
Successfully blocked content to potentially malicious website



Hi,

I've had Malwarebytes for a while now, and it has worked great so far. I recently had a whole lot of pop-ups and some bogus "antispyware" programs asking to perform scans. What also happened is that all my desktop icons and START / ALL PROGRAMS were empty, with nothing in the start menu. Even my desktop picture was gone. I ran Malwarebytes, and it successfully removed several trojans. Now, however, I keep getting a pop-up every few minutes saying "Successfully blocked content to potentially malicious website 94.60.123.34" "Type: Outgoing".

My PC has also been running really slowly, especially the web browser. (Another laptop running on the same internet connection is fast, so it's not my connection speed.)

Any ideas what this is and how I can remove it? I have attached the latest 2 logs - one was a "protection log", the other a regular mbam log.

Thanks!

protection-log-2011-06-16.txt

mbam-log-2011-06-15 (08-01-27).txt


Hello alisonk and welcome to Malwarebytes! :welcome:

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

For future reference, please post the logs here rather than attaching them - it makes it easier for me to read them this way ;).

-------------

Please download the following file: Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

-------------

Please do the following:

  • Download DDS by sUBs from one of the following links. Save it to your Desktop.

    NOTE: Before scanning, make sure all other running programs are closed.
    There shouldn't be any scheduled antivirus scans running while the scan is being performed.
    Do not use your computer for anything else during the scan.

  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your Desktop.

-------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • DDS log
  • Security Check checkup.txt

How is your computer running now?


Hi Fred,

Here is the DDS log:

.

DDS (Ver_2011-06-12.02) - FAT32x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Run by Alison at 1:42:59 on 2011-06-19

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.186 [GMT -4:00]

.

AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *Disabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

SVCHOST.EXE

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

SVCHOST.EXE

SVCHOST.EXE

C:\WINDOWS\system32\spoolsv.exe

SVCHOST.EXE

C:\Program Files\Office keyboard utility\1.2\nhksrv.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\ESET\ESET Smart Security\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\MediaMall\MediaMallServer.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\WINDOWS\VM303_STI.EXE

C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\Program Files\ESET\ESET Smart Security\egui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\MediaMall\MediaMallServer.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Windows Defender\MpCmdRun.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Desktop Software] "c:\program files\common files\supportsoft\bin\bcont.exe" /ini "c:\program files\comcastui\desktop software\uinstaller.ini" /fromrun /starthidden

uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [bigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)

mRun: [openvpn-gui] c:\program files\astaro\astaro ssl vpn client\bin\openvpn-gui.exe

mRun: [EPSON Stylus Photo RX600] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"

mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE

mRun: [EssSpkPhone] essspk.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice

dRunOnce: [RunNarrator] Narrator.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

Trusted Zone: stratadat.com\fw

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC}

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700}

DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB}

DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - hxxp://63.99.207.62/builds//build1118/install.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592}

DPF: {B9191F79-5613-4C76-AA2A-398534BB8999}

DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe

DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3}

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48}

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{73B6A7D5-A602-4A43-A72F-EB1F05EF37D2} : NameServer = 8.8.8.8

TCP: Interfaces\{73B6A7D5-A602-4A43-A72F-EB1F05EF37D2} : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\alison\application data\mozilla\firefox\profiles\ph9f0c7k.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

FF - prefs.js: network.proxy.type - 0

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll

FF - plugin: c:\documents and settings\alison\local settings\application data\unity\webplayer\loader\npUnity3D32.dll

FF - plugin: c:\documents and settings\alison\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\nos\bin\np_gp.dll

FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-12-21 115008]

R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\msikbd2k.sys [2002-1-16 6656]

R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2007-12-23 58048]

R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-4-17 54752]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2007-12-23 102463]

R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]

R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]

R2 MediaMall Server;MediaMall Server;c:\program files\mediamall\MediaMallServer.exe [2011-5-5 4208496]

R2 nhksrv;Netropa NHK Server;c:\program files\office keyboard utility\1.2\NHKSRV.EXE [2002-1-16 28672]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-1-29 22712]

R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2007-12-23 108256]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-1-29 366640]

S2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\spamfighter\sfus.exe [2009-8-27 189064]

S2 srv8C;srv8C;c:\windows\system32\svchost.exe -k netsvcs [2002-9-19 14336]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]

S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [2002-9-19 747392]

.

=============== Created Last 30 ================

.

2011-06-19 01:12:48 -------- d-----w- c:\program files\trend micro

2011-06-17 23:42:34 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{a7226181-3923-487b-85c2-5455a6b98241}\mpengine.dll

2011-06-16 21:43:17 -------- d-----w- c:\documents and settings\alison\local settings\application data\ESET

2011-06-16 21:43:17 -------- d-----w- c:\documents and settings\alison\application data\ESET

2011-06-16 21:26:02 -------- d-----w- c:\program files\ESET

2011-06-15 23:15:02 5592784 ----a-w- c:\program files\cbaffspeedupmypc.exe

2011-06-15 10:12:31 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-15 10:11:55 758784 ------w- c:\windows\system32\dllcache\vgx.dll

2011-06-15 03:28:21 3096424 ----a-w- c:\program files\ccsetup307.exe

2011-06-14 15:24:08 -------- d-sh--w- C:\FOUND.006

2011-05-25 20:40:46 -------- d-----w- c:\program files\rokufiles

2011-05-25 20:19:24 23920 ----a-w- c:\windows\system32\drivers\povrtdev.sys

2011-05-25 20:17:36 -------- d-----w- c:\program files\common files\ffdshowEx

2011-05-25 20:17:35 -------- d-----w- c:\program files\MediaMall

2011-05-25 20:15:25 -------- d-----w- c:\documents and settings\all users\application data\MediaMall

2011-05-25 20:14:14 25232952 ----a-w- c:\program files\PlayOnSetup.3.3.6.exe

.

==================== Find3M ====================

.

2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19:44 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11:12 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11:12 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37:44 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2010-08-20 15:40:12 34456880 ----a-w- c:\program files\QuickTimeInstaller.exe

2010-08-18 19:20:12 567816 ----a-w- c:\program files\googleupdatesetup.exe

2010-06-22 13:54:30 18423152 ----a-w- c:\program files\rightwaycharts_setup.exe

2010-05-20 20:12:38 4169301 ----a-w- c:\program files\FileZilla_3.3.2.1_win32-setup.exe

.

============= FINISH: 1:43:56.83 ===============

Security Check text:

Results of screen317's Security Check version 0.99.14

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

ESET Smart Security

McAfee VirusScan Enterprise

```````````````````````````````

Anti-malware/Other Utilities Check:

MVPS Hosts File

Malwarebytes' Anti-Malware

CCleaner

Java 6 Update 20

Java 2 Runtime Environment, SE v1.4.2_18

Out of date Java installed!

Flash Player Out of Date!

Adobe Flash Player 10.2.159.1

Adobe Reader X (KB403742..) Adobe Reader Out of Date!

Mozilla Firefox (3.6.8) Firefox Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Windows Defender MSMpEng.exe

Malwarebytes' Anti-Malware mbam.exe

Network Associates VirusScan VsTskMgr.exe

Network Associates VirusScan Mcshield.exe

MediaMall MediaMallServer.exe

Windows Defender MsMpEng.exe

Windows Defender MpCmdRun.exe

``````````End of Log````````````

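As an added example (not part of this thread, and not code from the DDS or ComboFix authors), a small triage script that reads lines in the DDS and ComboFix formats posted above and flags the entries a helper looks at first: a service hosted by svchost.exe under a name that is not a known group member (the srv8C entry, which appears in the ComboFix Drivers/Services section further down), an ActiveX control (DPF) downloaded from a bare IP address, hosts-file redirections, and the firewall policy being disabled. The sample lines are constructed from the logs above, and the netsvcs baseline is an illustrative, incomplete set assumed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the DDS / ComboFix line formats used in this thread. The srv8C service,
# the DPF cab from 63.99.207.62, the Hosts entry and the EnableFirewall value all appear in the
# logs posted above; ekrn, WinDefend and the java.sun.com DPF are included as benign controls.
SAMPLE_LOG = r"""
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
S2 srv8C;srv8C;c:\windows\system32\svchost.exe -k netsvcs [2002-9-19 14336]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - hxxp://63.99.207.62/builds//build1118/install.cab
Hosts: 127.0.0.1 www.spywareinfo.com
"EnableFirewall"= 0 (0x0)
"""

# Illustrative, deliberately incomplete set of service names that Windows XP legitimately runs
# inside "svchost.exe -k netsvcs". A real triage would use a baseline taken from a known-clean
# machine of the same build; this set only exists so the example is self-contained.
NETSVCS_BASELINE = {
    "audiosrv", "bits", "browser", "cryptsvc", "dhcp", "dmserver", "ersvc", "eventsystem",
    "helpsvc", "lanmanserver", "lanmanworkstation", "netman", "nla", "rasauto", "rasman",
    "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection",
    "tapisrv", "themes", "trkwks", "w32time", "winmgmt", "wuauserv", "wzcsvc", "xmlprov",
}

# "R2 name;display name;image path [date size]" -- same prefix in DDS and ComboFix output.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[", re.IGNORECASE)
# DDS writes URLs defanged as hxxp://; accept the real scheme as well.
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-F-]+\})\s+-\s+h(?:xx|tt)ps?://([^/\s]+)", re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Flag the log entries an analyst would want to look at first, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, image = m.group(1), m.group(2)
            # A service hosted by svchost.exe that is not a known group member is suspicious:
            # the service name is arbitrary and the "binary" is a trusted system process.
            if "svchost.exe" in image.lower() and name.lower() not in NETSVCS_BASELINE:
                findings.append({"check": "svchost-hosted service not in baseline",
                                 "detail": f"{name} -> {image}"})
            continue
        m = DPF_RE.match(line)
        if m:
            clsid, host = m.group(1), m.group(2)
            # An ActiveX control fetched from a bare IP address has no vendor host to vouch for it.
            if IPV4_RE.match(host):
                findings.append({"check": "ActiveX (DPF) download from raw IP",
                                 "detail": f"{clsid} from {host}"})
            continue
        m = HOSTS_RE.match(line)
        if m:
            target, name = m.group(1), m.group(2)
            if target in ("127.0.0.1", "0.0.0.0"):
                # Could be a blocklist such as the MVPS Hosts file listed by Security Check,
                # or malware blocking security sites; the analyst decides, so mark for review.
                findings.append({"check": "hosts file redirection (review)",
                                 "detail": f"{name} -> {target}"})
            continue
        if FIREWALL_RE.match(line):
            findings.append({"check": "Windows Firewall disabled in policy",
                             "detail": line})
    return findings


def flagged_names(lines: List[str]) -> List[str]:
    """Convenience wrapper returning just the check names, in log order."""
    return [f["check"] for f in triage(lines)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f['check']}] {f['detail']}")
```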

Thanks for helping Fred,

As to how my computer is running now... very slow. I'm wondering if I'm still infected, or if it may perhaps be ESET antivirus plus Malwarebytes running in the background on this older machine (it's 7 years old with only 756 MB RAM); still, it was a lot faster before this infection happened last week. Let me know if you find anything from the logs!

Your assistance is greatly appreciated,

Alison


Hi again.

Thanks for helping Fred,

No problem :).

Please do the following:

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

***Note: In order for ComboFix to run properly McAfee must be uninstalled. Please go here and follow the instructions to uninstall McAfee.

You can reinstall it after the computer is clean.

--------------------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
  • How the PC is running now

-------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.

Also, please let me know if any problems still remain.

-------------

In your next reply, please include:

  • C:\ComboFix.txt
  • TDSSKiller log

How is your computer running now?


Hi Fred,

I was finally able to perform the scans you requested. The infected PC was freezing a lot today, and required several restarts, plus running very slow. I don't know if this is an issue, but I noticed my PC was running better after disabling the ESET antivirus/firewall program I put on there a few days ago. It was faster. Is it normal for antivirus software to cause a computer to run so slow? And if that program in particular does that, would you recommend a better one? I only have Malwarebytes, Spybot, and now ESET... is that enough to prevent further infections? I'm not going to reinstall McAfee; it was on there from years ago, and I never updated it.

It seems to be back up to normal speed now that I have run the combofix...I'll let you know how it performs tomorrow...

The TDSSKiller program did not find anything, so no log was made.

Thanks so much for helping!

Alison

Here is the combofix log:

ComboFix 11-06-17.04 - Alison 06/20/2011 0:04.1.1 - FAT32x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.348 [GMT -4:00]

Running from: c:\documents and settings\Alison\Desktop\ComboFix.exe

AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Alison\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\windows\a3kebook.ini

c:\windows\akebook.ini

c:\windows\ANS2000.INI

c:\windows\system\msikbd.dll

c:\windows\system\msiosd32.dll

c:\windows\system32\config\systemprofile\WINDOWS

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_SRV8C

-------\Service_srv8C

.

.

((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))

.

.

2011-06-19 01:12 . 2011-06-19 01:12 -------- d-----w- c:\program files\trend micro

2011-06-19 01:12 . 2011-06-19 01:12 -------- d-----w- C:\rsit

2011-06-17 23:42 . 2011-05-09 20:46 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{A7226181-3923-487B-85C2-5455A6B98241}\mpengine.dll

2011-06-16 21:43 . 2011-06-16 21:43 -------- d-----w- c:\documents and settings\Alison\Local Settings\Application Data\ESET

2011-06-16 21:43 . 2011-06-16 21:43 -------- d-----w- c:\documents and settings\Alison\Application Data\ESET

2011-06-16 21:28 . 2011-06-16 21:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2011-06-16 21:26 . 2011-06-16 21:26 -------- d-----w- c:\program files\ESET

2011-06-16 21:26 . 2011-06-16 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2011-06-16 19:28 . 2011-06-16 19:28 1441584 ----a-w- c:\program files\TDSSKiller.exe

2011-06-15 23:15 . 2011-06-15 23:15 5592784 ----a-w- c:\program files\cbaffspeedupmypc.exe

2011-06-15 10:12 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys

2011-06-15 10:11 . 2011-04-30 03:01 758784 ------w- c:\windows\system32\dllcache\vgx.dll

2011-06-15 03:28 . 2011-06-15 03:25 3096424 ----a-w- c:\program files\ccsetup307.exe

2011-06-14 15:24 . 2011-06-14 15:24 -------- d-----w- C:\FOUND.006

2011-05-25 20:40 . 2011-05-25 20:40 -------- d-----w- c:\program files\rokufiles

2011-05-25 20:19 . 2010-04-29 17:40 23920 ----a-w- c:\windows\system32\drivers\povrtdev.sys

2011-05-25 20:17 . 2011-05-25 20:17 -------- d-----w- c:\program files\MediaMall

2011-05-25 20:15 . 2011-05-25 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\MediaMall

2011-05-25 20:14 . 2011-05-25 20:14 25232952 ----a-w- c:\program files\PlayOnSetup.3.3.6.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-05-29 13:11 . 2011-01-29 05:13 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-29 13:11 . 2011-01-29 05:13 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-09 20:46 . 2010-12-18 15:03 6962000 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-05-02 15:31 . 2004-03-02 17:18 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-04-29 16:19 . 2002-09-19 14:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-04-25 16:11 . 2004-08-23 23:32 916480 ----a-w- c:\windows\system32\wininet.dll

2011-04-25 16:11 . 2002-09-19 14:03 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-04-25 16:11 . 2002-09-19 14:03 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-04-25 12:01 . 2004-08-04 04:59 385024 ----a-w- c:\windows\system32\html.iec

2011-04-21 13:37 . 2002-09-19 14:04 105472 ----a-w- c:\windows\system32\drivers\mup.sys

2010-08-20 15:40 . 2010-08-04 22:36 34456880 ----a-w- c:\program files\QuickTimeInstaller.exe

2010-08-18 19:20 . 2010-08-18 19:20 567816 ----a-w- c:\program files\googleupdatesetup.exe

2010-06-22 13:54 . 2010-06-22 13:54 18423152 ----a-w- c:\program files\rightwaycharts_setup.exe

2010-05-20 20:12 . 2010-05-20 20:12 4169301 ----a-w- c:\program files\FileZilla_3.3.2.1_win32-setup.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2008-12-09 495616]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"BigDog303"="c:\windows\VM303_STI.EXE" [2006-11-10 61440]

"openvpn-gui"="c:\program files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe" [2007-10-05 90112]

"EPSON Stylus Photo RX600"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE" [2003-09-09 99840]

"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]

"EssSpkPhone"="essspk.exe" [2002-05-31 167936]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]

"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-13 53760]

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qttask

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"FLMOFFICEKEYBOARD"=c:\program files\Office keyboard utility\1.2\OFFICEKB.exe

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" -osboot

"FLMBROWSERMOUSE"=c:\program files\Browser mouse\1.2\mouse32a.exe

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\MSMSGS.EXE"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"67:UDP"= 67:UDP:DHCP Server

.

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [12/21/2010 3:04 PM 115008]

R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\system32\drivers\msikbd2k.sys [1/16/2002 1:26 PM 6656]

R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [1/12/2011 4:41 PM 810144]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/29/2011 1:13 AM 366640]

R2 nhksrv;Netropa NHK Server;c:\program files\Office keyboard utility\1.2\NHKSRV.EXE [1/16/2002 1:26 PM 28672]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/29/2011 1:13 AM 22712]

R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/29/2011 1:13 AM 39984]

S2 SPAMfighter Update Service;SPAMfighter Update Service;c:\program files\SPAMfighter\sfus.exe [8/27/2009 9:24 AM 189064]

S3 wdm_au8830;Aureal Vortex 8830 Audio Driver (WDM);c:\windows\system32\drivers\adm8830.sys [9/19/2002 11:08 AM 747392]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-08-20 17:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2024096060-1066774155-3743661981-1010.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 15:33]

.

2011-06-20 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2024096060-1066774155-3743661981-1010.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 15:33]

.

2010-07-01 c:\windows\Tasks\wavepadShakeIcon.job

- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-06-21 18:25]

.

2011-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

Trusted Zone: stratadat.com\fw

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{73B6A7D5-A602-4A43-A72F-EB1F05EF37D2}: NameServer = 8.8.8.8

DPF: DirectAnimation Java Classes

DPF: Microsoft XML Parser for Java

DPF: {6BA1270C-B969-4234-B827-7B3BBB4F5FFC} - hxxp://63.99.207.62/builds//build1118/install.cab

FF - ProfilePath - c:\documents and settings\Alison\Application Data\Mozilla\Firefox\Profiles\ph9f0c7k.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/

FF - prefs.js: network.proxy.type - 0

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKCU-Run-Desktop Software - c:\program files\Common Files\SupportSoft\bin\bcont.exe

MSConfigStartUp-CTFMON - (no file)

AddRemove-ESSMDM - c:\windows\remvess

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-20 00:12

Windows 5.1.2600 Service Pack 3 FAT NTAPI

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

BigDog303 = c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)????????????????0?????????@??????????????

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1556)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\ftpxext.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe

c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\system32\wscntfy.exe

c:\program files\Windows Live\Contacts\wlcomm.exe

.

**************************************************************************

.

Completion time: 2011-06-20 00:17:58 - machine was rebooted

ComboFix-quarantined-files.txt 2011-06-20 04:17

.

Pre-Run: 12,413,960,192 bytes free

Post-Run: 12,708,249,600 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - F797BB5AD4C094266D2416978B84E663


Hi Fred,

One more thing I noticed...when I hit Start / All Programs...I see all of my programs listed there, but when I hover the mouse over some of them, it's still saying it's "empty" (not all are doing this, just some) - see attached screenshot. I checked in "Program Files" and they are all there, just not accessible from the start menu.

Do you know if that's fixable? Seems to be related to that malware issue.

Thanks,

Alison

post-84801-0-68416600-1308545019.jpg


Hello again. We still have some work to do, but the main infection is cleared.

It was faster. Is that normal for antivirus software to cause a computer to run so slow?

It could depend on a number of things, but if you are happier without ESET, then by all means don't reinstall it. :)

And if that program in particular does that, would you recommend a better one? I only have malwarebytes, spybot - and now ESET...is that enough to prevent further infections? I'm not going to reinstall Mcafee, it was on there from years ago, and I never updated it.

I will provide you with some suggestions for security software towards the end. ;)

Please do the following:

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

--------------------------

Do you know if that's fixable? Seems to be related to that malware issue.

Please try this version of unhide and tell us if it resolved the issue:

http://download.bleepingcomputer.com/grinler/beta/unhide.exe

--------------------------

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    SRV8C.sys
    SRV8C.drv
    SRV8C.tmp


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt

--------------------------

Please include the SystemLook.txt in your next reply. How is your system running now?


Hi Fred,

The unhide link you provided did not open for me...

it gave me a 'webpage cannot be found' message.

Also, I think I may have messed something up in malwarebytes (perhaps when running the combofix? I was pretty sure I disabled it before running combofix though...) When I try to open malwarebytes it says "Program error load database - 2146893820 -2146893820 - CreateSDK Bad length"

Sorry if that was me :-(

The computer is running much, much faster now (even with ESET running in the background)!!! Great news!

Alison

Here is the system look log:

SystemLook 04.09.10 by jpshortstuff

Log created at 14:53 on 20/06/2011 by Alison

Administrator - Elevation successful

========== filefind ==========

Searching for "SRV8C.sys "

No files found.

Searching for "SRV8C.drv "

No files found.

Searching for "SRV8C.tmp"

No files found.

-= EOF =-


The computer is running much, much faster now (even with ESET running in the background)!!! Great news!

I am thrilled to hear that! :D

The unhide link you provided did not open for me...

it gave me a 'webpage cannot be found' message.

Hmmm... try this one. If it doesn't work, we'll try something else. ;)

Also, I think I may have messed something up in malwarebytes (perhaps when running the combofix? I was pretty sure I disabled it before running combofix though...) When I try to open malwarebytes it says "Program error load database - 2146893820 -2146893820 - CreateSDK Bad length"

Sorry if that was me :-(

Try rebooting the computer. Let me know if you still get that error after rebooting.

---------

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic


Hi Fred,

That unhide program opened and ran, but some of my start menu items are still showing as empty, so it didn't work.

Also after a restart, malwarebytes is still not opening...when I booted up it gave the message "malwarebytes has encountered a problem and needs to close" and when I try clicking on it from the desktop, it gives that error message "Program error load database".

I could try uninstalling it and installing it again?

Here is the ESET online scanner log: Looks like that found and removed some things too:

Alison

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6526

# api_version=3.0.2

# EOSSerial=8d6e644cf21240409d7d1fdad885635e

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-21 12:43:45

# local_time=2011-06-20 08:43:45 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8201 39157077 100 100 0 13664464 0 0

# scanned=61109

# found=9

# cleaned=9

# scan_time=5018

# nod_component=V3 Build:0x30000000

C:\Documents and Settings\Alison\Local Settings\Application Data\SupportSoft\ddoctorv2\Alison\state\backup\Pl\PlaySushiFF.dll\188928_5b7e09d9a_ probably a variant of Win32/Adware.Gamevance.AG application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Alison\Application Data\Sun\Java\Deployment\cache\6.0\27\7dceef1b-5bd089d6 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C

C:\Program Files\cbaffspeedupmypc.exe Win32/SpeedUpMyPC application (deleted - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{93EA7FB1-3634-4E01-BFEE-735EDB571361}\RP2243\A0299329.exe Win32/SpeedUpMyPC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{93EA7FB1-3634-4E01-BFEE-735EDB571361}\RP2243\A0299330.exe Win32/SpeedUpMyPC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{93EA7FB1-3634-4E01-BFEE-735EDB571361}\RP2243\A0299331.exe Win32/SpeedUpMyPC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{93EA7FB1-3634-4E01-BFEE-735EDB571361}\RP2243\A0299332.exe Win32/SpeedUpMyPC application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{93EA7FB1-3634-4E01-BFEE-735EDB571361}\RP2248\A0309504.exe Win32/SpeedUpMyPC application (deleted - quarantined) 00000000000000000000000000000000 C

C:\Backup\PeoplePC\Branding\ppcstub.exe probably unknown NewHeur_PE virus (deleted - quarantined) 00000000000000000000000000000000 C


That unhide program opened and ran, but some of my start menu items are still showing as empty, so it didn't work.

Hmmm... I will inquire with the tool's creator about this. Thank you for your patience. :)

I could try uninstalling it and installing it again?

Sure, give that a try and let me know if it helps.

In the meantime, let's run another online scan to make sure you're clean:

Please use Internet Explorer and run a BitDefender Online scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan

Please post the results in your next reply.


Hi Fred,

Good news...Malwarebytes is working fine now...I shut down last night and it was back up with no error messages this morning! Must have needed a shut down instead of just a restart.

The unhide tool is still not unhiding all my folders though...I'm still getting "empty" on some of them. I went into the start menu folder and it does actually look like those folders are empty...see the screenshot for the folder "mozilla firefox". Not sure what is happening here...the unhide can't actually bring back the contents of an empty folder :rolleyes:

So I'm in need of a little lesson here...the folders in C:\Documents and Settings\All Users\Start Menu\Programs are the ones that are showing empty. These are essentially just shortcuts to the various things you have installed like skype, mozilla etc....so you can click on them from the start menu...correct?

The actual programs are still there, installed in folders like - C:\Program Files\Mozilla Firefox. I'm not sure if there is a way to restore the shortcuts to the start menu?

Here is the results of the last scan...looks like it was clear!

Thanks again for your perseverance in helping clean my computer! I'm going to send a donation to your cause...

Alison

QuickScan Beta 32-bit v0.9.9.96

-------------------------------

Scan date: Tue Jun 21 16:50:12 2011

Machine ID: A8D72879

No infection found.

-------------------

Processes

---------

BIGDOG 2272 C:\WINDOWS\VM303_STI.EXE

Diskeeper Disk Defragmenter 520 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

EPSON Status Monitor 3 2292 C:\WINDOWS\System32\SPOOL\DRIVERS\W32X86\3\E_S4I2M1.EXE

ESET Smart Security 2460 C:\Program Files\ESET\ESET Smart Security\EGUI.EXE

ESET Smart Security 544 C:\Program Files\ESET\ESET Smart Security\EKRN.EXE

Firefox 868 C:\Program Files\Mozilla Firefox\firefox.exe

Firefox 1848 C:\Program Files\Mozilla Firefox\plugin-container.exe

Gadwin PrintScreen 2496 C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe

LightScribe 624 C:\Program Files\Common Files\LightScribe\LSSrvc.exe

Logitech ImageStudio 2308 C:\Program Files\Common Files\Logitech\QCDriver3\LVComS.exe

Malwarebytes' Anti-Malware 2420 C:\Program Files\Malwarebytes' Anti-Malware\MBAMGUI.EXE

Malwarebytes' Anti-Malware 704 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

Microsoft

post-84801-0-87447400-1308700939.jpg


Good news...Malwarebytes is working fine now...I shut down last night and it was back up with no error messages this morning! Must have needed a shut down instead of just a restart.

Great to hear that! ;)

So I'm in need of a little lesson here...the folders in C:\Documents and Settings\All Users\Start Menu\Programs are the ones that are showing empty. These are essentially just shortcuts to the various things you have installed like skype, mozilla etc....so you can click on them from the start menu...correct?

Correct. :)

the unhide can't actually bring back the contents of an empty folder :rolleyes:

It should restore your Start Menu items though; it's odd that it isn't working this time.

Thanks again for your perseverance in helping clean my computer! I'm going to send a donation to your cause...

You are very kind! :)

The actual programs are still there, installed in folders like - C:\Program Files\Mozilla Firefox. I'm not sure if there is a way to restore the shortcuts to the start menu?

One thing I noticed is that you have CCleaner installed on your computer:

I need to know if you recently used it to delete your temporary files. If you have, then that is the reason Unhide is not restoring your Start Menu programs.

If you have deleted them, we could try doing it manually, however that will take some time.

EDIT: Please download and run this batch file: http://download.bleepingcomputer.com/bats/smtmp.bat It will verify the existence of the folder where your Start Menu contents are (if they haven't been deleted by a temp file cleaner). Please let me know what happens.


Hi Fred,

Here is the result of the batch file:

Volume in drive C has no label.

Volume Serial Number is A8D7-2879

And, unfortunately, I think I did run CCleaner at the time my computer started running slow. I usually do that and then run the defragger, thinking that's what it needed to speed it up. So...I inadvertently wiped all those start menu items off by mistake :-(

Bleeping computer! Is all I can say...

Anyway...Maybe I can manually rebuild them. Do I just find the .exe files in the installed folders in C:Program files and create shortcuts in the start menu folders?

Ok, I just did that for Mozilla firefox, and it seems to work...I can slowly rebuild them...it's not a big deal really. I don't actually use those start menu shortcuts too often anyway.

Just got to be careful when running CCleaner in the future!

So other than that...the computer is now safe from more infections? You mentioned some recommendations to protect me in the future? I think I'll pay for a subscription to ESET Smart Security 4 (unless you have a better one?), plus I'll have Malwarebytes, Spybot Search and Destroy, and I also have Windows Defender (though not sure how good that is...) Is that enough?

Regards,

Alison
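The two steps discussed in this exchange, checking whether the Start Menu backup folder still exists (what smtmp.bat does) and rebuilding a shortcut from the installed .exe, can be scripted. The PowerShell below is an added example, not the thread's smtmp.bat, Unhide.exe or any Malwarebytes code; it assumes the Windows XP path C:\Documents and Settings\All Users\Start Menu\Programs quoted in the thread, that the rogue parked the shortcuts under %TEMP%\smtmp (the folder Unhide restores from, an assumption here), and the Firefox path given above.

```powershell
# Added example (not the forum's smtmp.bat or Unhide.exe).
# 1) Check whether the rogue's backup of the Start Menu shortcuts still
#    exists in %TEMP%\smtmp (assumed location: the folder Unhide restores
#    from, and exactly what a temp-file cleaner such as CCleaner wipes).
# 2) List Start Menu program folders that now show as "(Empty)".
# 3) Recreate one shortcut from a known installed executable.
# Nothing here deletes or moves files.

# Windows XP layout, as on the machine in this thread (assumed).
$StartMenuPrograms = Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs'
$SmtmpFolder       = Join-Path $env:TEMP 'smtmp'

function Test-SmtmpBackup {
    # Equivalent of the smtmp.bat check: is the backup folder there, and does it hold anything?
    if (-not (Test-Path -LiteralPath $SmtmpFolder)) {
        return "Backup folder $SmtmpFolder not found; a temp-file cleaner has probably removed it, so the shortcuts must be rebuilt by hand."
    }
    $files = @(Get-ChildItem -LiteralPath $SmtmpFolder -Recurse -Force | Where-Object { -not $_.PSIsContainer })
    return "Backup folder $SmtmpFolder holds $($files.Count) file(s); Unhide.exe should still be able to restore from it."
}

function Get-EmptyStartMenuFolders {
    # Folders such as 'Mozilla Firefox' whose shortcuts are gone, so the Start Menu shows them as empty.
    Get-ChildItem -LiteralPath $StartMenuPrograms -Recurse -Force |
        Where-Object { $_.PSIsContainer } |
        Where-Object { @(Get-ChildItem -LiteralPath $_.FullName -Force).Count -eq 0 } |
        ForEach-Object { $_.FullName }
}

function New-StartMenuShortcut {
    # Creates <Start Menu>\Programs\<FolderName>\<ShortcutName>.lnk pointing at an installed .exe,
    # i.e. the manual rebuild described in the thread, done with the WScript.Shell COM object.
    param(
        [Parameter(Mandatory=$true)] [string] $FolderName,   # e.g. 'Mozilla Firefox'
        [Parameter(Mandatory=$true)] [string] $TargetExe,    # e.g. 'C:\Program Files\Mozilla Firefox\firefox.exe'
        [string] $ShortcutName                               # defaults to the exe's base name
    )
    if (-not (Test-Path -LiteralPath $TargetExe)) {
        throw "Target executable does not exist: $TargetExe"
    }
    if (-not $ShortcutName) {
        $ShortcutName = [System.IO.Path]::GetFileNameWithoutExtension($TargetExe)
    }
    $folder = Join-Path $StartMenuPrograms $FolderName
    if (-not (Test-Path -LiteralPath $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
    $lnkPath = Join-Path $folder ($ShortcutName + '.lnk')
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath       = $TargetExe
    $lnk.WorkingDirectory = Split-Path -Parent $TargetExe
    $lnk.Save()
    return $lnkPath
}

# Usage: report first, then rebuild the Firefox entry the way the thread describes.
Test-SmtmpBackup
Write-Output 'Start Menu folders that are now empty:'
Get-EmptyStartMenuFolders
New-StartMenuShortcut -FolderName 'Mozilla Firefox' -TargetExe 'C:\Program Files\Mozilla Firefox\firefox.exe'
```

Run it from an account that can write to the All Users profile; each remaining empty folder can then be refilled with one New-StartMenuShortcut call per program.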


Anyway...Maybe I can manually rebuild them. Do I just find the .exe files in the installed folders in C:Program files and create shortcuts in the start menu folders?

Ok, I just did that for Mozilla firefox, and it seems to work...I can slowly rebuild them...it's not a big deal really. I don't actually use those start menu shortcuts too often anyway.

Yep, you're doing it correctly! ;) If you have any questions or concerns, don't hesitate to ask.

So other than that...the computer is now safe from more infections? You mentioned some recommendations to protect me in the future? I think I'll pay for a subscription to ESET Smart Security 4 (unless you have a better one?), plus I'll have Malwarebytes, Spybot Search and Destroy, and I also have Windows Defender (though not sure how good that is...) Is that enough?

That sounds good!

One thing I might add is that if you're running ESET as well as Spybot, you should not leave Windows Defender enabled. Running multiple protection programs of the same type (AntiVirus, Anti-Spyware, or Firewall) is a bad idea, because they can actually conflict, leaving your PC worse off in the end.

I will provide you with some further suggestions for security software, but first, let's update some of your programs ;).

----------

Please take the time to install the following updates, as outdated applications leave you extremely vulnerable to getting infected again.

Firefox is out of date. Using an outdated version of a web browser leaves you extremely vulnerable to malware!

Please visit Mozilla site and update it to the latest version.

----------

Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Download the newest version from here http://www.oracle.com/technetwork/java/javase/downloads/index.html.

It's important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.

Go to Start > Control Panel and open Add or Remove Programs.

Search in the list for all previous installed versions of Java. (J2SE Runtime Environment).

They will have this icon next to them: javaicon.gif

Select each in turn and click Remove.

Once old versions are gone, please install the newest version.

----------

You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here (uninstall version 7.0 first):

Adobe Reader X

Note: I suggest you uncheck an optional, third-party download (eg. McAfee Security Scan Plus).

After successfully installing Adobe Reader X, see this article on how to make this program more secure: Adobe Reader X secures itself by playing in the sandbox.

----------

Your Flash Player is out of date!

To make sure you have the latest version of Adobe Flash Player installed:

1. To uninstall an older version, download this file to your Desktop: uninstall_flash_player.exe

2. Quit ALL running applications, including all Internet Explorer or other browser windows, and messenger applications (like AOL Instant Messenger, Yahoo Messenger, MSN Messenger).

3. Double-click on the file you've downloaded to uninstall Flash.

4. If uninstalled successfully, go to this site: Install Adobe Flash Player, and choose Agree and install now. This will install the newest version of Flash for your browser (note: Flash plugins for IE and Firefox must be installed separately).

Note: I recommend you uncheck an optional install (Free McAfee Security Scan or Free Google Toolbar).

----------

Please let me know how the updates went, as failed updates may indicate additional malware. :)


Java is out of date and older versions contain vulnerabilities. Please update to the newest version.

Hi...if you are still there...Could you tell me which version of Java I need? There are several on there? I chose the first one, and accepted the licence agreement, then got this long list of options? Am I on the right page?

Thanks,


Hi,

ok, I've done all the updates requested, and made adobe more secure.

One thing...I tried to uninstall something called "Yahoo Browser Plus" that I noticed in my programs that I probably don't use or need and I got an error message "bpuninstall.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

Does that indicate a problem?

All the other uninstalls and updates worked great.

Alison


Glad to hear the updates went well. :)

As for Yahoo Browser Plus, let's try uninstalling it with this:

Please download and install Revo Uninstaller (Freeware) from here. Then please run Revo Uninstaller and select Yahoo Browser Plus.

Please click Uninstall icon to uninstall the selected program.


Please choose Advanced.


Then click Next and follow the prompts.

Please click Select All (1.) and Delete (2.)


to delete all registry items, folders and files listed by Revo.

If asked to restart the computer, please do so immediately.

Let me know if that helped. ;)


Glad to hear that!! :D

I will provide you with some suggestions for security software, but first, ComboFix must be uninstalled :) :

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

**You may now reinstall McAfee AntiVirus if you haven't already. Please keep in mind that you should only run one antivirus and one antispyware in resident mode, so I would suggest you only keep ESET. ;)

-------------

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future. :)

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy

A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster

A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard

A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

Please, consider maintaining a firewall with HIPS (Host Intrusion Prevention Systems). Firewalls are extremely important and are the first part of your computer's defense. HIPS stops malware by monitoring its behavior and it's very important, too.

A firewall is a software program or piece of hardware that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.

If you are using the Windows Firewall please note that it doesn't monitor or block outbound traffic and is therefore less effective than other free alternatives.

These firewalls are good and do have free versions available

A tutorial on understanding and using firewalls may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad for ZonedOut which provides protections against malicious websites. (Requires 2 downloads)

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScripts, can make it even more secure. Opera is another good option.

If you are interested, Firefox may be downloaded from here

Opera is available here: http://www.opera.com/download/

For much more useful information, please also read Tony Klein's excellent article: How did I get infected in the first place

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
