1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Solved Suspect Trojan Virus

Discussion in 'Malware and Virus Removal Archive' started by frankwebb, 2009/07/07.

Page 1 of 2
  1. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    [Resolved] Suspect Trojan Virus

    Security Program kept turning off virus protection. Did scan and found the following Virus: Trojan.win32.Vapsup.ujq. Part of report mentioned Firefox add-on with movenetwork.com. Not sure if Firefox picked up virus. Security program working, but very slow to activate when computer is turned on. Takes at least 2 plus minutes to come up on desktop.
     
    frankwebb,
    #1
  2. 2009/07/07
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     
    Arie,
    #2


  3. to hide this advert.

  4. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    Log as Requested

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by frankwebb at 14:24:08.07 on 07/07/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.511.74 [GMT -6:00]

    AV: TELUS security services Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    FW: TELUS security services Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\TELUS\TELUS security services\Fws.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    svchost.exe
    C:\Program Files\TELUS\TELUS security services\rps.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TELUS\TELUS security advisor\Tsa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TELUS\TELUS security advisor\TsaComHandler.exe
    C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\frankwebb\Local Settings\Temporary Internet Files\Content.IE5\J32FV1E6\dds[1].pif

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://sympatico.msn.ca/
    uDefault_Page_URL = hxxp://www.msn.com
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\telus\telus security services\pkR.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Ask.com Toolbar BHO: {d4027c7f-154a-4066-a1ad-4243d8127440} - Ask.com Toolbar
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} -
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [WeatherEye] c:\program files\theweathernetwork\weathereye\WeatherEye.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRunOnce: [IndexCleaner] "c:\program files\telus\telus security services\IdxClnR.exe "
    mRun: [SystemTray] SysTray.Exe
    mRun: [Tsa.exe] "c:\program files\telus\telus security advisor\Tsa.exe" /AUTORUN
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRunOnce: [IndexCleaner] "c:\program files\telus\telus security services\IdxClnR.exe "
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: DirectAnimation Java Classes
    DPF: Hog Heaven Slots by pogo - hxxp://game3.pogo.com/v/9.1.4.5/applet/fancy/fancy-en_US.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://sympatico.zone.msn.com/bingame/zpagames/zpa_hrtz.cab98974.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R0 KL1;KL1;c:\windows\system32\drivers\kl1.sys [2009-7-6 112144]
    R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-7-6 196368]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-6-11 600944]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-6-11 600944]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-6-26 195856]
    R3 FastNIC;SMC EZ Card 10/100 (SMC1244TX V2);c:\windows\system32\drivers\FastNIC.sys [2002-5-21 38528]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-6-26 19096]
    R3 Radialpoint Security Services;TELUS security services;c:\program files\telus\telus security services\RpsSecurityAwareR.exe [2008-12-9 97520]
    S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-5-7 12672]

    ============== File Associations ===============

    JSEFile=NOTEPAD.EXE %1
    regfile=NOTEPAD.EXE %1
    scrfile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1

