Need help removing a virus, HijackThis log included



angstd
2010-04-09, 09:45
Running Windows 7

What's happening:
While browsing the web, several things all of a sudden ran on my computer:
* Something called Windows Defender Pro came up (it may have been called Windows Defender Pro 2). It runs some sort of "scan".
* The Action Center popped up and showed that all of my items were disabled. I closed it and tried to get to the Action Center through the Control Panel and it would not let me. It would also not let me bring up Windows Defender or Windows Update settings.
* A message came up saying that there were new Windows updates available.
* The task bar had a little indicator saying that a problem was detected.
* Different programs started closing.
* Browsers came up with different web pages.

These same things happen whenever I boot into windows.

None of the issues occurred in safe mode. In safe mode with networking, I downloaded Spybot and Ad-Aware, and tried to run a Trend Micro scan. When trying to get updates for Spybot and Trend Micro, the programs throw an error saying that they failed to download the files. Ad-Aware would not install.


Other notes:
* There were several unknown programs set to run at boot when I looked in the registry. One of the things I removed was an entry that ran notepad.exe with a DLL called "ntload.dll". I deleted this item. Now when I boot into Windows, it says it fails to load the DLL. Web searches show the file is malicious.
* Some file called MSOECLSR.dll was created at about the time the shit hit the fan. It was located in the system32 directory. I deleted it.
* I disabled every startup program from msconfig, Spybot's list, and the registry startup Run location.

I ran Hijackthis in safe mode and got the following log. Any help would be very much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:09 AM, on 4/9/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\regedit.exe
C:\Windows\system32\config\systemprofile\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\Windows\system32\qiesp24.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\Windows\system32\qiesp24.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Freecorder Toolbar - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - C:\Program Files\Freecorder\tbFree.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - Global Startup: HP Button Manager.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O13 - Gopher Prefix:
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C9B6304-47DD-4836-B2CB-01A39D2D48A6}: NameServer = 93.188.162.190,93.188.161.156
O17 - HKLM\System\CCS\Services\Tcpip\..\{666DB196-6687-434D-AA05-C3E23A2E804A}: NameServer = 93.188.162.190,93.188.161.156
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBFE25F0-E274-4FF4-ABE2-DB1F1B97EE84}: NameServer = 93.188.162.190,93.188.161.156
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD645012-AD19-4812-A68A-8FB9C0453992}: NameServer = 93.188.162.190,93.188.161.156
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.190,93.188.161.156
O17 - HKLM\System\CS1\Services\Tcpip\..\{5C9B6304-47DD-4836-B2CB-01A39D2D48A6}: NameServer = 93.188.162.190,93.188.161.156
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.190,93.188.161.156
O17 - HKLM\System\CS2\Services\Tcpip\..\{5C9B6304-47DD-4836-B2CB-01A39D2D48A6}: NameServer = 93.188.162.190,93.188.161.156
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.190,93.188.161.156
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AB - Unknown owner - C:\Users\angstd\AppData\Local\Temp\AB.exe (file missing)
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: ATYWIPLMSLODGK - Unknown owner - C:\Users\angstd\AppData\Local\Temp\ATYWIPLMSLODGK.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\Windows\System32\LEXBCES.EXE
O23 - Service: MVIN - Unknown owner - C:\Users\angstd\AppData\Local\Temp\MVIN.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TIVRDI - Unknown owner - C:\Users\angstd\AppData\Local\Temp\TIVRDI.exe (file missing)
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 6954 bytes

My computer has also gotten 2 BSODs while in safe mode.
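Added example (not from the thread or from HijackThis itself): a small Python triage script that reads HijackThis lines like those in the log above and flags the entries a responder would check first: O17 NameServer values outside an expected list, O23 services whose binary is missing or sits under Temp, and O2 BHOs that report no friendly name and load from system32. The sample lines are copied from the log above; the trusted-DNS set is a hypothetical value.

```python
import re

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\Windows\system32\qiesp24.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\Windows\system32\qiesp24.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.190,93.188.161.156
O23 - Service: AB - Unknown owner - C:\Users\angstd\AppData\Local\Temp\AB.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: MVIN - Unknown owner - C:\Users\angstd\AppData\Local\Temp\MVIN.exe (file missing)
"""

# Resolvers the machine is expected to use (hypothetical value for the demo);
# anything else hard-coded under Tcpip\Parameters deserves a look.
TRUSTED_DNS = {"192.168.1.1"}


def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Return (code, reason, detail) tuples for HijackThis lines worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        # HijackThis separates fields with " - ", but paths may contain it too
        # (e.g. "Spybot - Search & Destroy"), so split only the first three
        # separators and keep the remainder intact as the path.
        parts = [p.strip() for p in line.split(" - ", 3)]
        code = parts[0]
        if code == "O17":
            m = re.search(r"NameServer = (.+)$", line)
            servers = [s.strip() for s in m.group(1).split(",")] if m else []
            unknown = [s for s in servers if s not in trusted_dns]
            if unknown:
                findings.append((code, "unexpected DNS server", ", ".join(unknown)))
        elif code == "O23" and len(parts) == 4:
            path = parts[3]
            if "(file missing)" in path or "\\temp\\" in path.lower():
                findings.append((code, "service in Temp or binary missing", parts[1]))
        elif code == "O2" and len(parts) == 4:
            name = parts[1][4:].strip() if parts[1].startswith("BHO:") else parts[1]
            path = parts[3]
            # A BHO with no friendly name (name == path) loading from system32
            # is exactly how the qiesp24.dll entry in the log above looks.
            if name.lower() == path.lower() and "\\system32\\" in path.lower():
                findings.append((code, "unnamed BHO in system32", path))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:4} {reason:36} {detail}")
```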

Blade81
2010-04-14, 12:17
Hi,

Download DDS and save it to your desktop from here (http://download.bleepingcomputer.com/sUBs/dds.com) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.


---


Download GMER (http://www.gmer.net) here by clicking the "Download EXE" button and then saving it to your desktop.
Double-click the .exe that you downloaded.
Click the Rootkit tab, unselect the "Files" option and then scan.
Don't check the "Show All" box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.