
Thread: My PC is surfing the web without me :D

  1. #1
    Member
    Join Date
    May 2009
    Posts
    40

    My PC is surfing the web without me :D

    Last week, after scanning and removal of malware acquired a few days earlier (with MBAM and Spybot S&D), and neither program was identifying any more threats, I performed a "final" scan using MBAM (just to be sure). During that scan, I noticed that MBAM was scanning a large number of files in the sub-folders of "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\...". I had never noticed this location before and thought it strange that so many trash files would be there (esp. after using CCleaner). So, I opened "My Computer" and watched as new files appeared in the sub-folders of "C:\Documents and Settings\NetworkService\...", the types of files one would expect to see if one was surfing the web. Yet, I did not have a browser open.

    Despite what Microsoft Support told me (that this was normal and not to be worried about)...
    ... I still feel that my PC is too young to surf the web on his own.

    Thanks for your help.

    Below is the DDS:
    -------------------------------------------------------------

    DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
    Run by Dana at 4:57:57.14 on Sat 02/19/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.93 [GMT -7:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\downloads\TCPView\Tcpview.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Dana\Local Settings\Temporary Internet Files\Content.IE5\YAJTCQ7Y\dds[1].scr

    ============== Pseudo HJT Report ===============

    uSearch Page =
    uSearch Bar =
    uStart Page = hxxp://google.com/
    BHO: AutorunsDisabled - No File
    BHO: Yahoo! IE Suggest - No File
    BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} -
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    StartupFolder: c:\docume~1\dana\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {59A861EE-32B3-42cd-8CCA-FC130EDF3A44}
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
    IE: {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - c:\program files\ultimatebet\UltimateBet.exe
    IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://ra.qwest.com/sdccommon/download/tgctlcm.cab
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
    DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
    DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.napster.com/client/setup.exe
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
    DPF: {63FA0A10-5AA8-449F-9C5B-C8853F697405} - hxxp://mediaplayer.walmart.com/installer/install.cab
    DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241209576118
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.4351041667
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - hxxp://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
    TCP: {1C4D6999-8C34-4831-9E85-397740327027} = 208.67.222.222,208.67.220.220
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\dana\applic~1\mozilla\firefox\profiles\e9buyb2s.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: XULRunner: {09574FAB-BD34-49B5-A2C4-6F9CB51FAA80} - c:\documents and settings\administrator.dbarker2\local settings\application data\{09574FAB-BD34-49B5-A2C4-6F9CB51FAA80}

    ============= SERVICES / DRIVERS ===============

    S2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-1-23 10384]
    S3 CallerIP;Visualware CallerIP;c:\program files\callerip\cip-nt.exe --> c:\program files\callerip\cip-nt.exe [?]
    S3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [2004-1-27 1025288]
    S3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [2003-4-8 820133]
    S4 IdcPHid;IdeaCom HID Touch Screen Driver (PS/2);c:\windows\system32\drivers\idcphid.sys --> c:\windows\system32\drivers\idcphid.sys [?]

    =============== Created Last 30 ================

    2011-02-17 17:19:33 -------- d-----w- c:\windows\system32\NtmsData
    2011-02-15 23:45:59 -------- d-----w- c:\program files\Microsoft Easy Assist

    ==================== Find3M ====================

    2006-07-03 11:11:44 774144 ----a-w- c:\program files\RngInterstitial.dll
    2003-08-27 21:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST340810A rev.3.39 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F1685C]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f1ca38]; MOV EAX, [0x82f1cab4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82F98AB8]
    3 CLASSPNP[0xF8636FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000059[0x82FAC968]
    5 ACPI[0xF85AD620] -> nt!IofCallDriver[0x804E37D5] -> [0x82FACD98]
    \Driver\atapi[0x82F670D8] -> IRP_MJ_CREATE -> 0x82F1685C
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST340810A_______________________________3.39____#463532423356504c202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x82F166A2
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 5:01:50.20 ===============
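    The DDS log above is what the helpers on this forum read first, and most of the first-pass questions (is anything running from a cache folder, are there orphaned BHO entries, what did the MBR check say) can be pulled out mechanically. The script below is an added example, not code from the thread or from the DDS tool: it splits a DDS log on its "=" section headers and returns those facts. The log text inside it is constructed to match the layout of the post, with placeholder paths, CLSIDs and hostnames; the section names, the `USER_WRITABLE` and `SERVICE_PROFILES` path lists and the function names are my own choices.

```python
"""Triage helpers for a DDS-style log.

Added example, not code from the thread or from the DDS tool. SAMPLE_DDS is
constructed to match the layout shown in the post (section names between runs
of '='); its paths, CLSIDs and hostnames are illustrative placeholders.
"""
import re
from collections import Counter

SAMPLE_DDS = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\tool[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: Example Helper - No File
BHO: Example Filter: {00000000-0000-0000-0000-000000000001} - c:\progra~1\example\helper.dll
Hosts: 127.0.0.1 www.example-security-site.test

=================== ROOTKIT ====================

Warning: possible TDL3 rootkit infection !
"""

# A section header: the section name between two runs of '='.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# User-writable cache/temp locations. An executable running from one of these
# deserves a second look because installed programs do not normally live there.
USER_WRITABLE = (
    "\\temporary internet files\\",
    "\\local settings\\temp\\",
    "\\appdata\\local\\temp\\",
)

# Built-in service-account profiles (the symptom in this thread). Browser cache
# appearing under these is written by a service or by something impersonating
# one, not by the interactive user, so any reference is worth correlating with
# the process that produced it.
SERVICE_PROFILES = (
    "\\documents and settings\\networkservice\\",
    "\\documents and settings\\localservice\\",
)


def split_sections(text):
    """Return {SECTION NAME: [non-empty lines]} keyed by the log's '=' headers."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).upper()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Pull out the handful of facts a helper checks first in a DDS log."""
    sections = split_sections(text)
    procs = sections.get("RUNNING PROCESSES", [])
    hjt = sections.get("PSEUDO HJT REPORT", [])
    rootkit = sections.get("ROOTKIT", [])
    counts = Counter(p.lower() for p in procs)
    return {
        # Executables launched from a cache or temp folder.
        "processes_from_temp": [p for p in procs if any(k in p.lower() for k in USER_WRITABLE)],
        # Anything referencing a service-account profile.
        "service_profile_refs": [l for l in procs + hjt if any(k in l.lower() for k in SERVICE_PROFILES)],
        # Same image listed more than once. Two iexplore.exe are normal for IE8,
        # two Explorer.EXE shells usually are not: a hint to check, not a verdict.
        "duplicate_processes": {p: n for p, n in counts.items() if n > 1},
        # Registry entries whose DLL is gone: leftovers of a removal or a broken install.
        "bho_no_file": [l for l in hjt if l.startswith("BHO:") and l.endswith("No File")],
        # Hosts-file entries. DDS lists them so a helper can tell a legitimate
        # blocklist from malware that points security sites at 127.0.0.1.
        "hosts_overrides": [l.split(":", 1)[1].strip() for l in hjt if l.startswith("Hosts:")],
        # Warnings from the MBR/rootkit check at the end of the log.
        "rootkit_warnings": [l for l in rootkit if l.lower().startswith("warning")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DDS).items():
        print(f"{key}: {value}")
```

Run it on a saved DDS.txt by reading the file into `triage()` instead of `SAMPLE_DDS`. The `split_sections` step is the useful part: every later check is a one-line filter over a named section, so adding a new question (say, every `DPF:` entry whose URL is not under a vendor domain) is a matter of adding one more key.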

  2. #2
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello and welcome to Safer Networking.

    I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

    Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

    Please be patient with me during this time.

    Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

  3. #3
    Member
    Join Date
    May 2009
    Posts
    40


    OK.

    Btw, I was unable to post to this forum using the infected PC.

  4. #4
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello JD the DJ ,

    Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

    Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
    • Please observe and follow these Forum Rules.
    • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
    • Please read the instructions carefully and follow them closely, in the order they are presented to you.
    • If you have any doubts or problems during the fix, please stop and ask.
    • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
    • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
    • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
    • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
    • If you do not reply within 3 days, this topic will be closed.

    If you are agreeable to the above, then everything should go smoothly. We may begin.

    --------------------

    Btw, I was unable to post to this forum using the infected PC.
    Maybe you will need to transfer some files between computers using a USB drive in case you still cannot post, so let's protect the good one first. From the good machine, please do the following.

    Check USB storage devices / removable drives
    • Please download USBNoRisk© by bobby and save to your desktop. Click here.
    • Double click on usbnorisk.exe and wait a couple of seconds for the initial scan to finish.
    • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
    • If there is more than one USB storage device, please take note of the order in which they are connected.
    • When all the devices are plugged in and the scanning done, right click on any location in the white box where the results are shown and select Save log.
    • Click OK when prompted and a log will open. It is saved to C:\USBNoRisk\UsbNoRisk.txt.
    • Post the contents of that log in your reply and close the program.


    --------------------

    Please post back:
    1. the USBNoRisk log

  5. #5
    Member
    Join Date
    May 2009
    Posts
    40


    OK, USBNoRisk installed on good machine.
    Only connected 1 USB device (4GB)

    ---------------------------------------------------------------
    USBNoRisk 2.7 (28 December 2010) by bobby

    Started at 2/20/2011 3:28:09 AM

    Searching for connected USB Mass storage...
    ----------------------------------------
    ========================================

    Searching for other storage...
    ----------------------------------------
    C: {70b2502c-d63c-11df-8327-806e6f6e6963}
    D: {70b2502d-d63c-11df-8327-806e6f6e6963}
    ========================================


    Scanning fixed storage...
    ----------------------------------------

    No blocked files found on C:
    No Autorun.inf files found on C:
    No mountpoint found for C:
    No mountpoint found for 70b2502c-d63c-11df-8327-806e6f6e6963
    No Desktop.ini files found on C:
    ----------------------------------------

    No blocked files found on D:
    No Autorun.inf files found on D:
    No mountpoint found for D:
    No mountpoint found for 70b2502d-d63c-11df-8327-806e6f6e6963
    ----------------------------------------
    Desktop.ini found at D:\boot\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\hp\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\PRELOAD\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\RECOVERY\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\SOURCES\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\Windows\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------
    Desktop.ini found at D:\ contains interesting CLSID string
    ----------------------------------------
    [.ShellClassInfo]
    CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}

    [ShellvRTF]
    RTFPath="protect.ed"
    IconIndex=1

    [Language]
    default="protect.english"
    Arabic="protect.arabic"
    Bulgarian="protect.bulgarian"
    Catalan="protect.catalan"
    Chinese_HongKong="protect.chinese hong kong"
    Chinese_Simplified="protect.chinese simplified"
    Chinese_Traditional="protect.chinese traditional"
    Croatian="protect.croatian"
    Czech="protect.czech"
    Danish="protect.danish"
    Dutch="protect.dutch"
    Estonian="protect.estonian"
    English="protect.english"
    Finnish="protect.finnish"
    French="protect.french"
    German="protect.german"
    Greek="protect.greek"
    Hebrew="protect.hebrew"
    Hungarian="protect.hungarian"
    Italian="protect.italian"
    Japanese="protect.japanese"
    Korean="protect.korean"
    Latvian="protect.latvian"
    Lithuanian="Protect.lithuanian"
    Norwegian (Bokmål)="protect.norwegian"
    Polish="protect.polish"
    Portuguese="protect.portuguese"
    Portuguese_Brazilian="protect.portuguese brazilian"
    Romanian="protect.romanian"
    Russian="protect.russian"
    Serbian_Latin="protect.serbian latin"
    Slovak="protect.slovak"
    Slovenian="protect.slovenian"
    Spanish="protect.spanish"
    Swedish="protect.swedish"
    Thai="protect.thai"
    Turkish="protect.turkish"
    ----------------------------------------
    CLSID not found in registry
    ----------------------------------------

    ========================================
    Initial scan finished!
    ========================================


    New device connected at 2/20/2011 3:29:24 AM

    Scanning for connected USB mass storage...
    ----------------------------------------
    J: {4377fd62-3bf2-11e0-a90a-001e904a93df}
    Added J:
    ========================================

    Scanning USB mass storage for files...
    ----------------------------------------
    No blocked files found on J:
    ----------------------------------------
    No Autorun.inf files found on J:
    Sanitized mountpoint for 4377fd62-3bf2-11e0-a90a-001e904a93df
    ----------------------------------------

    No Desktop.ini files found on J:
    ----------------------------------------

    No mimics found on drive J:
    ----------------------------------------

    .lnk/.pif/.com/.scr files found on drive J:
    ========================================



    New device connected at 2/20/2011 3:29:37 AM

    Scanning for connected USB mass storage...
    ----------------------------------------

    ========================================

    Scanning USB mass storage for files...
    ----------------------------------------
    No blocked files found on J:
    ----------------------------------------
    No Autorun.inf files found on J:
    No mountpoint found for 4377fd62-3bf2-11e0-a90a-001e904a93df
    ----------------------------------------

    No Desktop.ini files found on J:
    ----------------------------------------

    No mimics found on drive J:
    ----------------------------------------

    .lnk/.pif/.com/.scr files found on drive J:
    ========================================



    New device connected at 2/20/2011 3:29:39 AM

    Scanning for connected USB mass storage...
    ----------------------------------------

    ========================================

    Scanning USB mass storage for files...
    ----------------------------------------
    No blocked files found on J:
    ----------------------------------------
    No Autorun.inf files found on J:
    No mountpoint found for 4377fd62-3bf2-11e0-a90a-001e904a93df
    ----------------------------------------

    No Desktop.ini files found on J:
    ----------------------------------------

    No mimics found on drive J:
    ----------------------------------------

    .lnk/.pif/.com/.scr files found on drive J:
    ========================================
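    A USBNoRisk log like the one above repeats the same Desktop.ini block once per folder, which buries the one question that matters: how many distinct CLSIDs were found, where, and are they registered. The script below is an added example, not part of the thread or of USBNoRisk: it walks the log line by line as a small state machine, records each Desktop.ini hit with its CLSID and registry verdict, the volume GUIDs, the "New device connected" events and the drives reported free of Autorun.inf, and then groups the Desktop.ini hits by CLSID. The sample log is constructed to follow the layout shown in the post, with placeholder GUIDs; it assumes the registry verdict line always starts with "CLSID" and contains "registry", since the post only shows the negative form.

```python
"""Summarise a USBNoRisk log.

Added example, not part of the thread or of USBNoRisk. SAMPLE_LOG is constructed
to follow the layout shown in the post; every GUID in it is a placeholder.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
Searching for other storage...
----------------------------------------
C: {11111111-1111-1111-1111-111111111111}
D: {22222222-2222-2222-2222-222222222222}
========================================

No blocked files found on C:
No Autorun.inf files found on C:
----------------------------------------
No blocked files found on D:
No Autorun.inf files found on D:
Desktop.ini found at D:\boot\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}

[Language]
default="protect.english"
----------------------------------------
CLSID not found in registry
----------------------------------------
Desktop.ini found at D:\RECOVERY\ contains interesting CLSID string
----------------------------------------
[.ShellClassInfo]
CLSID={aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
----------------------------------------
CLSID not found in registry
----------------------------------------

New device connected at 2/20/2011 3:29:24 AM

Scanning for connected USB mass storage...
----------------------------------------
J: {33333333-3333-3333-3333-333333333333}
Added J:
========================================
No Autorun.inf files found on J:
Sanitized mountpoint for 33333333-3333-3333-3333-333333333333
"""

DESKTOP_INI_RE = re.compile(r"^Desktop\.ini found at (?P<path>.+?) contains interesting CLSID string$")
CLSID_RE = re.compile(r"^CLSID=\{?(?P<clsid>[0-9A-Fa-f-]{36})\}?$")
DEVICE_RE = re.compile(r"^New device connected at (?P<when>.+)$")
VOLUME_RE = re.compile(r"^(?P<letter>[A-Z]): \{(?P<guid>[0-9A-Fa-f-]{36})\}$")
NO_AUTORUN_RE = re.compile(r"^No Autorun\.inf files found on (?P<drive>[A-Z]:)$")


def parse_usbnorisk(text):
    """Reduce the log to volumes, Desktop.ini hits, device events and autorun status."""
    result = {"volumes": {}, "desktop_ini": [], "devices": [], "no_autorun": set()}
    hit = None     # Desktop.ini block currently being read
    device = None  # "New device connected" block waiting for its drive letter
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DESKTOP_INI_RE.match(line)
        if m:
            hit = {"path": m.group("path"), "clsid": None, "in_registry": None}
            result["desktop_ini"].append(hit)
            continue
        if hit is not None:
            m = CLSID_RE.match(line)
            if m and hit["clsid"] is None:
                hit["clsid"] = m.group("clsid").lower()
                continue
            if line.startswith("CLSID") and "registry" in line:
                # Assumption: the verdict line always contains "registry"; the
                # thread only shows the "not found" form, so anything else is
                # treated as a positive verdict.
                hit["in_registry"] = "not found" not in line
                hit = None
                continue
        m = DEVICE_RE.match(line)
        if m:
            device = {"when": m.group("when"), "letter": None, "guid": None}
            result["devices"].append(device)
            continue
        m = VOLUME_RE.match(line)
        if m:
            result["volumes"][m.group("letter")] = m.group("guid").lower()
            if device is not None and device["letter"] is None:
                device["letter"] = m.group("letter")
                device["guid"] = m.group("guid").lower()
            continue
        m = NO_AUTORUN_RE.match(line)
        if m:
            result["no_autorun"].add(m.group("drive"))
    return result


def group_by_clsid(hits):
    """Collapse Desktop.ini hits to {clsid: {"paths": [...], "in_registry": verdict}}."""
    groups = defaultdict(lambda: {"paths": [], "in_registry": None})
    for h in hits:
        groups[h["clsid"]]["paths"].append(h["path"])
        groups[h["clsid"]]["in_registry"] = h["in_registry"]
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_usbnorisk(SAMPLE_LOG)
    for clsid, info in group_by_clsid(parsed["desktop_ini"]).items():
        print(f"{clsid}: {len(info['paths'])} folder(s), in registry: {info['in_registry']}")
    for dev in parsed["devices"]:
        print(f"device at {dev['when']}: {dev['letter']} {dev['guid']}")
```

A re-plug of the same stick shows up as a "New device connected" block with no new drive-letter line, so such an event keeps `letter` and `guid` as `None` rather than being mis-attributed to the previous volume. Grouping by CLSID is what turns seven near-identical blocks in the log above into one line to reason about.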

  6. #6
    Security Expert- Emeritus
    Join Date
    Aug 2008
    Location
    South East Asia
    Posts
    725


    Hello JD the DJ ,

    Do this on the good computer.

    Run USBNoRisk script
    • Please start USBNoRisk by double clicking on the program.
    • Choose the Script tab.
    • Copy and paste the following text into it:
      Code:
      {4377fd62-3bf2-11e0-a90a-001e904a93df}
      protect:
    • Now, connect the USB storage device to the computer. If already connected, please click on the Run Script button at the bottom.
    • Close the program when done.


    --------------------

    Do all the following steps on the infected machine. If you cannot download to or post from the infected machine, then transfer the files through the other computer using the USB drive.

    When you ran DDS the first time, did you save Attach.txt? If yes, please post the contents of the log. Otherwise, run DDS again to get me the result.

    You have Malwarebytes' Anti-Malware (MBAM) on your machine. I wish to take a look at the most recent log file. Open MBAM and click on the Logs tab. Open the file at the bottom of the list and post the contents back here. If there is no log or you have yet to run MBAM, please let me know.

    --------------------

    Please close all programs and do not run any others before and during the Rootkit Unhooker scan. Do not use the computer for anything else until after the scan is completed.

    Please download Rootkit Unhooker and save it to your desktop. Click here.
    • Double click RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Ensure the following are checked (ticked):
      • Drivers
      • Stealth Code
      • Files
      • Code Hooks
    • Uncheck the rest, then click OK. An initial scan will be performed.
    • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
    • Wait until the scanner is done, then click on File in the pull-down menu, followed by Save Report.
    • Save the report somewhere you can find it. Click Close to exit.
    • Copy the entire contents of the report and paste it in your next reply.


    You may get a warning about parasite detection. Please click OK to continue.

    --------------------

    Please post back:
    1. Attach.txt
    2. the last MBAM
    3. Rootkit Unhooker log
