mamin

Members
Posts: 3
  1. I was able to fix this issue by running the ComboFix fix process. No other software was able to remove the spyware on my computer other than ComboFix. ComboFix rocks!
  2. Hi, I have done the following so far, using the process in the link http://www.malwarebytes.org/forums/index.php?showtopic=9573
     1) I was able to disable the option using Defogger.
     2) Ran DDS. See the attached file attach.zip. It has only the attach.txt file, since step 3 failed.
     3) Tried to run the GMER Rootkit Scanner, but the computer restarts before the scan is completed, so I was not able to get the ARK.txt file.
     Please help: how do I run the GMER Rootkit Scanner successfully so I can attach this file as well?
     Please see the content of the DDS.txt file here:

     ********************************************************************************
     DDS (Ver_09-12-01.01) - NTFSx86
     Run by mamin at 22:03:30.75 on Tue 01/12/2010
     Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1286 [GMT -5:00]

     AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

     ============== Running Processes ===============
     C:\WINDOWS\system32\svchost -k DcomLaunch
     svchost.exe
     C:\Program Files\Windows Defender\MsMpEng.exe
     C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     C:\Program Files\AVG\AVG9\avgchsvx.exe
     C:\Program Files\AVG\AVG9\avgrsx.exe
     C:\Program Files\AVG\AVG9\avgcsrvx.exe
     C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     C:\WINDOWS\system32\svchost.exe -k netsvcs
     svchost.exe
     svchost.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
     C:\Program Files\AVG\AVG9\avgwdsvc.exe
     C:\WINDOWS\eHome\ehRecvr.exe
     C:\WINDOWS\eHome\ehSched.exe
     C:\Program Files\AVG\AVG9\avgnsx.exe
     C:\WINDOWS\System32\svchost.exe -k HTTPFilter
     C:\WINDOWS\system32\inetsrv\inetinfo.exe
     C:\Program Files\Java\jre6\bin\jqs.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
     C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     svchost.exe
     C:\WINDOWS\system32\svchost.exe -k imgsvc
     C:\WINDOWS\system32\dllhost.exe
     C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
     C:\WINDOWS\system32\wuauclt.exe
     C:\WINDOWS\system32\dllhost.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\igfxpers.exe
     C:\Program Files\Apoint\Apoint.exe
     C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
     C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
     C:\PROGRA~1\AVG\AVG9\avgtray.exe
     C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\system32\rundll32.exe
     C:\Program Files\Apoint\Apntex.exe
     C:\Documents and Settings\mamin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
     C:\Program Files\Internet Explorer\iexplore.exe
     C:\Documents and Settings\mamin\Desktop\dds.scr

     ============== Pseudo HJT Report ===============
     uStart Page = hxxp://us.f557.mail.yahoo.com/ym/login?.rand=16l9o3punbe7s
     uSearch Page = hxxp://www.google.com
     uSearch Bar = hxxp://www.google.com/ie
     uInternet Connection Wizard,ShellNext = iexplore
     uInternet Settings,ProxyOverride = *.local
     uInternet Settings,ProxyServer = localhost:9999
     uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
     BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
     BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
     BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
     BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
     BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: {DD3D8853-1593-3306-A18E-9640091A624E} - No File
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
     TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
     TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
     TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
     TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
     TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
     EB: iOpus iMacros: {0483894e-2422-45e0-8384-021aff1af3cd} - c:\program files\imacros\imacros.dll
     EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     uRun: [mapp2pruntime] rundll32.exe "c:\documents and settings\mamin\local settings\application data\mapp2pruntime\mapp2pruntime.dll", DllInit
     uRunOnce: [shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; iOpus-Web-Automation; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/world-soccer/en/"
     mRun: [igfxtray] c:\windows\system32\igfxtray.exe
     mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
     mRun: [igfxpers] c:\windows\system32\igfxpers.exe
     mRun: [Apoint] c:\program files\apoint\Apoint.exe
     mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
     mRun: [sonyPowerCfg] "c:\program files\sony\vaio power management\SPMgr.exe"
     mRun: [switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
     mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
     mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
     IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
     IE: {0483894E-2422-45E0-8384-021AFF1AF3CD} - {0483894E-2422-45E0-8384-021AFF1AF3CD} - c:\program files\imacros\imacros.dll
     IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
     IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
     Trusted Zone: bayer.com\ctxnfpgh
     Trusted Zone: bayer.com\nfusepitt.pitts
     Trusted Zone: boingo.com\my
     Trusted Zone: bwcinema.com\www
     Trusted Zone: chase.com\banking
     Trusted Zone: chase.com\chaseonline
     Trusted Zone: chase.com\www
     Trusted Zone: payrollapp.com
     Trusted Zone: payrollapp2.com
     Trusted Zone: toyscamp.com\www
     Trusted Zone: yahoo.com\us.mg2.mail
     DPF: RemotePrintControlCab - hxxps://payrollapp.com/@57128e25-bfc9-4da2-9796-f1b16cc899b9/checkprintingassistant/RemotePrintControlCab.CAB
     DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
     DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1205516291484
     DPF: {70E6CD54-8979-4977-9321-48DA55439F6C} - hxxp://support.persits.com/xupload/XUpload.ocx
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
     DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
     DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://support.persits.com/xupload/XUpload.ocx
     Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
     Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2007\HelpAsyncPluggableProtocol.dll
     Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
     Notify: avgrsstarter - avgrsstx.dll
     Notify: igfxcui - igfxdev.dll
     Notify: VESWinlogon - VESWinlogon.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
     mASetup: Nitro PDF Professional - cscript //B "c:\program files\nitro pdf\professional\RemoveOldAddins.vbs"

     ================= FIREFOX ===================
     FF - ProfilePath - c:\docume~1\mamin\applic~1\mozilla\firefox\profiles\qdkqam18.default\
     FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
     FF - component: c:\documents and settings\mamin\application data\mozilla\firefox\profiles\qdkqam18.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
     FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
     FF - plugin: c:\documents and settings\mamin\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
     FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
     FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
     FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

     ---- FIREFOX POLICIES ----
     c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

     ============= SERVICES / DRIVERS ===============
     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-9 64288]
     R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-18 333192]
     R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-3-11 28424]
     R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-12 360584]
     R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-12 285392]
     R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-8 236368]
     R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
     R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
     R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-8 19160]
     R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-9-1 226304]
     S0 wnwckh;wnwckh;c:\windows\system32\drivers\bdqyg.sys --> c:\windows\system32\drivers\bdqyg.sys [?]
     S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
     S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2006-9-1 5120]
     S3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1562096]
     S3 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home\tomtom home\TomTomHOMEService.exe [2009-4-8 92008]
     S3 WinIP;WinIP;c:\program files\algenta\winip 4\winipservice.exe --> c:\program files\algenta\winip 4\WinIPservice.exe [?]
     S4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2007-12-13 50984]
     S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2008-3-11 1251720]

     =============== Created Last 30 ================
     2010-01-11 00:25:53 0 ----a-w- c:\documents and settings\mamin\defogger_reenable
     2010-01-09 22:24:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
     2010-01-09 20:37:06 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
     2010-01-09 20:35:23 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
     2010-01-09 20:34:53 0 d-----w- c:\program files\Lavasoft
     2010-01-09 04:51:23 0 d-----w- c:\docume~1\mamin\applic~1\Malwarebytes
     2010-01-09 04:51:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-01-09 04:51:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
     2010-01-09 04:51:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2010-01-09 04:51:11 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
     2010-01-09 04:43:55 195456 ------w- c:\windows\system32\MpSigStub.exe
     2010-01-08 02:56:38 0 d-----w- c:\program files\TrendMicro

     ==================== Find3M ====================
     2009-12-05 14:45:49 70984 ----a-w- c:\documents and settings\mamin\g2mdlhlpx.exe
     2009-11-12 06:01:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll
     2009-11-02 01:04:22 1022488 ----a-w- c:\windows\dbplugin.exe
     2009-10-29 07:45:38 916480 ----a-w- c:\windows\system32\wininet.dll
     2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
     2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

     ============= FINISH: 22:05:45.73 ===============
     ********************************************************************************

     PLEASE SEE THE MALWAREBYTES LOG FILE HERE

     ********************************************************************************
     Malwarebytes' Anti-Malware 1.44
     Database version: 3552
     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     1/12/2010 9:36:14 PM
     mbam-log-2010-01-12 (21-36-14).txt

     Scan type: Quick Scan
     Objects scanned: 129369
     Time elapsed: 8 minute(s), 22 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 1
     Registry Data Items Infected: 10
     Folders Infected: 0
     Files Infected: 4

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     (No malicious items detected)

     Registry Values Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     C:\WINDOWS\system32\winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\Documents and Settings\mamin\Local Settings\Temp\bLVb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     C:\Documents and Settings\mamin\Local Settings\Temp\iVhK.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     C:\Documents and Settings\mamin\Local Settings\Temp\RBgP.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
     ********************************************************************************

     Please help: how can I completely remove the malware from my computer? No software is catching the existing malware. Every time I do a Google search, the link redirects to something other than what it is supposed to.
     Attach.zip
  3. Hi, I have the latest Malwarebytes installed, but it is still not recognizing the existing spyware on my computer. Whenever I visit any site, it shows a balloon message that the IP address xx.xx.xx.xxx is blocked. This is happening every minute, which means that some spyware is trying to interrupt my computer. If I disable Malwarebytes, go to google.com and do any search, then click on a search result, it takes me to a different site than it should. It means that some type of spyware still exists. I did run a full scan using Malwarebytes and it removed some spyware, but not all. I did reboot the computer as well. Please, please help on how I can clean up my computer. There has to be a way to remove these crooks.
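The DDS and Malwarebytes output in the second post above lists several startup and network locations that a responder would re-check by hand once a cleaner has finished: the Winlogon Userinit value (Malwarebytes reported winlogon32.exe in place of userinit.exe), the Internet Explorer ProxyServer setting pointing at localhost:9999, a uRun entry loading a DLL via rundll32 from the user's Local Settings\Application Data folder, and two services whose binaries DDS could not read (the boot-start driver S0 wnwckh and S3 WinIP, both marked [?]). The Python script below is an added example, not part of the original thread and not code from the DDS or Malwarebytes tools. It runs those checks over a constructed sample made of lines copied in DDS format from the posted report; the rule names and severity levels are this example's own assumptions. A flag means "look at this", not a malware verdict: a loopback proxy can also be a legitimate local filter, and a [?] service can be a leftover from uninstalled software.

```python
"""Added triage helper (not from the thread): flags startup, proxy and driver
entries in DDS-style report lines and checks a Winlogon Userinit value against
the Windows XP default."""
import re

# Constructed sample: lines copied in the DDS report format from the report posted
# above (paths abbreviated as DDS prints them). Not the full log.
SAMPLE_DDS = (
    "uInternet Settings,ProxyServer = localhost:9999\n"
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe\n"
    "uRun: [mapp2pruntime] rundll32.exe \"c:\\documents and settings\\mamin\\local settings"
    "\\application data\\mapp2pruntime\\mapp2pruntime.dll\", DllInit\n"
    "BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File\n"
    "R2 MBAMService;MBAMService;c:\\program files\\malwarebytes' anti-malware\\mbamservice.exe [2010-1-8 236368]\n"
    "S0 wnwckh;wnwckh;c:\\windows\\system32\\drivers\\bdqyg.sys --> c:\\windows\\system32\\drivers\\bdqyg.sys [?]\n"
    "S3 WinIP;WinIP;c:\\program files\\algenta\\winip 4\\winipservice.exe --> c:\\program files\\algenta\\winip 4\\WinIPservice.exe [?]\n"
)

# Stock Userinit on XP is "C:\WINDOWS\system32\userinit.exe," (trailing comma included).
# The Malwarebytes log above reports the bare name as the "Good" value, so accept both.
USERINIT_OK = re.compile(r"^(?:[a-z]:\\windows\\system32\\)?userinit\.exe$", re.I)

# A proxy on the loopback interface means a local process sits between the browser
# and the network; legitimate local filters exist, so confirm which process listens.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:localhost|127\.\d+\.\d+\.\d+)(?::\d+)?\s*$", re.I)

# Per-user writable folders from which an autorun DLL is unusual for installed software.
WRITABLE_MARKERS = ("\\local settings\\application data\\", "\\local settings\\temp\\")

# DDS service/driver lines start with the start type: R = running, S = stopped, 0-4.
SERVICE_LINE = re.compile(r"^([RS][0-4])\s")


def check_userinit(value):
    """Return the comma-separated Userinit entries that are not the stock userinit.exe.
    Every entry in this value runs at interactive logon, before the shell starts."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not USERINIT_OK.match(e)]


def triage_dds(report):
    """Scan DDS report lines; return (severity, rule, line) tuples for entries worth a look.
    Severity levels are an assumption of this example, not something DDS emits."""
    findings = []
    for line in report.splitlines():
        low = line.lower()
        svc = SERVICE_LINE.match(line)
        if LOOPBACK_PROXY.search(line):
            findings.append(("high", "ie_proxy_loopback", line))
        elif (low.startswith(("urun", "mrun")) and "rundll32" in low
              and any(m in low for m in WRITABLE_MARKERS)):
            findings.append(("high", "autorun_dll_from_profile", line))
        elif svc and line.rstrip().endswith("[?]"):
            # DDS prints [?] when it cannot stat the service binary. For a boot- or
            # system-start driver (R0/S0, R1/S1) that is the first thing to resolve.
            sev = "high" if svc.group(1) in ("R0", "S0", "R1", "S1") else "medium"
            findings.append((sev, "service_file_unreadable", line))
        elif low.endswith("- no file"):
            # Registration pointing at a deleted file: usually a leftover, low priority.
            findings.append(("info", "orphaned_registration", line))
    return findings


if __name__ == "__main__":
    for sev, rule, line in triage_dds(SAMPLE_DDS):
        print(f"[{sev:6}] {rule:26} {line}")
    # The Userinit data Malwarebytes reported in the thread before restoring the default.
    print("Userinit extras:", check_userinit("C:\\WINDOWS\\system32\\winlogon32.exe"))
```

On a live XP machine the two values the script reasons about can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit` and `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer`, and `netstat -ano | findstr :9999` shows which process ID owns the loopback proxy port so it can be matched against the running-process list in the report.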