    =============== Created Last 30 ================

    2009-07-06 16:33 112,144 a------- c:\windows\system32\drivers\kl1.sys
    2009-07-06 16:33 53,192 a------- c:\windows\system32\drivers\rp_skt32.sys
    2009-07-06 16:32 48,384 a------- c:\windows\system32\drivers\rp_pkt32.sys
    2009-07-06 16:32 <DIR> --d----- c:\program files\Raxco
    2009-07-02 10:07 6,144 a------- c:\windows\system32\kbd106.dll
    2009-07-02 10:07 6,144 a------- c:\windows\system32\dllcache\kbd106.dll
    2009-06-26 16:54 <DIR> --d----- c:\program files\common files\xing shared
    2009-06-26 16:54 499,712 a------- c:\windows\system32\msvcp71.dll
    2009-06-26 16:54 348,160 a------- c:\windows\system32\msvcr71.dll
    2009-06-26 14:47 0 a------- c:\windows\system32\cid_store.dat
    2009-06-26 14:02 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-26 14:02 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-06-26 14:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-06-24 21:41 <DIR> --d----- c:\docume~1\frankw~1\applic~1\MxBoost
    2009-06-23 12:44 <DIR> --d----- c:\program files\Paint.NET
    2009-06-23 12:44 <DIR> --d----- c:\docume~1\frankw~1\applic~1\Paint.NET
    2009-06-19 18:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
    2009-06-17 17:00 <DIR> --d----- c:\program files\JRE
    2009-06-17 16:51 73,728 a------- c:\windows\system32\javacpl.cpl
    2009-06-15 13:19 <DIR> --d----- c:\program files\TuxPaint
    2009-06-11 09:01 940,896 a------- c:\windows\system32\Incinerator.dll
    2009-06-11 09:01 28,672 a------- c:\windows\system32\iolobtdfg.exe
    2009-06-11 09:01 8,192 a------- c:\windows\system32\smrgdf.exe
    2009-06-11 09:01 <DIR> --d----- c:\program files\iolo
    2009-06-10 18:50 <DIR> --d----- c:\program files\iPod
    2009-06-10 18:50 <DIR> --d----- c:\program files\iTunes
    2009-06-09 18:17 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
    2009-06-09 18:17 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
    2009-06-09 18:17 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
    2009-06-09 18:16 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll

    ==================== Find3M ====================

    2009-07-07 14:24 9,633,824 a--sh--- c:\windows\system32\drivers\fidbox.dat
    2009-07-07 14:24 784,928 a--sh--- c:\windows\system32\drivers\fidbox2.dat
    2009-07-06 22:47 75,488 a--sh--- c:\windows\system32\drivers\fidbox2.idx
    2009-07-06 22:47 129,068 a--sh--- c:\windows\system32\drivers\fidbox.idx
    2009-06-17 19:05 32,816 a------- c:\docume~1\frankw~1\applic~1\GDIPFONTCACHEV1.DAT
    2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
    2009-05-12 23:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
    2009-05-12 23:15 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-12 23:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
    2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
    2009-05-07 09:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
    2009-04-30 15:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
    2009-04-30 15:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
    2009-04-30 15:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
    2009-04-30 05:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
    2009-04-17 06:26 1,847,168 a------- c:\windows\system32\win32k.sys
    2009-04-17 06:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
    2009-04-15 08:51 585,216 a------- c:\windows\system32\rpcrt4.dll
    2009-04-15 08:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
    2008-10-13 09:19 271 a--sh--- c:\program files\desktop.ini
    2008-10-13 09:19 23,357 a---h--- c:\program files\folder.htt

    ============= FINISH: 14:25:01.32 ===============
     
    frankwebb,
    #3
  5. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    2nd Log as Requested

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-06-26.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 13/10/2008 10:29:37 AM
    System Uptime: 07/07/2009 12:41:35 PM (2 hours ago)

    Motherboard: Gigabyte Technology | | 8TX-C
    Processor: Intel(R) Pentium(R) 4 CPU 1500MHz | Socket | 1495/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 26.566 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP400: 06/07/2009 10:41:46 PM - July 06 - 01

    ==== Installed Programs ======================

    7-Zip 4.65
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.2
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Choice Guard
    CPUID CPU-Z 1.51
    EVEREST Home Edition v2.20
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB954550-v5)
    InterVideo WinDVD
    iolo technologies' System Mechanic
    iTunes
    Java(TM) 6 Update 14
    Lexmark 3300 Series
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Reader
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Word 2000 SR-1
    Microsoft Works 2001 Setup Launcher
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Nero - Burning Rom
    OpenOffice.org 3.1
    Paint.NET v3.36
    PerfectDisk
    QuickTime
    Radialpoint Security Services
    RealPlayer
    RPS Ad Blocker
    RPS AntiFraud
    RPS AntiSpyware
    RPS AntiVirus
    RPS App Detector
    RPS Backup
    RPS Burn
    RPS CRT
    RPS Diagnostic Utility
    RPS Firewall
    RPS Ksdk
    RPS ParentalControl
    RPS Performance Tool
    RPS PopupBlocker
    RPS Privacy Manager
    RPS RpsCore
    RPS Security Cleanup
    RPS Zip
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Segoe UI
    Skypeâ„¢ 4.0
    Spelling Dictionaries Support For Adobe Reader 9
    TELUS security advisor 2.0.21
    TELUS security services
    Tux Paint 0.9.20b
    Tux Paint Stamps 2008.06.30
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB968220)
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WeatherEye
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player 9 Series Winter Fun Pack
    Windows Media Player Firefox Plugin
    Windows Vista Upgrade Advisor
    Works Suite OS Pack
    Works Synchronization

