TechSpot

Computer infected with malware that causes talking/ads to play when nothing open

Inactive
By Boojer
May 29, 2011
  1. My computer will start having ads/talking/music when no programs are open. I did a scan with Malwarebytes and it deleted infected files, but it is still happening. It is not constant but comes and goes. Here are my logs:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6708

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    5/28/2011 9:56:53 PM
    mbam-log-2011-05-28 (21-56-53).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 219586
    Time elapsed: 25 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\system volume information\_restore{4e21ad8e-8e3c-4e84-aa70-86ae71324f29}\RP444\A0030231.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{4e21ad8e-8e3c-4e84-aa70-86ae71324f29}\RP444\A0030232.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{4e21ad8e-8e3c-4e84-aa70-86ae71324f29}\RP448\A0031466.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{4e21ad8e-8e3c-4e84-aa70-86ae71324f29}\RP448\A0031467.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{4e21ad8e-8e3c-4e84-aa70-86ae71324f29}\RP448\A0031468.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-05-19.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\Harddisk0\DP(1)0x7e00-0x12a14b8200+1
    Install Date: 3/20/2010 1:56:19 PM
    System Uptime: 5/29/2011 7:03:01 PM (0 hours ago)
    .
    Motherboard: | | 4CoreDual-SATA2.
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPUSocket | 2992/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 37.226 GiB free.
    D: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP368: 3/1/2011 4:15:25 PM - System Checkpoint
    RP369: 3/2/2011 5:44:27 PM - System Checkpoint
    RP370: 3/3/2011 6:23:14 PM - System Checkpoint
    RP371: 3/4/2011 7:06:22 PM - System Checkpoint
    RP372: 3/5/2011 7:41:37 PM - System Checkpoint
    RP373: 3/6/2011 8:15:07 PM - System Checkpoint
    RP374: 3/7/2011 8:59:11 PM - System Checkpoint
    RP375: 3/9/2011 5:35:55 PM - System Checkpoint
    RP376: 3/10/2011 5:38:42 PM - System Checkpoint
    RP377: 3/11/2011 6:04:17 PM - System Checkpoint
    RP378: 3/12/2011 8:01:46 PM - System Checkpoint
    RP379: 3/13/2011 8:10:52 PM - System Checkpoint
    RP380: 3/14/2011 8:21:00 PM - System Checkpoint
    RP381: 3/15/2011 8:26:10 PM - System Checkpoint
    RP382: 3/15/2011 10:04:37 PM - Software Distribution Service 3.0
    RP383: 3/17/2011 8:34:29 AM - System Checkpoint
    RP384: 3/18/2011 5:46:45 PM - System Checkpoint
    RP385: 3/19/2011 6:19:26 PM - System Checkpoint
    RP386: 3/20/2011 7:00:38 PM - System Checkpoint
    RP387: 3/21/2011 4:35:11 PM - Installed TurboTax 2010 wrapper
    RP388: 3/21/2011 5:58:45 PM - Installed TurboTax 2010 wcaiper
    RP389: 3/22/2011 6:14:46 PM - System Checkpoint
    RP390: 3/23/2011 6:21:04 PM - System Checkpoint
    RP391: 3/24/2011 6:22:18 PM - System Checkpoint
    RP392: 3/25/2011 6:37:41 PM - System Checkpoint
    RP393: 3/26/2011 7:55:12 PM - System Checkpoint
    RP394: 3/27/2011 8:19:51 PM - System Checkpoint
    RP395: 3/28/2011 8:52:19 PM - System Checkpoint
    RP396: 3/30/2011 8:37:11 AM - System Checkpoint
    RP397: 3/31/2011 3:26:15 PM - System Checkpoint
    RP398: 4/1/2011 3:41:36 PM - System Checkpoint
    RP399: 4/2/2011 5:07:44 PM - System Checkpoint
    RP400: 4/3/2011 6:03:16 PM - System Checkpoint
    RP401: 4/4/2011 6:23:47 PM - System Checkpoint
    RP402: 4/5/2011 7:22:07 PM - System Checkpoint
    RP403: 4/6/2011 7:58:42 PM - System Checkpoint
    RP404: 4/7/2011 8:17:30 PM - System Checkpoint
    RP405: 4/8/2011 8:27:54 PM - System Checkpoint
    RP406: 4/9/2011 10:03:54 PM - System Checkpoint
    RP407: 4/11/2011 2:27:02 PM - System Checkpoint
    RP408: 4/12/2011 9:03:00 PM - System Checkpoint
    RP409: 4/13/2011 9:28:45 PM - System Checkpoint
    RP410: 4/14/2011 9:58:16 PM - System Checkpoint
    RP411: 4/16/2011 11:47:16 AM - System Checkpoint
    RP412: 4/23/2011 10:06:52 AM - System Checkpoint
    RP413: 4/24/2011 10:26:03 AM - System Checkpoint
    RP414: 4/25/2011 10:43:55 AM - System Checkpoint
    RP415: 4/26/2011 11:03:21 AM - System Checkpoint
    RP416: 4/27/2011 3:56:00 PM - System Checkpoint
    RP417: 4/28/2011 5:21:58 PM - System Checkpoint
    RP418: 4/29/2011 5:47:09 PM - System Checkpoint
    RP419: 4/30/2011 6:10:05 PM - System Checkpoint
    RP420: 5/1/2011 6:48:51 PM - System Checkpoint
    RP421: 5/2/2011 7:41:15 PM - System Checkpoint
    RP422: 5/3/2011 7:57:09 PM - System Checkpoint
    RP423: 5/5/2011 8:40:41 AM - System Checkpoint
    RP424: 5/6/2011 9:09:22 AM - System Checkpoint
    RP425: 5/7/2011 10:17:42 AM - System Checkpoint
    RP426: 5/8/2011 8:29:18 PM - System Checkpoint
    RP427: 5/9/2011 9:01:53 PM - System Checkpoint
    RP428: 5/10/2011 9:20:33 PM - System Checkpoint
    RP429: 5/12/2011 3:49:41 PM - System Checkpoint
    RP430: 5/13/2011 4:22:20 PM - System Checkpoint
    RP431: 5/14/2011 4:51:14 PM - System Checkpoint
    RP432: 5/15/2011 5:33:49 PM - System Checkpoint
    RP433: 5/16/2011 3:59:07 PM - Installed Windows XP Wdf01009.
    RP434: 5/16/2011 4:06:00 PM - Removed Roxio Media Manager
    RP435: 5/17/2011 4:13:23 PM - System Checkpoint
    RP436: 5/18/2011 4:56:35 PM - System Checkpoint
    RP437: 5/19/2011 5:26:51 PM - System Checkpoint
    RP438: 5/20/2011 7:03:56 PM - System Checkpoint
    RP439: 5/21/2011 7:11:29 PM - System Checkpoint
    RP440: 5/22/2011 7:36:24 PM - System Checkpoint
    RP441: 5/23/2011 7:40:47 PM - System Checkpoint
    RP442: 5/24/2011 8:12:00 PM - System Checkpoint
    RP443: 5/25/2011 8:38:09 PM - System Checkpoint
    RP444: 5/26/2011 5:49:33 PM - Restore Operation
    RP445: 5/26/2011 8:46:31 PM - Removed ATI Catalyst Control Center
    RP446: 5/26/2011 8:47:27 PM - Removed Bonjour
    RP447: 5/26/2011 10:23:40 PM - Software Distribution Service 3.0
    RP448: 5/28/2011 8:51:27 AM - System Checkpoint
    RP449: 5/29/2011 12:14:20 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    1300
    1300_Help
    1300Tour
    1300Trb
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.4
    AiO_Scan
    AIOMinimal
    AiOSoftware
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft Panorama Maker 4
    ATI - Software Uninstall Utility
    ATI AVIVO Codecs
    ATI Catalyst Control Center
    ATI Display Driver
    ATI Parental Control & Encoder
    ATI Problem Report Wizard
    Auslogics Disk Defrag
    AVG 2011
    BlackBerry Desktop Software 6.0.2
    Bullzip PDF Printer 7.1.0.1181
    Copy
    CreativeProjects
    Director
    DocProc
    Easy CD & DVD Creator 6
    Fax
    File Uploader
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Image Zone 3.5
    HP PSC & OfficeJet 3.5
    HP Software Update
    hpmdtab
    HPSystemDiagnostics
    HydraVision
    InstantShare
    iSEEK AnswerWorks English Runtime
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 22
    Malwarebytes' Anti-Malware
    Memories Disc Creator 2.0
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft ActiveSync 3.7
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Forefront Client Security Antimalware Service
    Microsoft Forefront Client Security State Assessment Service
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Nikon Message Center
    Nikon Transfer
    Overland
    PhotoGallery
    Picture Control Utility
    Platform
    PrintScreen
    QFolder
    QuickProjects
    QuickTime
    Readme
    Realtek High Definition Audio Driver
    Roxio DVDMAX Player
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB2497640)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SkinsHP1
    SkinsHP2
    Spelling Dictionaries Support For Adobe Reader 9
    TrayApp
    TurboTax 2009
    TurboTax 2009 wcaiper
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wrapper
    TurboTax 2010
    TurboTax 2010 wcaiper
    TurboTax 2010 WinPerFedFormset
    TurboTax 2010 WinPerReleaseEngine
    TurboTax 2010 WinPerTaxSupport
    TurboTax 2010 wrapper
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    V CAST Music with Rhapsody
    VIA Platform Device Manager
    ViewNX
    WebFldrs XP
    WebReg
    Windows Media Format 11 runtime
    Windows Media Player 11
    .
    ==== Event Viewer Messages From Past Week ========
    .
    5/28/2011 6:28:53 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp ViaIde
    5/28/2011 11:41:08 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    5/28/2011 11:40:30 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cdudf_xp Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    5/28/2011 11:40:30 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 11:40:30 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 11:40:30 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 11:40:30 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 11:40:30 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    5/28/2011 11:40:26 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    5/28/2011 11:40:10 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    5/27/2011 6:30:11 PM, error: FcsSas [10006] - Forefront Client Security State Assessment Service policy applied with errors. Reverted to the following settings: Schedule Type: Interval Time: 12 Parameter:
    5/27/2011 6:25:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp
    .
    ==== End Of File ===========================
    .
    DDS (Ver_11-05-19.01) - NTFSx86
    Internet Explorer: 7.0.5730.13
    Run by Deanne Vicedo at 19:29:13 on 2011-05-29
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1535.1009 [GMT -7:00]
    .
    AV: Microsoft Forefront Client Security *Enabled/Outdated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Deanne Vicedo\Local Settings\Temporary Internet Files\Content.IE5\3CXMWM2V\dds[1].scr
    C:\WINDOWS\system32\WSCRIPT.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
    uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
    mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
    mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
    mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
    mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
    dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
    DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
    WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2007-2-7 18832]
    R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-6 73120]
    R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-8-7 67784]
    .
    =============== Created Last 30 ================
    .
    2011-05-29 01:21:20 -------- d-----w- c:\documents and settings\deanne vicedo\application data\Malwarebytes
    2011-05-29 01:21:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 01:21:13 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-05-29 01:21:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-29 01:09:49 -------- d-----w- c:\documents and settings\deanne vicedo\local settings\application data\Threat Expert
    2011-05-27 00:50:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-05-27 00:50:42 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-16 22:59:07 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2011-05-15 18:25:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    ==================== Find3M ====================
    .
    2011-05-16 22:56:40 256 ----a-w- c:\windows\system32\pool.bin
    2011-03-07 05:33:50 692736 ------w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:45:07 434176 ------w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21:11 1857920 ------w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 19:29:55.01 ===============
    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit scan 2011-05-29 19:27:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12 WDC_WD800JB-00JJC0 rev.05.01C05
    Running: lgdxonec[1].exe; Driver: C:\DOCUME~1\DEANNE~1\LOCALS~1\Temp\awldapog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB818A000, 0x238E77, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3527F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E352777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3527BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E352703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E35273D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352831 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E20178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3529F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] WININET.dll!HttpAddRequestHeadersA 3D94632F 5 Bytes JMP 00B06B70
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] WININET.dll!HttpAddRequestHeadersW 3D9AA4FD 5 Bytes JMP 00B06D70
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 00C2000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BF000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00BE000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C0000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 00C1000A
    .text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B4000A

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:124] 89863E7A
    Thread System [4:128] 89866008

    ---- EOF - GMER 1.0.15 ----
     
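Added triage helper, not part of the original post or of GMER itself: it parses "User code sections" lines in the format shown in the GMER log above and separates inline hooks whose JMP target GMER could map to a loaded module (IE's own IEFRAME.dll wrappers, normally benign) from hooks that jump into memory with no backing module. The sample lines are copied from the log above; treating module-backed hooks as benign is a triage heuristic, not a verdict.

```python
import re
from collections import defaultdict

# GMER "User code sections" line layout, as seen in the log above:
#   .text <process>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target> [<dest path> (<vendor>)]
# The trailing destination only appears when GMER could map the JMP target to a
# loaded module. A hook that lands in memory with no backing module is the line
# that deserves a closer look during triage.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[(?P<pid>\d+)\])\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<dest>.+?)\s+\((?P<vendor>[^)]*)\))?\s*$"
)

# Sample input: seven lines copied from the GMER log in the post above.
SAMPLE_GMER_LINES = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[4008] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4008] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3529F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4008] WININET.dll!HttpAddRequestHeadersA 3D94632F 5 Bytes JMP 00B06B70
.text C:\Program Files\Internet Explorer\iexplore.exe[4008] WININET.dll!HttpAddRequestHeadersW 3D9AA4FD 5 Bytes JMP 00B06D70
.text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 00BE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C0000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4008] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B4000A
"""


def parse_user_hooks(text):
    """Return one dict per parsed hook line; lines that do not match are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["pid"] = int(d["pid"])
        d["size"] = int(d["size"])
        d["addr"] = int(d["addr"], 16)
        d["target"] = int(d["target"], 16)
        hooks.append(d)
    return hooks


def triage(hooks):
    """Split hooks into module-backed jumps (typically legitimate shims) and
    unbacked jumps into anonymous memory (the ones to investigate)."""
    backed, unbacked = [], []
    for h in hooks:
        (backed if h["dest"] else unbacked).append(h)
    return {"backed": backed, "unbacked": unbacked}


def summarize_unbacked(hooks):
    """Count unbacked hooks per hooked export module, e.g. {'WS2_32.dll': 3}."""
    counts = defaultdict(int)
    for h in triage(hooks)["unbacked"]:
        counts[h["module"]] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_user_hooks(SAMPLE_GMER_LINES)
    result = triage(parsed)
    print("module-backed hooks:", len(result["backed"]))
    for h in result["unbacked"]:
        # Networking and HTTP-header exports hooked into unbacked memory inside the
        # browser process are consistent with traffic/ad injection and warrant follow-up.
        print("unbacked hook: %s!%s -> %08X (pid %d)" % (h["module"], h["func"], h["target"], h["pid"]))
    print("unbacked per module:", summarize_unbacked(parsed))
```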
  2. Broni (Malware Annihilator)

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =====================================================================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    Click the "Scan" button to start the scan.

    On completion of the scan, click "Save log", save it to your desktop, and post it in your next reply.

    ==================================================================

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
Topic Status:
Not open for further replies.