Good day everyone,
Let me start off by saying that this computer (a small Acer laptop) was recently infected (how, I honestly don't know) with the Antivir Solution Pro virus, but I believe I got all of it. Now I am stuck with an annoying malware/adware kind of issue, which plays different sound bites at random intervals, usually "Congratulations, You Won". I've checked the processes at the time the sound was playing, but I honestly couldn't identify which process it was. Do note that this happens with all programs closed as well, so it doesn't seem browser related. Also, less frequently (not sure if it is actually the same thing), popups appear through Internet Explorer, which I don't even use, advertising things like emoticons.
I followed the 8-step guide, but after scanning with GMER, saving the log actually freezes the process, so I am unable to save the log. It didn't come up with any warnings, though. I tried without devices checked and in safe mode, for the record.
I have scanned the computer with my antivirus (Avira), MBAM, SUPERAntiSpyware and Spybot S&D, and immunized with Spybot as well as SpywareBlaster. Apart from some tracking cookies, I came across nothing. Uploading a HJT log to one of those analysis websites told me some files were CoolWebSearch files, but I figured I'd post here first. The scans I did were full scans, not quick scans, by the way. Well, here are all those logs requested in the 8 steps, apart from the GMER log, as stated above. I have attached the Attach file from DDS, because the post was too long.
--
mbam-log-2010-08-10 (16-09-35)
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4363
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
8/10/2010 4:09:35 PM
mbam-log-2010-08-10 (16-09-35).txt
Scan type: Quick scan
Objects scanned: 136726
Time elapsed: 8 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
--
DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by ihu at 22:18:57.65 on Tue 08/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.514 [GMT 2:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
svchost.exe 4
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
svchost.exe 4
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\My Documents\Downloads\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=1108&m=aoa150
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1227717327062
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\ihu\applic~1\mozilla\firefox\profiles\o5x6izb9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.startpagina.nl/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-28 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-11-28 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-28 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-28 56816]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 254976]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-11-26 96856]
=============== Created Last 30 ================
2010-08-10 13:34:56 0 d-----w- c:\program files\Trend Micro
2010-08-02 20:09:02 293376 ------w- c:\windows\system32\browserchoice.exe
2010-07-30 20:11:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-07-30 19:27:45 0 d-----w- c:\windows\system32\XPSViewer
2010-07-30 19:26:52 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-30 19:26:52 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-30 19:26:52 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-30 19:26:52 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-30 19:26:52 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-30 19:26:51 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-30 19:26:51 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-30 19:26:51 0 d-----w- C:\611901af9b6ea6ebfbdf
2010-07-30 19:17:37 0 d-sh--w- c:\documents and settings\ihu\IETldCache
2010-07-30 18:44:12 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-30 18:44:11 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-30 18:44:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-30 18:44:10 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-30 18:44:09 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-30 18:44:09 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-30 18:44:09 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-30 18:43:55 0 d-----w- c:\windows\ie8updates
2010-07-30 18:43:46 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-30 18:40:06 0 dc-h--w- c:\windows\ie8
2010-07-30 18:04:59 0 d-----w- c:\docume~1\ihu\applic~1\SafeReturner
2010-07-30 18:04:53 0 d-----w- c:\program files\Safe Returner
2010-07-30 17:49:07 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-30 17:30:25 0 d-----w- c:\program files\CCleaner
2010-07-30 15:37:45 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-30 15:37:45 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-07-30 15:28:46 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-07-30 14:58:22 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-07-30 14:58:21 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-07-30 14:58:20 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-07-30 14:38:42 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-30 14:30:57 0 d-----w- c:\windows\system32\PreInstall
2010-07-30 04:07:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-30 04:07:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-30 04:01:44 0 d-----w- c:\program files\SpywareBlaster
2010-07-30 03:59:27 0 d-s---w- C:\ComboFix
2010-07-30 03:54:53 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-30 03:54:53 215920 ----a-w- c:\windows\system32\muweb.dll
2010-07-30 03:54:53 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-30 03:18:53 0 d-sha-r- C:\cmdcons
2010-07-30 03:17:00 77312 ----a-w- c:\windows\MBR.exe
2010-07-30 03:16:59 98816 ----a-w- c:\windows\sed.exe
2010-07-30 03:16:59 256512 ----a-w- c:\windows\PEV.exe
2010-07-30 03:16:59 161792 ----a-w- c:\windows\SWREG.exe
2010-07-30 02:35:57 0 d-----w- c:\docume~1\ihu\applic~1\SUPERAntiSpyware.com
2010-07-30 02:35:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-30 02:35:40 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-28 14:59:57 0 d-----w- c:\docume~1\ihu\applic~1\Malwarebytes
2010-07-28 14:59:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 14:59:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 14:59:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-28 14:59:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 14:10:58 0 d-----w- c:\windows\pss
==================== Find3M ====================
2008-08-15 17:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-11-27 05:09:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112620081127\index.dat
============= FINISH: 22:20:02.39 ===============
--
Thanks in advance!
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-28 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-28 56816]
R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [2008-5-5 254976]
S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-11-26 96856]
=============== Created Last 30 ================
2010-08-10 13:34:56 0 d-----w- c:\program files\Trend Micro
2010-08-02 20:09:02 293376 ------w- c:\windows\system32\browserchoice.exe
2010-07-30 20:11:22 0 d-----w- c:\docume~1\alluse~1\applic~1\Sunbelt
2010-07-30 19:27:45 0 d-----w- c:\windows\system32\XPSViewer
2010-07-30 19:26:52 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-07-30 19:26:52 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-07-30 19:26:52 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-07-30 19:26:52 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-07-30 19:26:52 117760 ------w- c:\windows\system32\prntvpt.dll
2010-07-30 19:26:51 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-07-30 19:26:51 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-07-30 19:26:51 0 d-----w- C:\611901af9b6ea6ebfbdf
2010-07-30 19:17:37 0 d-sh--w- c:\documents and settings\ihu\IETldCache
2010-07-30 18:44:12 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-07-30 18:44:11 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-07-30 18:44:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-07-30 18:44:10 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-07-30 18:44:09 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-30 18:44:09 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-07-30 18:44:09 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-07-30 18:43:55 0 d-----w- c:\windows\ie8updates
2010-07-30 18:43:46 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-07-30 18:40:06 0 dc-h--w- c:\windows\ie8
2010-07-30 18:04:59 0 d-----w- c:\docume~1\ihu\applic~1\SafeReturner
2010-07-30 18:04:53 0 d-----w- c:\program files\Safe Returner
2010-07-30 17:49:07 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-30 17:30:25 0 d-----w- c:\program files\CCleaner
2010-07-30 15:37:45 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-07-30 15:37:45 272128 ------w- c:\windows\system32\drivers\bthport.sys
2010-07-30 15:28:46 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-07-30 14:58:22 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-07-30 14:58:21 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-07-30 14:58:20 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-07-30 14:38:42 2560 ------w- c:\windows\system32\xpsp4res.dll
2010-07-30 14:30:57 0 d-----w- c:\windows\system32\PreInstall
2010-07-30 04:07:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-30 04:07:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-30 04:01:44 0 d-----w- c:\program files\SpywareBlaster
2010-07-30 03:59:27 0 d-s---w- C:\ComboFix
2010-07-30 03:54:53 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-30 03:54:53 215920 ----a-w- c:\windows\system32\muweb.dll
2010-07-30 03:54:53 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-07-30 03:18:53 0 d-sha-r- C:\cmdcons
2010-07-30 03:17:00 77312 ----a-w- c:\windows\MBR.exe
2010-07-30 03:16:59 98816 ----a-w- c:\windows\sed.exe
2010-07-30 03:16:59 256512 ----a-w- c:\windows\PEV.exe
2010-07-30 03:16:59 161792 ----a-w- c:\windows\SWREG.exe
2010-07-30 02:35:57 0 d-----w- c:\docume~1\ihu\applic~1\SUPERAntiSpyware.com
2010-07-30 02:35:57 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-30 02:35:40 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-28 14:59:57 0 d-----w- c:\docume~1\ihu\applic~1\Malwarebytes
2010-07-28 14:59:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 14:59:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 14:59:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-28 14:59:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 14:10:58 0 d-----w- c:\windows\pss
==================== Find3M ====================
2008-08-15 17:51:40 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-11-27 05:09:15 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112620081127\index.dat
============= FINISH: 22:20:02.39 ===============
--
Thanks in advance!
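A triage helper for the DDS sections pasted above, added here as an example; it is not part of the original post and not code from the DDS tool. It parses the `SERVICES / DRIVERS` lines (`R1 name;display;path [date size]`, or `--> path [?]` when DDS could not read the file) and the `Created Last 30` lines (`date time size attrs path`), then applies a few review heuristics that are this example's own assumptions: a service whose file DDS marked `[?]`, a root-level directory with a long hex name, a new executable dropped directly under the Windows root, and hidden+system objects outside the Windows directory. The sample lines are copied from the log in the post; none of the flags means "malicious", they are the entries a responder would verify by hand first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input copied from the DDS log posted above (constructed test data,
# nothing here touches a live system).
SERVICE_LINES = [
    r"R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-11-28 11608]",
    r"R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-11-28 185089]",
    r"S1 SBRE;SBRE;\??\c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]",
    r"S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-11-26 96856]",
]
CREATED_LINES = [
    r"2010-08-10 13:34:56 0 d-----w- c:\program files\Trend Micro",
    r"2010-07-30 19:26:51 0 d-----w- C:\611901af9b6ea6ebfbdf",
    r"2010-07-30 19:17:37 0 d-sh--w- c:\documents and settings\ihu\IETldCache",
    r"2010-07-30 03:17:00 77312 ----a-w- c:\windows\MBR.exe",
    r"2010-07-30 14:58:21 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe",
]

# "R1 name;display;image path [2009-11-28 11608]"  or  "... --> resolved path [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)\s+\[([^\]]*)\]$")
# "2010-07-30 19:26:51 0 d-----w- c:\path"
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")

@dataclass
class Service:
    start: str            # R*/S* start-type column as DDS prints it
    name: str
    display: str
    path: str             # on-disk path (right-hand side of '-->' when present)
    file_date: Optional[str]
    size: Optional[int]
    verified: bool        # False when DDS printed '[?]' instead of date/size

@dataclass
class Created:
    date: str
    time: str
    size: int
    attrs: str            # DDS attribute column, e.g. d-sh--w-
    path: str
    @property
    def is_dir(self) -> bool: return self.attrs[0] == "d"
    @property
    def hidden(self) -> bool: return "h" in self.attrs
    @property
    def system(self) -> bool: return "s" in self.attrs

def parse_service(line: str) -> Optional[Service]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, path, info = m.groups()
    if "-->" in path:                      # DDS shows "raw --> resolved"; keep resolved
        path = path.split("-->")[-1]
    path = path.strip()
    if info.strip() == "?":                # DDS could not stat the file
        return Service(start, name, display, path, None, None, False)
    date, size = info.split()
    return Service(start, name, display, path, date, int(size), True)

def parse_created(line: str) -> Optional[Created]:
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    return Created(date, time, int(size), attrs, path.strip())

# Review heuristics (assumptions of this example, not DDS rules).
HEX_ROOT_DIR = re.compile(r"^[a-z]:\\[0-9a-f]{16,}$", re.I)
WINDOWS_ROOT_BIN = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll|sys)$", re.I)

def triage(services: List[Service], created: List[Created]) -> List[str]:
    findings = []
    for s in services:
        if not s.verified:
            findings.append(f"service {s.name}: DDS could not read {s.path} ([?]); "
                            "confirm the file exists and check its publisher/signature")
    for c in created:
        if c.is_dir and HEX_ROOT_DIR.match(c.path):
            findings.append(f"{c.path}: root-level directory with a hex name; Windows update "
                            "extraction uses such names too, confirm its contents")
        if not c.is_dir and WINDOWS_ROOT_BIN.match(c.path):
            findings.append(f"{c.path}: new binary directly under the Windows root ({c.size} bytes); "
                            "match it against tools run that day before treating it as foreign")
        if c.hidden and c.system and not c.path.lower().startswith("c:\\windows"):
            findings.append(f"{c.path}: hidden+system object outside the Windows directory; "
                            "IE caches and recovery-console folders are legitimate examples")
    return findings

def triage_log(service_lines: List[str], created_lines: List[str]) -> List[str]:
    services = [s for s in map(parse_service, service_lines) if s]
    created = [c for c in map(parse_created, created_lines) if c]
    return triage(services, created)

if __name__ == "__main__":
    for f in triage_log(SERVICE_LINES, CREATED_LINES):
        print("-", f)
```

Run it on the two sections of a saved DDS.txt by splitting the file on the `=====` section headers; the output is a short review list, not a verdict, so each flagged path still has to be checked on disk (file present, signed by whom, created by which install).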