    ==== Event Viewer Messages From Past Week ========

    06/07/2009 6:26:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips KL1 KLIF Processor StarOpen
    06/07/2009 6:25:52 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    06/07/2009 4:20:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: DefragFS
    06/07/2009 4:20:06 PM, error: Service Control Manager [7000] - The Security Services Driver (x86) service failed to start due to the following error: The system cannot find the file specified.
    06/07/2009 3:54:16 PM, error: Service Control Manager [7024] - The Distributed Transaction Coordinator service terminated with service-specific error 3221229584 (0xC0001010).
    06/07/2009 12:56:12 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TELUS security services service to connect.
    06/07/2009 12:56:12 PM, error: Service Control Manager [7000] - The TELUS security services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    06/07/2009 12:56:11 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service Radialpoint Security Services with arguments " " in order to run the server: {9997FB0D-4EE6-48EB-8BFE-C278C03C1345}
    06/07/2009 10:06:51 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    05/07/2009 9:09:57 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    02/07/2009 9:45:19 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    01/07/2009 9:34:02 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The system cannot find the file specified.

    ==== End Of File ===========================
     
    frankwebb,
    #4
  6. 2009/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm not familiar with Telus security software. Is it something, which came from your ISP?
    Have you ever had Kaspersky installed?

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes ". If not, update the definitions before scanning by selecting "Check for Updates ". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Click Scan your Computer... button.
    * Click Scanning Preferences/Control Center... button.
    * Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Terminate memory threats before quarantining.
    * Click the Close button to leave the control center screen.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
    Post SUPERAntiSpyware log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
    broni,
    #5
  7. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    Telus Security Program

    It is an antivirus, antispyware program with firewall provided by my ISP
     
    frankwebb,
    #6
  8. 2009/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    .....
     
    broni,
    #7
  9. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    Kaspersky Program

    I have not installed this program.
     
    frankwebb,
    #8
  10. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    Super Antispyware Scan in Safe Mode

    Finished scan. No problems found.
     
    frankwebb,
    #9
  11. 2009/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. I just needed to know.
    Please, proceed to the scans.
     
    broni,
    #10
  12. 2009/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I need logs from every single scan.
     
    broni,
    #11
  13. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:52:34 PM, on 07/07/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TELUS\TELUS security services\Fws.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TELUS\TELUS security services\rps.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\Program Files\TELUS\TELUS security advisor\Tsa.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TELUS\TELUS security advisor\TsaComHandler.exe
    C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\TELUS\TELUS security services\pkR.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Tsa.exe] "C:\Program Files\TELUS\TELUS security advisor\Tsa.exe" /AUTORUN
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\TELUS\TELUS security services\IdxClnR.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\TELUS\TELUS security services\IdxClnR.exe "
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Hog Heaven Slots by pogo - http://game3.pogo.com/v/9.1.4.5/applet/fancy/fancy-en_US.cab
    O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games "“ Hearts) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_hrtz.cab98974.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: TELUS security services (Radialpoint Security Services) - TELUS - C:\Program Files\TELUS\TELUS security services\RpsSecurityAwareR.exe
    O23 - Service: TELUS security services Firewall (RP_FWS) - TELUS - C:\Program Files\TELUS\TELUS security services\Fws.exe

