"/><Date>20040224000000.000000+000</Date></BIOS><HWID>4D0837570184A05F</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>114</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>59D1605114E3500</Val><Hash>vfZmaSmFPIYrLWTcZSZErUQg+Fo=</Hash><Pid>73931-640-0000106-57156</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="114"/><App Id="16" Version="11" Result="114"/><App Id="18" Version="11" Result="114"/><App Id="19" Version="11" Result="114"/><App Id="1A" Version="11" Result="114"/><App Id="1B" Version="11" Result="114"/><App Id="44" Version="11" Result="114"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 104EA:Compaq Computer Corporation|1A789:Hewlett-Packard Company
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

#14 Raktor (Teacher Emeritus)

Posted 24 November 2009 - 11:15 PM

http://social.micros...d9-d35e898ab7d9

You've already posted at the link above. If you are going to format, there is not much point in continuing this malware removal. Formatting seems like the best way to resolve your license key issue. :)

Let me know what you've decided to do.

#15 mekap04 (Authentic Member)

Posted 24 November 2009 - 11:28 PM

What is format? I'm just trying to see if the virus is what caused it, because that's what I think it is. I don't want to format or buy a new licence, so I was trying to go through all my options, with getting a genuine copy of Windows XP as my last option. I really don't know what they mean in their reply to that post, so I'm a little lost on what to do. What would you recommend?
