Windows Security Redirect Malware Cannot Be Removed by Spybot

2010-06-24, 15:10

I read your instructions in the sticky post in this forum and have followed them exactly with no problems thus far in executing your instructions. I am now posting my dds file here for you. Spybot cannot remove my problems and it does not fully immunize.

The problem that I am having is exactly what is described by this person in this post: http://forums.spybot.info/showthread.php?p=366956#post366956

Thank you,
DuBose Griffin

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 7:55:15.85 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2480 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Security Master AV *On-access scanning enabled* (Outdated) {42F410EA-CCDD-4AA3-90EA-520F48CBD65D}
FW: Security Master AV *enabled* {D3CE8C0E-407E-419F-A1C7-D17A9D98F44F}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mPolicies-system: EnableLUA = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
TCP: NameServer =,
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 4-open-davinci.com
Hosts: securitysoftwarepayments.com
Hosts: privatesecuredpayments.com
Hosts: secure.privatesecuredpayments.com
Hosts: getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-6-23 218592]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2003-6-21 164048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2003-6-21 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2003-6-21 40384]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-6-23 112592]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2007-6-11 99248]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2009-4-24 576024]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2003-6-21 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2003-6-21 40384]
S2 gupdate1c9eef5f6d7680;Google Update Service (gupdate1c9eef5f6d7680);c:\program files\google\update\GoogleUpdate.exe [2009-6-16 133104]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-6-23 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-6-23 1142224]

=============== Created Last 30 ================

2010-06-24 02:38:37 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-06-24 02:38:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 02:38:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-24 02:38:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-24 02:38:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 02:22:37 882 ----a-w- c:\windows\RegSDImport.xml
2010-06-24 02:22:37 879 ----a-w- c:\windows\RegISSImport.xml
2010-06-24 02:22:37 767952 ----a-w- c:\windows\BDTSupport.dll
2010-06-24 02:22:37 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-06-24 02:22:37 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-06-24 02:22:37 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-06-24 02:22:37 131 ----a-w- c:\windows\IDB.zip
2010-06-24 02:22:37 1152444 ----a-w- c:\windows\UDB.zip
2010-06-24 02:14:54 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-06-24 02:14:54 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-06-24 02:14:47 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-06-24 02:14:47 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-06-24 02:14:47 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-06-24 02:14:47 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-06-24 02:14:39 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-06-24 02:14:39 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-06-24 02:14:23 0 d-----w- c:\program files\Spyware Doctor
2010-06-24 02:14:23 0 d-----w- c:\program files\common files\PC Tools
2010-06-24 02:14:23 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-06-24 02:14:23 0 d-----w- c:\docume~1\admini~1\applic~1\PC Tools
2010-06-24 01:45:30 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-06-24 01:44:40 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-24 01:44:04 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-22 03:55:16 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-22 03:55:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-06-22 03:50:23 0 d-----w- C:\logs
2010-06-22 02:23:11 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-06 08:52:46 2462720 ------w- c:\windows\system32\dllcache\WMVCore.dll
2010-03-31 04:16:34 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 04:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2003-06-18 12:24:39 94720 --sha-r- c:\windows\system32\lsasrvh.dll

============= FINISH: 7:56:08.89 ===============
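A small triage script for a DDS log like the one above, added here as an example; it is not part of the original post and not DDS's own logic. It flags the indicators a helper looks at first in a redirect/rogue-AV case: non-default HOSTS entries, an outdated or second on-access AV, orphaned "No File" registry entries, EnableLUA = 0, and hidden+system files in system32. The rules are assumed heuristics and the sample input is an excerpt of the log posted above.

```python
import re

# Excerpt of the DDS log posted in this thread (trimmed to the lines the rules use).
DDS_EXCERPT = """\
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Security Master AV *On-access scanning enabled* (Outdated) {42F410EA-CCDD-4AA3-90EA-520F48CBD65D}
uURLSearchHooks: H - No File
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
mPolicies-system: EnableLUA = 0 (0x0)
Hosts: 4-open-davinci.com
Hosts: securitysoftwarepayments.com
Hosts: getantivirusplusnow.com
2003-06-18 12:24:39 94720 --sha-r- c:\\windows\\system32\\lsasrvh.dll
"""

def triage_dds(text):
    """Return (severity, reason, line) findings for a DDS log.

    Assumed heuristics (not DDS's own logic); every finding carries its
    reason so the helper reading the log can judge it.
    """
    findings = []
    on_access_av = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("AV:", "FW:")):
            # Product name sits between "AV: " and the first "*status*" marker.
            product = line.split(":", 1)[1].split("*", 1)[0].strip()
            if "(Outdated)" in line:
                findings.append(("high", "security product reports outdated definitions", line))
            if line.startswith("AV:") and "On-access scanning enabled" in line:
                on_access_av.append(product)
        elif line.startswith("Hosts:"):
            findings.append(("high", "non-default HOSTS entry (domain redirected)", line))
        elif line.endswith("- No File"):
            findings.append(("low", "orphaned registry entry, file missing", line))
        elif re.match(r"mPolicies-system:\s*EnableLUA\s*=\s*0\b", line):
            findings.append(("medium", "EnableLUA policy set to 0", line))
        elif re.search(r"\s--sha-r-\s+c:\\windows\\system32\\", line, re.I):
            findings.append(("medium", "hidden+system+read-only file in system32", line))
    if len(set(on_access_av)) > 1:
        findings.append(("medium", "more than one on-access AV enabled: " + ", ".join(on_access_av), ""))
    return findings

if __name__ == "__main__":
    for severity, reason, line in triage_dds(DDS_EXCERPT):
        print(f"[{severity:6}] {reason}: {line}")
```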

2010-06-27, 19:37
Hi and welcome to Safer Networking Forums. Sorry for the delay in answering your request for help; the forum is really busy.
My name is Cypher, and I will be helping you with your malware problems.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Read Back up your files (http://windows.microsoft.com/en-us/windows7/Back-up-your-files)

Please note the following important guidelines.

The instructions being given are for YOUR computer and system only!
Using these instructions on a different computer can damage that computer and possibly make it inoperable!
If you don't know or understand something, please don't hesitate to ask.
Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
Absence of symptoms does not mean that everything is clear.
Please DO NOT run any other tools or scans whilst I am helping you.
Please DO NOT install any other software (or hardware) during the cleaning process.
Print each set of instructions... if possible...your Internet connection will not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
The logs from the tools we use can take some time to research so please be patient.

If you haven't done so already, please read this topic READ this Procedure BEFORE Requesting Assistance (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Malwarebytes Anti-Malware:

Launch the application, Check for Updates >> Perform Quick Scan.
When the scan is complete, click OK, then Show Results to view the results.
Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


RSIT (Random's System Information Tool)

Please download RSIT (http://images.malwareremoval.com/random/RSIT.exe) by random/random... and save it to your desktop.

Double click on RSIT.exe to run it.
Please read the disclaimer, then click on Continue.
RSIT will start running. When done, 2 log files will be produced.
The first one, "log.txt", will be maximized.
The second one, "info.txt", will be minimized.
Please post the contents of both "log.txt" and "info.txt" in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)

Logs/Information to Post in your Next Reply

Malwarebytes log.
RSIT log.txt and info.txt contents.
Please give me an update on your computer's performance.

2010-06-29, 18:10
Hi do you still need help?

2010-06-30, 20:00
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to which you did not reply, your thread will not be re-opened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested previously, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send your helper a private message (pm). A valid, working link to the closed topic is required.