    --
    End of file - 7587 bytes
     
    frankwebb,
    #12
  14. 2009/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, follow all steps (in that order) form my reply #5.
     
    broni,
    #13
  15. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    GMER Log

    GMER 1.0.15.14972 - http://www.gmer.net
    Rootkit scan 2009-07-07 19:32:41
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwClose [0xF6C572A0]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwConnectPort [0xF6C5534E]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcess [0xF6C56FD0]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateProcessEx [0xF6C57140]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSection [0xF6C57E10]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF6C578AE]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwCreateThread [0xF6C587D0]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwDuplicateObject [0xF6C57450]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwLoadDriver [0xF6C54EA0]
    SSDT kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) ZwOpenFile [0xF8353030]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenProcess [0xF6C56DC0]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwOpenSection [0xF6C57C3E]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwQuerySystemInformation [0xF6C58436]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwRequestWaitReplyPort [0xF6C55930]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwResumeThread [0xF6C58740]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetContextThread [0xF6C58B00]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetInformationFile [0xF6C590C0]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSecurityObject [0xF6C53AF0]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSetSystemInformation [0xF6C57A90]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSuspendThread [0xF6C586F0]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwSystemDebugControl [0xF6C551B0]
    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF6D36DF0]
    SSDT \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) ZwWriteVirtualMemory [0xF6C57310]

    Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
    Code \SystemRoot\System32\DRIVERS\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9261 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DC8A9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED2C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254254 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E40B6CB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E40B5FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E40B668 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E40B4CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E40B530 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E40B72E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E40B592 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1840] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED320 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2151D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED2C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E40B6CB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E40B5FD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E40B668 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E40B4CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E40B530 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E40B72E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[2728] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E40B592 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Internet Explorer\iexplore.exe[1840] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1A7B] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
    AttachedDevice \Driver\Tcpip \Device\Ip rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp rp_skt32.sys (Radialpoint Filter/Radialpoint Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7775F2120911FED4E8D4B6F213B3547E\Usage@PDLite 988222688

    ---- EOF - GMER 1.0.15 ----
     
    frankwebb,
    #14
  16. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    Malwarebytes Scan Log

    Malwarebytes' Anti-Malware 1.38
    Database version: 2383
    Windows 5.1.2600 Service Pack 3

    07/07/2009 8:40:51 PM
    mbam-log-2009-07-07 (20-40-46).txt

    Scan type: Quick Scan
    Objects scanned: 84248
    Time elapsed: 7 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ( "%1" /S) -> No action taken.
    HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1 ") -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
    frankwebb,
    #15
  17. 2009/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    "No action taken" in Malwarebytes indicates, you didn't fix anything, or you posted the log from before the fixes.
    Post correct log, or re-run Malwarebytes.
     
    broni,
    #16
  18. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    Pre Fix log

    Malwarebytes Log was before fixes were done. After fixes next scan showed:
    Malwarebytes' Anti-Malware 1.38
    Database version: 2383
    Windows 5.1.2600 Service Pack 3

    07/07/2009 9:27:30 PM
    mbam-log-2009-07-07 (21-27-30).txt

    Scan type: Quick Scan
    Objects scanned: 84606
    Time elapsed: 11 minute(s), 35 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
    frankwebb,
    #17
  19. 2009/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    OK. I need Superantispyware log, and fresh HJT log.
     
    broni,
    #18
  20. 2009/07/07
    frankwebb

    frankwebb Inactive Thread Starter

    Joined:
    2008/06/10
    Messages:
    14
    Likes Received:
    0
    Antispyware Conflicts

    Took 2 days, but finally figured that there was a conflict between the SuperAntiSpyware Free program and my Anti-virus/AntiSpyware program installed program from Telus.
     
    frankwebb,
    #19
  21. 2009/07/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yeah, I don't see any infection here, but I'd like to take a look at final HJT log.
     
    broni,
    #20
Page 1 of 2

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...