Hi

I am picking up from a similar thread.

I was running Avast and ZoneAlarm. Recent upgrades to both were slowing my PC down.

Switched to Microsoft Essentials and Windows Firewall last week.

Within a couple of days I got hit with "AV Protection 2011" which is "scareware". Acts like anti-virus but produces a load of realistic looking false warnings, shuts down apps, and offers to "sell" you the fix and protection. What a scam!

I ran repeated scans with MBAM, Spybot S&D, Superantispyware, and Microsoft Essentials, until there were zero bad items (there were many to remove). Now my PC seems to run OK, all apps open, no more warnings. However, I did see that both Firefox and IE were getting many re-directs. I engaged Microsoft Essentials and MBAM. Now MBAM gives constant warnings that it is blocking outgoing attempts to access bad addresses.

Here is more info and my logs from the DDS app like you requested from a previous similar thread.

running windows XP2000 (Dell dimension 4600 desktop)

32bit

SP3

running MBAM free 1.51.0.1118,

Microsoft Security essentials 2.1.1116

and Windows Firewall

No P2P (I have old versions of Limewire and uTorrent installed but they are not in use, inactive)

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by ok at 16:00:59 on 2011-11-23

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.353 [GMT -5:00]

.

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Smith Micro\StuffIt 2010\ArcNameService.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\System32\ping.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

mWinlogon: Userinit=c:\windows\system32\userinit.exe

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File

TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000325.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000325.dll

{555d4d79-4bd2-4094-a395-cfc534424a05}

EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration304000026.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter

uRun: [sonic RecordNow!]

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Google Update] "c:\documents and settings\ok\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter

mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: Save Flash - c:\program files\unh solutions\flash saving plugin\FlashSButton.dll/210

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

LSP: mswsock.dll

Trusted Zone: aol.com\free

Trusted Zone: netflix.com\www

Trusted Zone: taxactonline.com\www

DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\ok\application data\mozilla\firefox\profiles\6x1mybng.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\ok\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: c:\program files\picasa2\npPicasa2.dll

FF - plugin: c:\program files\picasa2\npPicasa3.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll

FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll

.

============= SERVICES / DRIVERS ===============

.

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]

R1 MpKsl6f5b6914;MpKsl6f5b6914;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c5f9bb5d-266f-40ae-b2f5-e8b4be7a230f}\MpKsl6f5b6914.sys [2011-11-23 28752]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

attach.zip
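As an added example (not from the original post, the DDS tool or Malwarebytes), here is a small Python triage pass over lines in the DDS pseudo-HJT format shown above: it flags the entry types a log reviewer looks at first, such as orphaned BHO/toolbar registrations marked "No File", autorun entries with no command or an unqualified executable name, Trusted Zone and Hosts overrides, and stale Java installer DPF entries. The finding categories are my own labels, and the sample input is a constructed subset of the lines posted in this thread.

```python
import re
from collections import Counter

# Constructed sample: a subset of the pseudo-HJT lines posted above, in DDS format.
SAMPLE = """\
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - No File
uRun: [sonic RecordNow!]
mRun: [CTHelper] CTHELPER.EXE
mRun: [dla] c:\\windows\\system32\\dla\\tfswctrl.exe
Trusted Zone: taxactonline.com\\www
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com
"""

RUN_RE = re.compile(r"^[umd]Run: \[[^\]]*\]\s*(.*)$")      # uRun/mRun/dRun entries
JAVA_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-")  # Sun JRE installer cab


def java_version(line):
    """Version tuple of a Java installer DPF entry, or None for other lines."""
    m = JAVA_RE.search(line)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(report):
    """Return (category, line) findings for the pseudo-HJT lines a reviewer checks first."""
    lines = [l.rstrip() for l in report.splitlines() if l.strip()]
    # The newest registered JRE installer; older ones are stale plugin versions
    # still registered for download, which is how a log ends up with many of them.
    newest = max((v for v in map(java_version, lines) if v), default=None)
    findings = []
    for line in lines:
        if line.startswith(("BHO:", "TB:", "EB:")) and line.endswith("- No File"):
            findings.append(("orphan", line))            # CLSID registered, DLL gone
        elif (m := RUN_RE.match(line)):
            cmd = m.group(1).strip().strip('"')
            if not cmd:
                findings.append(("run-empty", line))     # autorun value with no command
            elif "\\" not in cmd.split()[0]:
                findings.append(("run-unqualified", line))  # bare name resolved via PATH
        elif line.startswith("Trusted Zone:"):
            findings.append(("trusted-zone", line))      # site with relaxed IE security
        elif line.startswith("Hosts:"):
            findings.append(("hosts", line))             # local name-resolution override
        elif line.startswith("DPF:") and (v := java_version(line)) and v < newest:
            findings.append(("stale-java", line))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(kind for kind, _ in findings))
```

Each flagged line still needs a human decision; an orphaned CLSID or a Trusted Zone entry is a cleanup candidate, not proof of infection.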


Hi, and welcome, LeftyBassMike:

Sorry to hear your computer was recently infected.

Sounds as if you've done quite a lot of clean-up work.

Actually, though, this is not quite the correct forum for posting of infection-related issues.

And the ongoing IP blocks & browser redirects might be indicative of persistent infection.

So, please have a look at these posting guidelines and then start a new topic over in the malware removal forum.

The authorized, trained malware experts will review your logs and assist you with investigating the IP blocks/redirects and determine if further disinfection might be needed.

While you are waiting for assistance there, you might want to have a look at the FAQ - Section G for information about the IP blocking module. It contains some tips about running a diagnostic tool that can help to determine what process might be making the IP connections.

You'll also want to uninstall your torrent/limewire software, per MBAM's piracy guidelines. :)

HTH,

daledoc1


P.S.

I just noticed that you are running an older version of MBAM (the current version is 1.51.2.1300).

While you await help in the malware removal section, you might want to update to the current version.

Here's how to do a clean upgrade:

  • If you are using MBAM PRO, be sure to have your license ID and key handy first.
  • Download and run mbam-clean.exe from here.
  • It will ask to restart your computer, please allow it to do so (very important!).
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here.
    Note: You will need to reactivate the program using the license ID & key you were sent via email, if you are using the PRO version.
  • Launch MBAM and set the Protection and Registration (if using the PRO version).
  • Then go to the UPDATE tab (if not done during installation) and check for updates.
  • Restart the computer again and verify that MBAM is in the task tray (if using the PRO version).
  • Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications. Then restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQs here, or ask and we'll explain how to do it.

HTH,

daledoc1


Hi DD. I found a related thread here from a search so I posted back to the same area. I will read thru the sections you suggest and re-post in the malware removal section as you suggest. Thanks for your help!


Okey dokey -- please see my post above your reply regarding updating MBAM, and some edits to my earlier instructions (re: uninstalling your torrent software).

The malware experts in the malware removal section will get you straightened out.

Best regards,

daledoc1

PS Please do be patient waiting for help there -- it is a US holiday weekend and many of the folks might be out of town. Someone will assist you as soon as possible.

PPS Please use the zMn2t.jpg button instead of other ones when you reply here and at the other forums, so that it will be easier to read. :)


Many thanks DD.

No problem about the holiday. In the meantime I will read thru those sections and follow thru on your suggested fixes and upgrades. Then I will follow up with posts to request further help. I do want to clean out any remaining infection ASAP, but at least my PC seems to be usable again for what I need.

Mike
