Solved malware removal help

Discussion in 'Malware and Virus Removal Archive' started by oj0sverdes, 2010/03/09.

  1. 2010/03/09
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    [Resolved] malware removal help

    I would greatly appreciate some help removing suspected malware on my computer. I purchased it off a friend roughly 5 years ago, and as of late it's started to run really, really slow. It was suggested that I try malware removal first before attempting to re-format it. Any help is appreciated.
     
  2. 2010/03/09
    wildfire

    wildfire Getting Old

    Joined:
    2008/04/21
    Messages:
    4,649
    Likes Received:
    124
    I believe I also asked you to read THIS LINK and follow directions ;)

    For the malware analyst, the previous thread is here.

    As indicated at the start of this forum, please *** READ THIS BEFORE POSTING IN THIS FORUM *** then post the requested logs in this thread.

    NOTES:
    When posting the logs ensure word wrap is switched off (in notepad Uncheck Format->Word Wrap) as this makes them difficult to read.

    Be aware that only Malware analysts will advise and they are often busy. Your post will be taken on a first come first served basis but it may take a while before you receive a reply.
     

  4. 2010/03/09
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    DDS (Ver_09-12-01.01) - NTFSx86
    Run by john at 14:06:03.37 on Tue 03/09/2010
    Internet Explorer: 6.0.2600.0000
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.1007.658 [GMT -5:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\Program Files\RegistrySmart\RegistrySmart.exe
    C:\DOCUME~1\john\LOCALS~1\Temp\Setup_build6_1000241(2).exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\john\Desktop\dds(2).scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.steelers.com/
    uSearch Bar = hxxp://safesearch.cyberdefender.com/smallsearch.html
    uURLSearchHooks: H - No File
    uURLSearchHooks: FCToolbarURLSearchHook Class: {9e5c43ed-48da-4692-b3ff-1e9ca33259a0} - c:\program files\pittsburgh steelers toolbar\Helper.dll
    BHO: Freecause Toolbar BHO: {db50c8a1-3319-44f7-9b85-0fc709fe010d} - c:\program files\pittsburgh steelers toolbar\Toolbar.dll
    TB: Pittsburgh Steelers Toolbar: {cde29804-daec-4232-8b4b-21d5ffab4a16} - c:\program files\pittsburgh steelers toolbar\Toolbar.dll
    TB: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - No File
    EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SansaDispatch] c:\documents and settings\john\application data\sandisk\sansa updater\SansaDispatch.exe
    uRun: [RegistrySmart] c:\program files\registrysmart\RegistrySmart.exe -boot
    uRun: [jqjkaerm] c:\documents and settings\john\local settings\application data\bvokbh\bqwksysguard.exe
    uRunOnce: [MCATCH] c:\docume~1\john\locals~1\temp\Setup_build6_1000241(2).exe /cs:1
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [jqjkaerm] c:\documents and settings\john\local settings\application data\bvokbh\bqwksysguard.exe
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\c34e8fi1.default\
    FF - prefs.js: browser.startup.homepage - hxxp://steelers.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://www.yahoo.com/
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    ============= SERVICES / DRIVERS ===============

    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-24 24652]
    S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-3 64160]
    UnknownUnknown CDAVFS;CDAVFS; [x]

    =============== Created Last 30 ================

    2010-03-09 18:55:48 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
    2010-03-09 18:55:48 0 d-----w- c:\program files\Belarc

    ==================== Find3M ====================


    ============= FINISH: 14:06:10.45 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/2/2009 6:39:15 PM
    System Uptime: 3/9/2010 10:08:24 AM (4 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P4VP-MX
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | CPU 1 | 2398/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 66.04 GiB free.
    D: is CDROM ()
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: Universal Serial Bus (USB) Controller
    Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_80A11043&REV_82\3&267A616A&0&83
    Manufacturer: VIA
    Name: Universal Serial Bus (USB) Controller
    PNP Device ID: PCI\VEN_1106&DEV_3104&SUBSYS_80A11043&REV_82\3&267A616A&0&83
    Service:

    ==== System Restore Points ===================

    RP70: 3/9/2010 10:57:50 AM - System Checkpoint

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    AIM 6
    Apple Software Update
    Belarc Advisor 8.1
    Bonjour
    KODAK Gallery Upload Software
    Mozilla Firefox (3.0.11)
    MSXML 6.0 Parser
    Pittsburgh Steelers Toolbar
    RegCure 1.5.2.7
    RegistrySmart
    S3Display
    S3Gamma2
    S3Info2
    S3Overlay
    Safari
    Sansa Updater
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows XP Hotfix - KB842773

    ==== End Of File ===========================
     
  5. 2010/03/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please, uninstall RegistrySmart.
    Registry tools are not recommended, as they don't bring any gains; on the other hand, they can cause serious damage to your computer's integrity.

    I don't see any antivirus program running.
    Please, download and install one of these:

    - Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html

    - free Comodo Internet Security (firewall + AV): http://www.personalfirewall.comodo.com/
    NOTE. During installation, Comodo will also allow you to install AV only, or firewall only, if you prefer to combine one Comodo product with some other product.

    If you decide to install Avast or Avira, make sure Windows firewall is turned on, or use Comodo firewall.
    If you decide to install Comodo Internet Security, or just Comodo firewall, make sure Windows firewall is turned off.

    IMPORTANT! Make sure you use only ONE antivirus and ONE firewall.

    After installation, update the program and run a full scan.

    ===============================================================

    When done....

    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

    ***VERY IMPORTANT! Make sure you update Malwarebytes before running the scans.***


    STEP 1. Download Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When the scan is completed, click the Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 3. Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/03/10
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    Malwarebytes' Anti-Malware 1.44
    Database version: 3845
    Windows 5.1.2600
    Internet Explorer 6.0.2600.0000

    3/10/2010 12:43:40 AM
    mbam-log-2010-03-10 (00-43-40).txt

    Scan type: Quick Scan
    Objects scanned: 128031
    Time elapsed: 4 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrysmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jqjkaerm (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\john\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Delete on reboot.
    C:\Documents and Settings\john\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Delete on reboot.
    C:\Documents and Settings\john\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\john\Application Data\RegistrySmart\Log\2010 Mar 09 - 10_11_00 AM_514.log (Rogue.RegistrySmart) -> Delete on reboot.
    C:\Documents and Settings\john\Application Data\RegistrySmart\Registry Backups\2009-05-29_21-48-17.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-03-10 01:09:22
    Windows 5.1.2600
    Running: l03n7h97.exe; Driver: C:\DOCUME~1\john\LOCALS~1\Temp\axtdypog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF5D52C56]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF5D52B12]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF5D530C6]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF5D52FF0]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF5D526E8]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF5D52BEC]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF5D52628]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF5D5268C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF5D52D0C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF5D53194]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF5D52CCC]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF5D52E4C]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF5D5F4FE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF5D5F322]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF5D5F45C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06]
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 804FC688 4 Bytes [56, 2C, D5, F5] {PUSH ESI; SUB AL, 0xd5; CMC }
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 804FC6C8 4 Bytes [12, 2B, D5, F5] {ADC CH, [EBX]; AAD 0xf5}
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 208 804FC720 4 Bytes [C6, 30, D5, F5]
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 210 804FC728 4 Bytes [F0, 2F, D5, F5]
    .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 21C 804FC734 1 Byte [E8]
    .text ...
    PAGE ntoskrnl.exe!ObInsertObject 80570F3E 5 Bytes JMP F5D5C972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!NtCreateSection 805711D5 7 Bytes JMP F5D5F326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 80580346 7 Bytes JMP F5D5F502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ZwLoadDriver 805A74A9 7 Bytes JMP F5D5F460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntoskrnl.exe!ObMakeTemporaryObject 805B6C56 5 Bytes JMP F5D5B4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF740A5F0]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[668] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00510002
    IAT C:\WINDOWS\system32\services.exe[668] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00510000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- EOF - GMER 1.0.15 ----

    ***The link for step no. 3 was no good; when typed I get "Content Encoding Error

    The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression."
     
  7. 2010/03/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  8. 2010/03/10
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:20:50 AM, on 3/10/2010
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: FCToolbarURLSearchHook Class - {9e5c43ed-48da-4692-b3ff-1e9ca33259a0} - C:\Program Files\Pittsburgh Steelers Toolbar\Helper.dll
    O2 - BHO: FCTBPos00Pos - {DB50C8A1-3319-44F7-9B85-0FC709FE010D} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pittsburgh Steelers Toolbar - {CDE29804-DAEC-4232-8B4B-21D5FFAB4A16} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 3232 bytes
     
  9. 2010/03/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  10. 2010/03/11
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Thursday, March 11, 2010
    Operating system: Microsoft Windows XP Professional (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Thursday, March 11, 2010 07:39:57
    Records in database: 3765136
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 19274
    Threats found: 0
    Infected objects found: 0
    Suspicious objects found: 0
    Scan duration: 00:37:55

    No threats found. Scanned area is clean.

    Selected area has been scanned.
     
  11. 2010/03/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Post fresh HJT log, please.
     
  12. 2010/03/11
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:17:56 PM, on 3/11/2010
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Java\jre6\bin\jucheck.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: FCToolbarURLSearchHook Class - {9e5c43ed-48da-4692-b3ff-1e9ca33259a0} - C:\Program Files\Pittsburgh Steelers Toolbar\Helper.dll
    O2 - BHO: FCTBPos00Pos - {DB50C8A1-3319-44F7-9B85-0FC709FE010D} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pittsburgh Steelers Toolbar - {CDE29804-DAEC-4232-8B4B-21D5FFAB4A16} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 3607 bytes
     
  13. 2010/03/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    =================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    R3 - URLSearchHook: (no name) - - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE


    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
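    The checkmark-and-fix procedure above is done by hand in HijackThis; as an added illustration (not code from the thread or from HijackThis), the script below parses HijackThis-style entries and applies the same triage that the analyst applied: "(no file)" orphans, autoruns launched from a user's Temp or Local Settings folder, the same name registered under both HKLM and HKCU, and the rogue product the MBAM log named. The sample lines are copied from the logs posted earlier in this thread; the jqjkaerm and MCATCH lines are the DDS uRun/uRunOnce entries rewritten in HijackThis O4 form (a constructed rendering) so one parser covers them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample entries copied from the HijackThis and DDS logs posted in this thread.
# The jqjkaerm and MCATCH lines are the DDS uRun/uRunOnce entries rewritten in
# HijackThis "O4" form (a constructed rendering) so that one parser covers them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: FCTBPos00Pos - {DB50C8A1-3319-44F7-9B85-0FC709FE010D} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [jqjkaerm] c:\documents and settings\john\local settings\application data\bvokbh\bqwksysguard.exe
O4 - HKCU\..\Run: [jqjkaerm] c:\documents and settings\john\local settings\application data\bvokbh\bqwksysguard.exe
O4 - HKCU\..\RunOnce: [MCATCH] c:\docume~1\john\locals~1\temp\Setup_build6_1000241(2).exe /cs:1
O4 - HKCU\..\Run: [RegistrySmart] c:\program files\registrysmart\RegistrySmart.exe -boot
"""

REASONS = {
    "no-file": "entry points at a file that no longer exists (orphaned hook or BHO)",
    "temp-dir": "executable launched from a per-user Temp or Local Settings folder",
    "dual-hive": "same autorun name registered under both HKLM and HKCU Run keys",
    "known-rogue": "name matches a rogue product identified by the MBAM log in this thread",
}

# Folders legitimate autoruns almost never live in (long and 8.3 spellings).
USER_TEMP_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\locals~1\\temp\\",
)
# Taken from the MBAM detection names in this thread (Rogue.RegistrySmart).
KNOWN_ROGUE = ("registrysmart",)


@dataclass
class Entry:
    kind: str    # HijackThis section code: R1, R3, O2, O3, O4, ...
    hive: str    # HKLM / HKCU for O4 lines, "" otherwise
    name: str    # bracketed autorun name, or the label before the first " - "
    target: str  # file path (plus arguments) or URL the entry points at
    raw: str


O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
GENERIC_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def parse_line(line):
    """Turn one HijackThis log line into an Entry, or None for non-entry lines."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        hive, _key, name, target = m.groups()
        return Entry("O4", hive, name, target, line)
    m = GENERIC_RE.match(line)
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("R0", "R1"):                  # "key,value = data"
        name, _, target = rest.partition(" = ")
    else:                                     # "label - {CLSID} - path"
        parts = [p.strip() for p in rest.split(" - ")]
        name, target = parts[0], parts[-1]
    return Entry(kind, "", name, target, line)


def triage(lines):
    """Return (Entry, reason_code) pairs for every entry that deserves a second look."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    hives = defaultdict(set)                  # autorun name -> hives it appears in
    for e in entries:
        if e.kind == "O4":
            hives[e.name.lower()].add(e.hive)
    findings = []
    for e in entries:
        target = e.target.lower()
        if "no file" in target:
            findings.append((e, "no-file"))
        if any(d in target for d in USER_TEMP_DIRS):
            findings.append((e, "temp-dir"))
        if e.kind == "O4" and len(hives[e.name.lower()]) > 1:
            findings.append((e, "dual-hive"))
        if any(r in e.name.lower() or r in target for r in KNOWN_ROGUE):
            findings.append((e, "known-rogue"))
    return findings


def summarize(lines):
    """Map each flagged entry name to the sorted reason codes it triggered."""
    summary = defaultdict(set)
    for entry, code in triage(lines):
        summary[entry.name].add(code)
    return {name: sorted(codes) for name, codes in summary.items()}


if __name__ == "__main__":
    for name, codes in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: " + "; ".join(REASONS[c] for c in codes))
```

Entries the script leaves unflagged (Ad-Watch, the Steelers toolbar BHO) are exactly the ones that still need a human decision, as the thread shows with Viewpoint and the SoundMan startup.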
  14. 2010/03/11
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:53:51 PM, on 3/11/2010
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: FCTBPos00Pos - {DB50C8A1-3319-44F7-9B85-0FC709FE010D} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pittsburgh Steelers Toolbar - {CDE29804-DAEC-4232-8B4B-21D5FFAB4A16} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 3170 bytes
     
  15. 2010/03/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Try one more time to checkmark and fix the following entry:
    R3 - URLSearchHook: (no name) - - (no file)
    Post fresh HJT log.
     
  16. 2010/03/11
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:19:16 AM, on 3/12/2010
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
    O2 - BHO: FCTBPos00Pos - {DB50C8A1-3319-44F7-9B85-0FC709FE010D} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Pittsburgh Steelers Toolbar - {CDE29804-DAEC-4232-8B4B-21D5FFAB4A16} - C:\Program Files\Pittsburgh Steelers Toolbar\Toolbar.dll
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\john\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 3053 bytes
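As an added example (not part of the thread and not HijackThis code), here is a small Python triage helper that parses HJT entry lines, flags "(no file)" leftovers such as the R3 URLSearchHook entry broni asked to have fixed, and diffs two logs from the same machine to confirm that a "Fix checked" run removed only what was intended. The two sample logs are constructed excerpts modelled on the logs posted above.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re

# An HJT entry starts with a section code (R0-R3, F0-F3, O1-O24), then " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Constructed excerpt of the log posted before the R3 entry was fixed.
BEFORE_FIX = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed excerpt of the log posted after "Fix checked" and a reboot.
AFTER_FIX = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.steelers.com/
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def parse_entries(log_text):
    """Return (section, detail) tuples for every HJT entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphaned_entries(log_text):
    """Entries whose target file is gone; HJT prints '(no file)' for these.
    They are leftovers from a removed program or earlier clean-up and are
    normally fixed so the registry no longer points at a missing module."""
    return [(s, d) for s, d in parse_entries(log_text) if "(no file)" in d]


def diff_logs(before, after):
    """Return (removed, added) entries between two logs from the same host,
    so the effect of a fix can be checked against what was checkmarked."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    print("orphaned before fix:", orphaned_entries(BEFORE_FIX))
    print("orphaned after fix: ", orphaned_entries(AFTER_FIX))
    removed, added = diff_logs(BEFORE_FIX, AFTER_FIX)
    print("removed:", removed)
    print("added:  ", added)
```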
     
  17. 2010/03/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  18. 2010/03/12
    oj0sverdes

    oj0sverdes Inactive Thread Starter

    Joined:
    2006/12/07
    Messages:
    69
    Likes Received:
    0
    Thanks! Computer is working better than when I got it from my pal... should I delete the programs I downloaded onto my desktop (HijackThis, Malwarebytes, etc. etc.) or leave them there for future use? (Hopefully there won't be a need.) Thanks again!
     
  19. 2010/03/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very good :)
    Keep Malwarebytes and run occasional scans.
    Run TFC weekly.
    All others can go.

    Happy surfing :)
     