browser interference..

Re: browser interference..

Unread postby Bio-Hazard » April 14th, 2009, 4:54 am

Hello!

It didn't work, let's try this instead.


OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below.
Code:
:processes
explorer.exe
:services
SoftwareDistributionDrv32
SoftwareDistribution32
:reg
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]
:files
c:\program files\Smart Protector
c:\windows\system32\mlfcache.dat
C:\hpfr3420.xml
C:\hpfr3425.log
C:\WINDOWS\Fonts\mmc.exe
C:\WINDOWS\Fonts\FontsInst.vbs
c:\windows\system32\exitwx.exe
c:\windows\system32\ezsidmv.dat
c:\program files\Common Files\err.log
C:\WINDOWS\system32\drivers\SoftwareDistributionDrv32.sys
C:\Documents and Settings\computer\Cookies\computer@doubleclick[1].txt
C:\Documents and Settings\computer\Cookies\computer@atdmt[1].txt
C:\Documents and Settings\computer\Cookies\computer@ad.yieldmanager[1].txt
:commands
[EmptyTemp]
[start explorer]

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3



Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the Perform Full Scan option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say The scan completed successfully. Click 'Show Results' to display all objects found.
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Malwarebytes Antimalware Log
  • OTMoveIt log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Unread postby maggieD » April 14th, 2009, 5:41 am

here is one lot of results..sorry posting them separate as the comp reboots..
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========

Service\Driver SoftwareDistributionDrv32 deleted successfully.

Service\Driver SoftwareDistribution32 deleted successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32\\ deleted successfully.
========== FILES ==========
c:\program files\Smart Protector moved successfully.
c:\windows\system32\mlfcache.dat moved successfully.
C:\hpfr3420.xml moved successfully.
C:\hpfr3425.log moved successfully.
C:\WINDOWS\Fonts\mmc.exe moved successfully.
C:\WINDOWS\Fonts\FontsInst.vbs moved successfully.
c:\windows\system32\exitwx.exe moved successfully.
c:\windows\system32\ezsidmv.dat moved successfully.
c:\program files\Common Files\err.log moved successfully.
File/Folder C:\WINDOWS\system32\drivers\SoftwareDistributionDrv32.sys not found.
C:\Documents and Settings\computer\Cookies\computer@doubleclick[1].txt moved successfully.
File/Folder C:\Documents and Settings\computer\Cookies\computer@atdmt[1].txt not found.
File/Folder C:\Documents and Settings\computer\Cookies\computer@ad.yieldmanager[1].txt not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\computer\LOCALS~1\Temp\etilqs_KiY8HmapXzPvxhUza2po scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\computer\LOCALS~1\Temp\Perflib_Perfdata_884.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\computer\LOCALS~1\Temp\Perflib_Perfdata_d3c.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\computer\LOCALS~1\Temp\~DF2305.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\computer\LOCALS~1\Temp\~DF70C2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\computer\LOCALS~1\Temp\~DF70D4.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\computer\LOCALS~1\Temp\~DF8FB2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\computer\LOCALS~1\Temp\~DF8FC4.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\ABsok%2FB%3DGut6AESO5.M-%2FJ%3D1239697754448771%2FK%3Dc4QvKHiyXBns1cpIFTKz_A%2FA%3D5405000%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\B3359091[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\fc[10].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\iframe3[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\_;ord=1239698448721681[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RBPG45DQ\01[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RBPG45DQ\ADSAdClient31[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RBPG45DQ\PreLogin[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RBPG45DQ\st[1] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\md[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\st[1] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\st[2] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\st[4] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\welcome[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\AccountLogin[2].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\client_ad[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\st[1] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\st[2] scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\viewtopic[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\_;ord=1239698456600663[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\_;ord=1239699782765770[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\_;ord=1239699788599559[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04142009_191513

Files moved on Reboot...
File C:\DOCUME~1\computer\LOCALS~1\Temp\etilqs_KiY8HmapXzPvxhUza2po not found!
File C:\DOCUME~1\computer\LOCALS~1\Temp\Perflib_Perfdata_884.dat not found!
File C:\DOCUME~1\computer\LOCALS~1\Temp\Perflib_Perfdata_d3c.dat not found!
File C:\DOCUME~1\computer\LOCALS~1\Temp\~DF2305.tmp not found!
File C:\DOCUME~1\computer\LOCALS~1\Temp\~DF70C2.tmp not found!
File C:\DOCUME~1\computer\LOCALS~1\Temp\~DF70D4.tmp not found!
File C:\DOCUME~1\computer\LOCALS~1\Temp\~DF8FB2.tmp not found!
File C:\DOCUME~1\computer\LOCALS~1\Temp\~DF8FC4.tmp not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\ABsok%2FB%3DGut6AESO5.M-%2FJ%3D1239697754448771%2FK%3Dc4QvKHiyXBns1cpIFTKz_A%2FA%3D5405000%2FR%3D0%2F%2A%24,http%3A%2F%2Finsider.msg.yahoo.com%2Fclient_ad[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\B3359091[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\fc[10].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\iframe3[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RUE2JRRJ\_;ord=1239698448721681[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RBPG45DQ\01[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RBPG45DQ\ADSAdClient31[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RBPG45DQ\PreLogin[2].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\RBPG45DQ\st[1] not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\md[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\st[1] not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\st[2] not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\st[4] not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\88DUZPX2\welcome[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\AccountLogin[2].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\client_ad[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\st[1] not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\st[2] not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\viewtopic[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\_;ord=1239698456600663[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\_;ord=1239699782765770[1].htm not found!
File C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\7FXMI50G\_;ord=1239699788599559[1].htm not found!
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\computer\Local Settings\Application Data\Mozilla\Firefox\Profiles\2z2bhdzn.default\XUL.mfl moved successfully.



sending the next lot ..
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm

Re: browser interference..

Unread postby maggieD » April 14th, 2009, 7:06 am

here is the rest of the logs..the computer is much faster..goes straight to the browser ..I think it's fixed..I'll let you decide if it is or not..

Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 3

4/14/2009 8:46:15 PM
mbam-log-2009-04-14 (20-46-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164419
Time elapsed: 38 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{70004d5d-3bf6-4d51-43b2-02fc0002cdb5} (Rogue.Errorsafe) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{d70e28a7-aa79-4d62-a59f-87024840bb62} (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d5dd829-6c90-42c5-b54c-2afa82f988ba} (Rogue.Installer) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> No action taken.
HKEY_CLASSES_ROOT\sysvol32.Video (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\AppID\sysvol32.dll (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Absolute Poker\aphh.exe (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{E3526DD8-14EF-42F9-9AC3-CCE322112491}\RP256\A0025458.rbf (Rogue.SpyCleaner) -> No action taken.
C:\System Volume Information\_restore{E3526DD8-14EF-42F9-9AC3-CCE322112491}\RP256\A0025447.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{E3526DD8-14EF-42F9-9AC3-CCE322112491}\RP262\A0026995.dll (Rogue.SpyCleaner) -> No action taken.
C:\Documents and Settings\computer\Desktop\Unused Desktop Shortcuts\setupxv.exe (Rogue.Installer) -> No action taken.
C:\WINDOWS\Explorer.dmp (Heuristics.Reserved.Word.Exploit) -> No action taken.
......................................................

next one

Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 3

4/14/2009 8:51:38 PM
mbam-log-2009-04-14 (20-51-38).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164419
Time elapsed: 38 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70004d5d-3bf6-4d51-43b2-02fc0002cdb5} (Rogue.Errorsafe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d70e28a7-aa79-4d62-a59f-87024840bb62} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d5dd829-6c90-42c5-b54c-2afa82f988ba} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sysvol32.Video (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\sysvol32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Absolute Poker\aphh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E3526DD8-14EF-42F9-9AC3-CCE322112491}\RP256\A0025458.rbf (Rogue.SpyCleaner) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E3526DD8-14EF-42F9-9AC3-CCE322112491}\RP256\A0025447.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E3526DD8-14EF-42F9-9AC3-CCE322112491}\RP262\A0026995.dll (Rogue.SpyCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\computer\Desktop\Unused Desktop Shortcuts\setupxv.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorer.dmp (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
.....................................................

next one

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:00 PM, on 4/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Quick Macros 2\qmserv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Trend Micro Toolbar BHO - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
O9 - Extra button: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra 'Tools' menuitem: Titan Poker - {49783ED4-258D-4f9f-BE11-137C18D3E543} - C:\Poker\Titan Poker\casino.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Extreme Eraser - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Extreme Eraser - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Quick Macros (quickmacros2) - Unknown owner - C:\Program Files\Quick Macros 2\qmserv.exe
O23 - Service: Security Activity Dashboard Service - Trend Micro Inc. - C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5849 bytes
..........................

let me know if it's ok now.. and thanks for being so patient ..and you made it so easy to understand..
maggieD
Active Member
 
Posts: 11
Joined: March 9th, 2009, 10:54 pm
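An added example, not from the thread and not Malwarebytes' own code: a small Python parser for the Malwarebytes 1.x log layout posted above. It cross-checks the header totals against the listed items and separates what was quarantined from what was left at "No action taken" (a log saved before Remove Selected was clicked) or pending a reboot, and it pulls out the Disabled.SecurityCenter data items, which show that Security Center notifications had been switched off. The log text inside the block is constructed sample data in the same layout, not copied from the poster's machine.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Malwarebytes 1.x logs posted in the
# thread; the GUIDs, paths and names are made up, not taken from a real system.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1981
Windows 5.1.2600 Service Pack 3

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\sample.dll (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Program Files\Sample\sample.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Explorer.dmp (Heuristics.Reserved.Word.Exploit) -> Delete on reboot.
"""

# "Registry Keys Infected: 2"  -> declared total for that section
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"    -> start of the detail section
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> [Bad: (1) Good: (0) -> ]<action>."
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \(\d+\) Good: \(\d+\) -> )?"
    r"(?P<action>[^.]+)\.?$"
)

RESOLVED = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return (declared_counts, findings).

    declared_counts maps a section name to the total printed in the header;
    findings is a list of dicts with section, item, family and action.
    """
    counts, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            findings.append({
                "section": section,
                "item": m["item"],
                "family": m["family"],
                "action": m["action"].strip(),
            })
    return counts, findings


def declared_counts_match(counts, findings):
    """True when every header total equals the number of items parsed for that section."""
    actual = Counter(f["section"] for f in findings)
    return all(actual.get(sec, 0) == n for sec, n in counts.items())


def unresolved(findings):
    """Items MBAM has not yet quarantined: 'No action taken' or pending reboot."""
    return [f for f in findings if f["action"] != RESOLVED]


def security_center_tampering(findings):
    """Registry data items showing Security Center notifications were disabled."""
    return [f["item"] for f in findings if f["family"] == "Disabled.SecurityCenter"]


def action_summary(findings):
    """Count of findings per action string, e.g. {'No action taken': 2, ...}."""
    return dict(Counter(f["action"] for f in findings))


if __name__ == "__main__":
    declared, items = parse_mbam_log(SAMPLE_LOG)
    print("header totals consistent:", declared_counts_match(declared, items))
    print("actions:", action_summary(items))
    for f in unresolved(items):
        print("still present:", f["item"], "->", f["action"])
    for key in security_center_tampering(items):
        print("Security Center notification disabled at:", key)
```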

Re: browser interference..

Unread postby Bio-Hazard » April 14th, 2009, 2:59 pm

Hello!

let me know if it's ok now.. and thanks for being so patient ..and you made it so easy to understand..


We have a few more things to do. I need to check that I got it all. You are doing a great job.


Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.


Using Gmer

Please download Gmer by Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.


random's system information tool (RSIT)

  • Go to your C drive and delete this folder C:/rsit - you need to do this step before running RSIT.exe
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt (<<will be maximized)
    • info.txt (<<will be minimized)
  • Post both of these logs in your next reply (Sometimes you have to make several posts to get the logs posted.)


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • GMER log
  • RSIT logs, info.txt and log.txt
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: browser interference..

Unread postby Elrond » April 19th, 2009, 12:23 pm

Due to lack of activity this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem