
Thread: trojan - malware - crapware

  1. #1
    Junior Member
    Join Date
    Sep 2010
    Posts
    1

    trojan - malware - crapware

    Here we go. About two weeks ago, I contracted malware/scareware/virus/poop. It was a security scam, and I spent about 2 weeks visiting various forums, downloading and using Spybot and Ad-Aware. I thought I was getting somewhere but alas, here I am. Problems still include:

    - unwanted, random second launches of IE to the dumbest places
    - consistent "Microsoft Security Disabled" findings from daily Spybot scan as well as StatCounter. I have tried Secure Shredder on internet cache files, cookies, temp; I have gone into almost everywhere and opened the date created detail, searched for weirdness/entered about 100 exe and dll file names into the search bar to see what is out there. I am growing weary.

    Windows wasn't shutting down (it does now, fine). Windows was super slow opening (it is fine now). I now know tons about cache, regedit, task managers, registries, F8 safe mode, event viewers etc., up from knowing zero 2 weeks ago. I want this crap off of here... need help.

    Requested logs below. Thanks in advance.

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Walkers at 14:16:27.26 on Tue 09/07/2010
    Internet Explorer: 7.0.5730.11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1987 [GMT -4:00]

    AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Walkers\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Bar = hxxp://www.google.com/ie
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.google.com/ig
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
    mRun: [P17Helper] Rundll32 P17.dll,P17Helper
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
    TCP: {8F3E0E31-9994-44AC-9AEF-F7B8D88875E7} = 205.152.144.23,205.152.37.23
    Filter: text/html - {c928d358-c1f6-4b52-baa4-121477af32e3} -
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Notify: igfxcui - igfxdev.dll
    Notify: __c00853E - c:\windows\system32\__c00853E.dat
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
    LSA: Notification Packages = scecli c:\windows\system32\nejupate.dll

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-19 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355416]
    S1 Cdudf;Cdudf;c:\windows\system32\drivers\CDUDF.SYS [2004-11-28 221504]
    S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-12-27 18560]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
    S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2010-2-1 627072]

    =============== Created Last 30 ================

    2010-09-06 14:26:14 0 d--h--w- c:\windows\PIF
    2010-09-03 18:54:00 0 d-----w- c:\program files\Spybot - Search & Destroy
    2010-09-03 18:54:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-09-01 00:47:59 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-19 19:23:54 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-08-19 14:42:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-08-19 14:41:18 0 d-----w- c:\program files\Lavasoft
    2010-08-19 14:13:21 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{ECC164E0-3133-4C70-A831-F08DB2940F70}
    2010-08-18 19:59:32 0 d-----w- c:\windows\PRAGMAirtfnntpqd
    2010-08-09 13:01:57 0 d-----w- c:\windows\7E7D778E121D4BBDBA29FAA81B9FBD8C.TMP

    ==================== Find3M ====================

    2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-23 12:06:51 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
    2010-06-23 12:06:51 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2010-06-21 15:27:11 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 15:12:57 634656 ----a-w- c:\windows\system32\dllcache\iexplore.exe
    2010-06-17 15:11:25 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:45 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
    2008-09-05 12:43:10 13345 ----a-w- c:\program files\common files\tekoliv._dl
    2008-09-05 12:43:10 13209 ----a-w- c:\program files\common files\wahof._dl
    2006-04-06 23:58:11 604 ---ha-w- c:\program files\STLL Notifier
    2005-12-22 18:13:41 498534 --sh--w- c:\windows\system32\pqtwa.bak1
    2006-01-14 15:14:10 461004 --sh--w- c:\windows\system32\pqtwa.bak2
    2008-11-19 01:52:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008111820081119\index.dat

    ============= FINISH: 14:17:58.71 ===============
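A small triage helper for a DDS report like the one above, added here as an example and not part of the original thread or of any forum tool: it flags the entry types a log reviewer checks first (toolbars registered with "No File", Winlogon Notify and LSA packages outside an assumed known-good baseline, and recently created directories under c:\windows with random-looking names). The baseline sets and the consonant-run heuristic are assumptions made for this example; flagged lines are for manual review, not a verdict.

```python
import re

# Constructed sample: lines copied from the DDS report above (Pseudo HJT and
# Created Last 30 sections), embedded so the script runs offline.
SAMPLE_LOG = r"""
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
Notify: igfxcui - igfxdev.dll
Notify: __c00853E - c:\windows\system32\__c00853E.dat
LSA: Notification Packages = scecli c:\windows\system32\nejupate.dll
2010-08-18 19:59:32 0 d-----w- c:\windows\PRAGMAirtfnntpqd
2010-08-19 14:41:18 0 d-----w- c:\program files\Lavasoft
"""

# Assumed known-good baseline for this example (Winlogon Notify subkeys and LSA
# notification packages seen on a clean XP install); extend it from a clean machine.
KNOWN_NOTIFY = {"igfxcui", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_LSA = {"scecli"}

# "Created Last 30" entry for a directory directly under c:\windows.
DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \d+ d\S+ c:\\windows\\([A-Za-z0-9]+)$")
# Heuristic: five consonants in a row is rare in real Windows directory names.
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{5}", re.I)


def review(log_text):
    """Return (category, line) pairs for entries a reviewer would look at first."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if line.startswith("TB:") and line.endswith("No File"):
            findings.append(("orphaned-toolbar", line))  # CLSID registered, DLL gone
        elif line.startswith("Notify:"):
            name = line.split(":", 1)[1].split(" - ")[0].strip()
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(("unknown-winlogon-notify", line))
        elif line.startswith("LSA: Notification Packages"):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() not in KNOWN_LSA]
            if extra:
                findings.append(("extra-lsa-package", line))
        else:
            m = DIR_RE.match(line)
            if m and CONSONANT_RUN.search(m.group(1)):
                findings.append(("random-named-dir", line))
    return findings


if __name__ == "__main__":
    for category, line in review(SAMPLE_LOG):
        print(f"[{category}] {line}")
```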

  2. #2
    Security Expert LDTate
    Join Date
    Oct 2005
    Location
    Missouri, USA
    Posts
    99

    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

    Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.


    Vista and Windows 7 users:
    1. These tools MUST be run from the executable (.exe) every time you run them.
    2. With Admin Rights (Right click, choose "Run as Administrator")


    Stay with this topic until I give you the all clean post.

    You might want to print these instructions out.

    I suggest you do this:

    XP Users

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Uncheck "Hide file extensions for known file types."
    Under the "Hidden files" folder, select "Show hidden files and folders."
    Uncheck "Hide protected operating system files."
    Click Apply, and then click OK.


    Vista Users

    To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

    Close all programs so that you are at your desktop.
    Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

    Click on the Control Panel menu option.
    When the control panel opens you can either be in Classic View or Control Panel Home view:

    If you are in the Classic View do the following:
    Double-click on the Folder Options icon.
    Click on the View tab.


    If you are in the Control Panel Home view do the following:

    Click on the Appearance and Personalization link.
    Click on Show Hidden Files or Folders.
    Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    Remove the checkmark from the checkbox labeled Hide extensions for known file types.
    Remove the checkmark from the checkbox labeled Hide protected operating system files.



    Please do not delete anything unless instructed to.


    We've been seeing some Java infections lately.
    Go here and follow the instructions to clear your Java Cache


    Next:

    Please download ATF Cleaner by Atribune.
    Download - ATF Cleaner»
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.


    It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

    Next:

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Then click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.



    Also please describe how your computer behaves at the moment.


    Please don't attach the scans / logs, use "copy/paste".

  3. #3
    Member of Team Spybot tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955


    walkerc7, as it has been four days or more since your last post, and the helper assisting you posted a response to which you did not reply, your topic will not be re-opened. If you still require help, please start a new topic and include a DDS log with a link to your previous thread.

    Please do not add any logs that might have been requested previously; you would be starting fresh.

    Applies only to the original poster, anyone else with similar problems please start your own topic.

    Thank you LDTate.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
