Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Please help with malware!

Post by ej1948 » April 25th, 2009, 10:53 pm

Can anyone help me identify the malware that has slowed my computer to a crawl and redirects to weird pages any time I search the internet? So far I've run MalwareBytes and Vipre. MalwareBytes did not pick up anything; Vipre identified several problems and I had them quarantined but I still have the problem. I've just run Hijack This and here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:07 PM, on 4/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\1124679661\ee\AOLSoftware.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Common Framework\UdaterUI.exe
C:\Common Framework\McTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\mcafee\SHSTAT.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Common Framework\FrameworkService.exe
C:\mcafee\mcshield.exe
C:\mcafee\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\mcafee\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124679661\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCMM2007RT] "C:\Program Files\PC MightyMax 2007\pcmm2007.exe" /R
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\mcafee\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [powerdll] AppMasterCenter.exe
O4 - HKCU\..\Run: [ATLIEHELPER] cmon14.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYUS
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F84C6EDD-ABEC-4007-91FE-D1F2F87F8136}: NameServer = 4.2.2.2,4.2.2.3
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\mcafee\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\mcafee\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O24 - Desktop Component 0: (no name) - about:home

--
End of file - 7313 bytes
ej1948
Regular Member
 
Posts: 50
Joined: April 25th, 2009, 10:45 pm
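An added example, written here for readers learning to read logs like the one above; it is not code from this thread, from the poster, or from the HijackThis project. It runs a small defender-side triage over O4 (autostart) and O18 (MIME filter) lines in the HijackThis 2.0.2 format and flags the two patterns a helper would look at first in this log: Run values whose command is a bare file name with no directory (the loader resolves those through the search path, so the log alone does not show which file actually runs), and a filter hijack registered with no backing file. The sample lines are copied from the log above; the regular expressions, the `Finding` class and the function names are this example's own. Bare names are review candidates, not verdicts: `nwiz.exe` is flagged by the same rule as `AppMasterCenter.exe` and `cmon14.exe`, and the ComboFix output later in the thread resolves it to a legitimate `c:\windows\system32\nwiz.exe`, so each hit still has to be checked on disk.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O4 and O18 lines in HijackThis 2.0.2 format,
# taken from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [powerdll] AppMasterCenter.exe
O4 - HKCU\..\Run: [ATLIEHELPER] cmon14.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O18 - Filter hijack: text/html - (no CLSID) - (no file)
"""

# Line shapes as HijackThis 2.0.2 prints them (patterns are this example's own).
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O18_RE = re.compile(r"^O18 - Filter hijack: (?P<mime>\S+) - (?P<clsid>.+?) - (?P<file>.+)$")


@dataclass
class Finding:
    section: str   # "O4" or "O18"
    name: str      # Run value name, or MIME type for O18
    target: str    # executable (O4) or file field (O18)
    reason: str


def executable_of(cmd):
    """Return the program part of a Run-value command line.

    Quoted commands ("C:\\dir with spaces\\x.exe" -flag) keep the whole quoted
    path; unquoted ones take the first whitespace-separated token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return the list of O4/O18 entries that need a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            # No directory component: Windows finds the file via the search
            # path, so we cannot tell from the log which binary will run.
            if "\\" not in exe:
                findings.append(Finding("O4", m.group("name"), exe,
                                        "bare executable name, resolved via search path"))
            continue
        m = O18_RE.match(line)
        if m:
            reason = ("filter registered with no backing file"
                      if m.group("file") == "(no file)"
                      else "MIME filter registration, verify CLSID and file")
            findings.append(Finding("O18", m.group("mime"), m.group("file"), reason))
    return findings


def bare_autostarts(log_text):
    """Just the executable names of O4 entries flagged as bare."""
    return [f.target for f in triage(log_text) if f.section == "O4"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<20} {f.target:<25} {f.reason}")
```

Run against the sample, the script lists `nwiz.exe`, `AppMasterCenter.exe` and `cmon14.exe` as bare autostarts and the `text/html` filter as a registration with no file. The HKLM entries that use `%systemroot%` or a full path are left alone because their target is identifiable from the log; what the script cannot judge is whether a fully qualified file is legitimate, which is why a helper asks for tool output such as ComboFix rather than deciding from the HijackThis log alone.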

Re: Please help with malware!

Post by MWR 3 day Mod » April 30th, 2009, 2:43 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Please help with malware!

Post by Katana » May 2nd, 2009, 7:19 am

Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Please help with malware!

Post by ej1948 » May 3rd, 2009, 11:13 pm

Thank you for your assistance. I am currently traveling on behalf of my organization so I do not have access to my personal computer. I will be back at home Tuesday night and will follow your instructions at that time.
ej1948
Regular Member
 
Posts: 50
Joined: April 25th, 2009, 10:45 pm

Re: Please help with malware!

Post by ej1948 » May 6th, 2009, 2:22 pm

Katana, thank you for the offer to help. When I tried to access the internet last night my computer would load Windows but stopped transmitting data at that point. I tried off and on for over 7 hours to follow up on your suggestions but I think the machine is thoroughly infected. I will check it when I get home and may have to resort to having Windows reinstalled. I will keep you posted.
ej1948
Regular Member
 
Posts: 50
Joined: April 25th, 2009, 10:45 pm

Re: Please help with malware!

Post by Katana » May 6th, 2009, 5:50 pm

Do you have a USB/Flash drive that you could use to transfer ComboFix to the infected machine?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Please help with malware!

Post by ej1948 » May 6th, 2009, 6:23 pm

Yes, I think I can copy it from my work computer and bring it home on my flash drive. I still cannot use the computer in regular mode but was able to load it in safe mode with network support. That is what I'm using now. I ran a quick scan with Vipre and also Hijack This. Is there a better place to respond to you than this forum? I am new to this site so I'm not sure of the protocol. Here is my latest log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:07:13 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\mcafee\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124679661\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCMM2007RT] "C:\Program Files\PC MightyMax 2007\pcmm2007.exe" /R
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\mcafee\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKCU\..\Run: [powerdll] AppMasterCenter.exe
O4 - HKCU\..\Run: [ATLIEHELPER] cmon14.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYUS
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F84C6EDD-ABEC-4007-91FE-D1F2F87F8136}: NameServer = 4.2.2.2,4.2.2.3
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\mcafee\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\mcafee\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O24 - Desktop Component 0: (no name) - about:home

--
End of file - 6361 bytes
ej1948
Regular Member
 
Posts: 50
Joined: April 25th, 2009, 10:45 pm

Re: Please help with malware!

Post by ej1948 » May 6th, 2009, 10:54 pm

I was able to download and run ComboFix while the computer was in safe mode. Once I completed it, the computer automatically switched to regular mode. Here is the ComboFix log, followed by the HijackThis list of programs installed:

COMBOFIX LOG

ComboFix 09-05-06.02 - Dell 05/06/2009 22:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2172 [GMT -4:00]
Running from: c:\documents and settings\Dell\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
AV: Sunbelt VIPRE *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Administrator\Application Data\Sskuknwrd.dll
c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log
c:\documents and settings\Dell\Application Data\inst.exe
c:\documents and settings\Dell\Application Data\Install.dat
c:\documents and settings\Dell\Application Data\Sskdmns.dll
c:\windows\IE4 Error Log.txt
c:\windows\patch.exe
c:\windows\system32\ad.html

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_MANAGEMENT_SERVICE


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-06 22:53 . 2009-05-06 22:55 -------- d-sh--w c:\documents and settings\Dell\Application Data\lowsec
2009-04-27 07:00 . 2009-04-27 07:00 -------- d-----w c:\program files\MSXML 4.0
2009-04-26 02:33 . 2009-04-26 02:33 -------- d-----w c:\program files\Trend Micro
2009-04-26 01:13 . 2009-03-05 03:30 69936 ----a-w c:\windows\system32\drivers\sbapifs.sys
2009-04-26 01:12 . 2008-09-12 13:38 13360 ----a-w c:\windows\system32\drivers\sbaphd.sys
2009-04-25 16:57 . 2009-04-25 16:57 -------- d-----w c:\documents and settings\All Users\Application Data\Sunbelt
2009-04-25 16:56 . 2009-04-25 16:56 -------- d-----w c:\documents and settings\Dell\Application Data\Sunbelt
2009-04-25 16:54 . 2008-10-09 14:21 202928 ----a-w c:\windows\system32\drivers\sbtis.sys
2009-04-25 16:53 . 2009-04-25 16:53 -------- d-----w c:\program files\Sunbelt Software
2009-04-25 03:18 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-25 03:18 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-25 03:18 . 2009-04-25 03:18 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-19 00:10 . 2009-04-19 00:10 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-19 00:10 . 2009-04-19 00:10 -------- d-----w c:\windows\system32\IOSUBSYS
2009-04-16 04:13 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 04:13 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 04:13 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 04:13 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 04:13 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 04:13 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 04:13 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 04:13 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 04:13 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 04:02 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 04:02 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 16:56 . 2007-06-22 02:43 -------- d-----w c:\program files\Java
2009-04-19 00:10 . 2008-06-19 03:54 -------- d-----w c:\program files\Google
2009-04-11 09:11 . 2007-06-10 23:24 -------- d-----w c:\program files\AOL 9.0
2009-03-29 05:28 . 2009-03-13 22:42 -------- d-----w c:\program files\DeductionPro 2008
2009-03-17 17:26 . 2009-03-17 17:26 65320 ----a-w c:\windows\system32\sbbd.exe
2009-03-13 22:42 . 2004-09-17 19:25 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-13 22:40 . 2009-03-13 22:37 -------- d-----w c:\program files\TaxCut08
2009-03-09 09:19 . 2008-11-23 12:19 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2002-06-25 21:44 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2002-03-05 12:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2002-06-25 21:40 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-09-17 20:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2002-06-25 21:43 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2002-06-25 21:43 387584 ----a-r c:\documents and settings\Dell\Application Data\sdra64.exe
2009-02-09 12:10 . 2002-06-25 21:36 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2002-06-25 21:50 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-07 23:02 . 2002-06-25 21:43 2066048 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:11 . 2002-06-25 21:45 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:08 . 2002-06-25 21:43 2189056 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2002-06-25 21:45 35328 ----a-w c:\windows\system32\sc.exe
2008-12-02 04:07 . 2008-12-02 03:50 27462344 ----a-w c:\program files\setupeng.exe
2008-11-30 06:06 . 2008-11-30 06:06 23804784 ----a-w c:\program files\aaw2008.exe
2008-09-18 03:01 . 2008-09-18 03:01 15327629 ----a-w c:\program files\My birthday DVD.vpc
2008-09-14 02:37 . 2008-09-14 02:37 10367496 ----a-w c:\program files\vsophotodvd_setup.exe
2008-01-20 03:48 . 2008-01-20 01:59 32213504 ----a-w c:\program files\virusscan85i_troy.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AOL Fast Start"="c:\program files\AOL 9.0\AOL.EXE" [2007-04-18 50736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"HostManager"="c:\program files\Common Files\AOL\1124679661\ee\AOLSoftware.exe" [2008-06-24 41824]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-03-29 290816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"McAfeeUpdaterUI"="c:\common framework\UdaterUI.exe" [2006-12-19 136768]
"ShStatEXE"="c:\mcafee\SHSTAT.EXE" [2007-02-23 112216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2009-03-17 955688]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-07-28 323584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124679661\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1124679661\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/25/2009 9:12 PM 13360]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [4/25/2009 12:54 PM 202928]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/25/2009 9:13 PM 69936]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [3/17/2009 1:26 PM 894248]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/22/2008 5:08 PM 92464]

--- Other Services/Drivers In Memory ---

*Deregistered* - ATWPKT2
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
HKCU-Run-powerdll - AppMasterCenter.exe
HKCU-Run-ATLIEHELPER - cmon14.exe
HKLM-Run-PCMM2007RT - c:\program files\PC MightyMax 2007\pcmm2007.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://msn.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &Search - ?p=ZUxdm265YYUS
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: colonialchem.com\colonialchem2
TCP: {F84C6EDD-ABEC-4007-91FE-D1F2F87F8136} = 4.2.2.2,4.2.2.3
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-06 22:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3552)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-07 22:35
ComboFix-quarantined-files.txt 2009-05-07 02:35

Pre-Run: 63,120,142,336 bytes free
Post-Run: 63,095,418,880 bytes free

182 --- E O F --- 2009-04-29 07:06


HIJACK THIS UNINSTALL LOG

ABBYY FineReader 5.0 Sprint Plus
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.0
AOL Explorer
AOL Instant Messenger
AOL Uninstaller (Choose which Products to Remove)
Apple Mobile Device Support
BCM V.92 56K Modem
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
DeductionPro 2007
DeductionPro 2008
Dell Photo AIO Printer 922
Dell ResourceCD
Easy CD Creator 5 Basic
FaxTools
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Adapters and Drivers
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LimeWire
LimeWire 4.18.8
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
MSN Music Assistant
MSXML 4.0 SP2 (KB954430)
NVIDIA Windows 2000/XP Display Drivers
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
PhotoDVD 2.9.6.1d
Picasa 3
QuickTime
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Serif PagePlus SE 1.0
SoundMAX
TaxCut Georgia 2007
TaxCut Georgia 2008
TaxCut Premium + State + Efile 2008
TaxCut Premium + State 2007
TechConnect
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Windows Defender
Windows Live installer
Windows Live Mail
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
ej1948
Regular Member
 
Posts: 50
Joined: April 25th, 2009, 10:45 pm

Re: Please help with malware!

Unread postby Katana » May 7th, 2009, 9:32 am

That looks better, how are things running now?



REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire
LimeWire 4.18.8


Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.



AntiVirus
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
AV: Sunbelt VIPRE *On-access scanning enabled* (Updated)

First you should know that you're actually doing more harm than good by running more than one antivirus program.
When you do this the programs compete for resources, and the end result is none does its best, and it can cause system instability.
I recommend that you choose one that you want to keep.
The other(s) I would either uninstall, or disable from startup and use as "on demand" for an occasional scan.

Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista). If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
  • Java(TM) 6 Update 2
  • Java(TM) 6 Update 3
  • Java(TM) 6 Update 5
  • Java(TM) 6 Update 7
  • Java(TM) SE Runtime Environment 6 Update 1
Now close the Control Panel.



-----------------------------------------------------------------------------------------------------------------------

If you have internet connection in normal mode, please do the following


Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Please post a fresh HJT log along with the Kaspersky log ( if you can get it )
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
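Katana's "Remove Programs" step above rests on one rule: of several side-by-side Java runtimes, only the newest update is current and every older one is an unpatched attack surface. The following is an added example, not code from the thread or from HijackThis, that applies that rule mechanically to the uninstall list ej1948 posted. The sample input is a constructed excerpt of that list; `superseded_java` and `parse_java_entries` are names chosen for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the relevant entries from the HijackThis uninstall list
# posted earlier in the thread (all other programs omitted).
SAMPLE_UNINSTALL_LIST = """\
Adobe Reader 7.1.0
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
LimeWire
LimeWire 4.18.8
Malwarebytes' Anti-Malware
"""

# Matches both naming styles Sun used for the JRE 6 family:
#   "Java(TM) 6 Update 13" and "Java(TM) SE Runtime Environment 6 Update 1"
JAVA_RE = re.compile(
    r"^Java\(TM\)\s+(?:SE Runtime Environment\s+)?(\d+)\s+Update\s+(\d+)$"
)


def parse_java_entries(text: str) -> List[Tuple[str, Tuple[int, int]]]:
    """Return (entry_name, (major, update)) for every JRE line in an uninstall list."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = JAVA_RE.match(line)
        if m:
            found.append((line, (int(m.group(1)), int(m.group(2)))))
    return found


def superseded_java(text: str) -> Dict[str, List[str]]:
    """Split JRE entries into the newest update per major version ('keep')
    and the older, superseded installs that should be uninstalled ('remove')."""
    entries = parse_java_entries(text)
    newest: Dict[int, Tuple[int, str]] = {}  # major -> (update, entry_name)
    for name, (major, update) in entries:
        if major not in newest or update > newest[major][0]:
            newest[major] = (update, name)
    keep = {name for _, name in newest.values()}
    return {
        "keep": sorted(keep),
        "remove": sorted(name for name, _ in entries if name not in keep),
    }


if __name__ == "__main__":
    verdict = superseded_java(SAMPLE_UNINSTALL_LIST)
    print("keep:  ", verdict["keep"])
    print("remove:", verdict["remove"])
```

Run against the constructed list, `remove` comes out as exactly the five entries Katana named and `keep` as "Java(TM) 6 Update 13", the only current runtime on the machine. The same pass over a full Add/Remove Programs export makes the check repeatable on other machines.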

Re: Please help with malware!

Unread postby jsmac43 » May 7th, 2009, 10:38 am

"Thank you so much for helping me". I was able to find Java in the Add/Remove program and remove it. But there is no listing for Lime Wire in the Add/Remove programs. Also I thought I had removed my previous antivirus which was Avast. I had Norton before that. I've never had McAfee in this computer.
I'm very timid about removing any antivirus software. I'm terrible with pc language and so afraid of deleting something I need currently. Can you help me get rid of all antivirus programs EXCEPT for AVG? Is Live Update [Symantec Corp] part of AVG or do I need to remove it also? Sorry I'm not better at this. Will wait to run the scan you asked for until I get these issues settled. jsmac43
jsmac43
Regular Member
 
Posts: 24
Joined: May 6th, 2009, 3:26 pm

Re: Please help with malware!

Unread postby ej1948 » May 7th, 2009, 11:08 am

jsmac, I believe you read the wrong instructions. Katana's information is for MY computer, ej1948.
ej1948
Regular Member
 
Posts: 50
Joined: April 25th, 2009, 10:45 pm

Re: Please help with malware!

Unread postby ej1948 » May 7th, 2009, 11:14 am

Katana:

Just after I posted my last log the computer stopped working again. I went back to safe mode and ran MalwareBytes but it didn't find anything. I ran Vipre and it found a low-risk Cookie and a high risk file that allowed the computer to be accessed remotely. I don't remember the name (I can look when I get home) but I had it removed, along with the Cookie.

I will print your last instructions and follow them exactly. I will post the results.

Thank you SO much for helping me.
ej1948
Regular Member
 
Posts: 50
Joined: April 25th, 2009, 10:45 pm

Re: Please help with malware!

Unread postby Katana » May 7th, 2009, 3:55 pm

@ jsmac, .... ej1948 is correct, you shouldn't follow the instructions in this thread.


@ ej1948 ... I will wait for the Kaspersky log :)
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Please help with malware!

Unread postby ej1948 » May 7th, 2009, 11:15 pm

At first I could not run the computer in normal mode so I restarted in safe mode and deleted both P2P files and I also deleted MalwareBytes. I was then able to start in normal mode and connect to the internet. I deleted the Java programs you identified and followed the remainder of your instructions exactly, to include disabling Vipre and McAfee. I have now re-enabled McAfee and left Vipre on my machine but in disabled mode. Here is the latest HJT file, followed by the Kaspersky file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:20 PM, on 5/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\AOL\1124679661\ee\AOLSoftware.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Common Framework\UdaterUI.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\mcafee\SHSTAT.EXE
C:\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Common Framework\FrameworkService.exe
C:\mcafee\mcshield.exe
C:\mcafee\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\mcafee\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124679661\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ShStatEXE] "C:\mcafee\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0\AOL.EXE" -b
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Search - ?p=ZUxdm265YYUS
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F84C6EDD-ABEC-4007-91FE-D1F2F87F8136}: NameServer = 4.2.2.2,4.2.2.3
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\mcafee\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\mcafee\vstskmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O24 - Desktop Component 0: (no name) - about:home

--
End of file - 7425 bytes



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 7, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, May 07, 2009 22:07:56
Records in database: 2142072
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 68044
Threat name: 15
Infected objects: 32
Suspicious objects: 0
Duration of the scan: 01:13:55


File name / Threat name / Threats count
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048928.EXE.bac_a03364 Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048929.dll.bac_a03364 Infected: Trojan-Spy.Win32.Small.eu 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048930.exe.bac_a03364 Infected: Trojan.Win32.Small.hf 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048931.dll.bac_a03364 Infected: Trojan-Spy.Win32.Small.eu 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048932.exe.bac_a03364 Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048933.exe.bac_a03364 Infected: not-a-virus:AdWare.Win32.NewDotNet.e 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048934.exe.bac_a03364 Infected: Trojan.Win32.Favadd.ar 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048935.exe.bac_a03364 Infected: Trojan.Win32.Small.gq 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048936.exe.bac_a03364 Infected: Trojan-Downloader.Win32.Harnig.bb 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048937.exe.bac_a03364 Infected: Trojan-Mailfinder.Win32.Mailbot.ag 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0050921.exe.bac_a03364 Infected: Trojan-Downloader.Win32.Agent.uj 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0050934.exe.bac_a03364 Infected: Trojan-Downloader.Win32.Agent.uj 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0050952.exe.bac_a03364 Infected: Trojan-Downloader.Win32.Agent.uj 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0050981.exe.bac_a03364 Infected: not-a-virus:FraudTool.Win32.SpySheriff.a 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0050982.dll.bac_a03364 Infected: not-a-virus:FraudTool.Win32.SpySheriff.a 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0050983.dll.bac_a03364 Infected: not-a-virus:FraudTool.Win32.SpySheriff.a 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0050984.dll.bac_a03364 Infected: not-a-virus:FraudTool.Win32.SpySheriff.a 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0050985.dll.bac_a03364 Infected: not-a-virus:FraudTool.Win32.SpySheriff.a 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\ad.html.bac_a04504 Infected: Trojan-Clicker.JS.Agent.e 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\favset.exe.bac_a04504 Infected: Trojan.Win32.Favadd.ar 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\howiper.exe.bac_a04504 Infected: Trojan.Win32.Small.gq 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\ibm00001.dll.bac_a04504 Infected: Trojan-Spy.Win32.Small.eu 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\ibm00001.exe.bac_a04504 Infected: Trojan.Win32.Small.hf 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\ibm00002.dll.bac_a04504 Infected: Trojan-Spy.Win32.Small.eu 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\izidi.exe.bac_a03896 Infected: Trojan.Win32.DNSChanger.hd 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\scmt16.exe.bac_a04504 Infected: Trojan-Downloader.Win32.Harnig.bb 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\tool1.exe.bac_a04504 Infected: Trojan-Mailfinder.Win32.Mailbot.ag 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\xpupdate.exe.bac_a03364 Infected: Hoax.Win32.Renos.gs 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\{3FC72DE0-2665-4118-A4E3-DDCC2BD8A49F}.exe.bac_a01860 Infected: Trojan-Downloader.Win32.Agent.uj 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\{82030C4E-C0A1-4348-8692-CD73B32BE3A3}.exe.bac_a03364 Infected: Hoax.Win32.Renos.gs 1
C:\Documents and Settings\Dell\Application Data\sdra64.exe Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\_ialhib_.tky.zip Infected: Trojan.Win32.Small.aarn 1

The selected area was scanned.
ej1948
Regular Member
 
Posts: 50
Joined: April 25th, 2009, 10:45 pm
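The Kaspersky report above lists 32 infected objects, but almost all of them sit in two quarantine folders (Trend Micro HouseCall's `.housecall6.6\Quarantine` and ComboFix's `Qoobox\Quarantine`), where earlier tools had already neutralised them. The one detection on a live path, `Application Data\sdra64.exe` flagged as Trojan-Spy.Win32.Zbot.gen, is the finding that matters, and it is the file Katana's CFScript in the next post collects. The following added example, not code from the thread or from Kaspersky, performs that triage over a constructed excerpt of the report; the quarantine marker list and the function names are assumptions for this example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Detection(NamedTuple):
    path: str
    threat: str
    count: int


# Constructed excerpt of the Kaspersky Online Scanner 7.0 report above:
# three quarantined hits and the single live one.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\A0048928.EXE.bac_a03364 Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\Dell\.housecall6.6\Quarantine\izidi.exe.bac_a03896 Infected: Trojan.Win32.DNSChanger.hd 1
C:\Documents and Settings\Dell\Application Data\sdra64.exe Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\_ialhib_.tky.zip Infected: Trojan.Win32.Small.aarn 1

The selected area was scanned.
"""

# One report line: "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# Folders where an on-demand scanner re-detects objects another tool already
# isolated. Assumed list: only the two quarantine locations visible in this
# thread; extend it for other tools' quarantine paths.
QUARANTINE_MARKERS = ("\\.housecall6.6\\Quarantine\\", "\\Qoobox\\Quarantine\\")


def parse_report(text: str) -> List[Detection]:
    """Extract every 'Infected:' line of a Kaspersky Online Scanner report."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append(Detection(m["path"], m["threat"], int(m["count"])))
    return found


def is_quarantined(path: str) -> bool:
    """True when the detected object lives inside a known quarantine folder."""
    return any(marker in path for marker in QUARANTINE_MARKERS)


def triage(text: str) -> Dict[str, List[Detection]]:
    """Separate detections that still need action ('live') from re-detected
    quarantine contents ('quarantined')."""
    buckets: Dict[str, List[Detection]] = {"live": [], "quarantined": []}
    for det in parse_report(text):
        buckets["quarantined" if is_quarantined(det.path) else "live"].append(det)
    return buckets


def threat_summary(detections: List[Detection]) -> Counter:
    """Count detections per threat name, for a quick overview of a long report."""
    return Counter(det.threat for det in detections)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for det in result["live"]:
        print(f"LIVE        {det.threat:40} {det.path}")
    for det in result["quarantined"]:
        print(f"quarantined {det.threat:40} {det.path}")
    print(threat_summary(parse_report(SAMPLE_REPORT)))
```

On the constructed excerpt the only `live` entry is the Zbot detection; on the full report the same split leaves 31 quarantined objects and that one live file, which is why a helper reads a scan like this by path before reacting to the raw count.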

Re: Please help with malware!

Unread postby Katana » May 8th, 2009, 4:37 am

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://malwareremoval.com/forum/viewtopic.php?f=11&t=42271
    Comment:: Katana
    Collect::[4]
    C:\Documents and Settings\Dell\Application Data\sdra64.exe
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"=-
    "SunJavaUpdateSched"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"=-
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    [screenshot: CFScript.txt being dragged onto ComboFix.exe]


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Please reboot a couple of times and make sure you can get to normal mode.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester