TechSpot

Rogue spy eraser help

Inactive
By pw2525
Mar 13, 2012
Topic Status:
Not open for further replies.
  1. Hello my daughter told me about this wonderful place and the great help she got. My computer was ready to be tossed out because 1 click took 10 mins to finished. My daughter told me maybe to try safe mode for the 5 steps first as I could not after 12hrs get any downloads to work. The 1st scan was in safe mode but I cant find it so I started over. the first time said it found 4 itemd rouge something I am searching for that log.Thank you for your help.

    malware log
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.12.07

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Owner :: PATRICIA-A688A9 [administrator]

    3/13/2012 7:34:11 AM
    mbam-log-2012-03-13 (07-34-11).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 267194
    Time elapsed: 56 minute(s), 53 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
  2. pw2525

    pw2525 TS Rookie Topic Starter

    gmer log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-12 22:48:20
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.8.16
    Running: ndg092ph.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugldakod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwAdjustPrivilegesToken [0xF8D4A110]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwConnectPort [0xF8D4B9F0]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateFile [0xF8D4AF80]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateKey [0xF8D49DB0]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreatePort [0xF8D4BD10]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateProcessEx [0xF8D4C810]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateSection [0xF8D4BF70]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateThread [0xF8D4C400]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDebugActiveProcess [0xF8D49870]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteKey [0xF8D4A9C0]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteValueKey [0xF8D4AB30]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDuplicateObject [0xF8D49980]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenFile [0xF8D4B1F0]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenProcess [0xF8D4AD00]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenSection [0xF8D493C0]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenThread [0xF8D49FC0]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwResumeThread [0xF8D4B450]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSecureConnectPort [0xF8D4BB80]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSetValueKey [0xF8D4A800]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateProcess [0xF8D4A6D0]
    SSDT \SystemRoot\system32\drivers\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateThread [0xF8D4AE50]

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{09CE2E7A-957E-4F21-83D1-F749DEC2D867}@NTEContextList 0x00000003?

    ---- EOF - GMER 1.0.15 ----
  3. pw2525

    pw2525 TS Rookie Topic Starter

    DDS LOG

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702
    Run by Administrator at 22:50:05 on 2012-03-12
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.18 [GMT -4:00]
    .
    AV: Webroot Internet Security Essentials *Enabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
    FW: Webroot Internet Security Essentials *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Webroot\Security\Current\plugins\antispam\wrhkisvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: WebrootBHO Class: {d93ec24d-8741-4d41-b83d-a5793b998416} - c:\program files\webroot\security\current\plugins\browserextension\WebrootBHO.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Webroot Browser Helper Object: {e08861fe-8847-4b2a-8ec2-08edb20e4020} - c:\program files\webroot\security\current\products\wise\toolbar\LPBar.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Webroot Toolbar: {d84a64a0-f2b2-4975-b264-3a3bce8d57d6} - c:\program files\webroot\security\current\products\wise\toolbar\LPBar.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
    mRun: [igfxtray] "c:\windows\system32\igfxtray.exe"
    mRun: [igfxhkcmd] "c:\windows\system32\hkcmd.exe"
    mRun: [igfxpers] "c:\windows\system32\igfxpers.exe"
    mRun: [SoundMAXPnP] "c:\program files\analog devices\core\smax4pnp.exe"
    mRun: [RealTray] "c:\program files\real\realplayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    mRun: [WebrootTrayApp] "c:\program files\webroot\security\current\framework\WRTray.exe"
    mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291996372027
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{09CE2E7A-957E-4F21-83D1-F749DEC2D867} : DhcpNameServer = 192.168.0.1
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 pwipf6;pwipf6;c:\windows\system32\drivers\pwipf6.sys [2011-4-4 122696]
    R3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192cu.sys [2011-4-4 907624]
    S2 SSFMONM;ssfmonm;c:\windows\system32\drivers\ssfmonm.sys [2011-4-4 45584]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-12 40776]
    .
    =============== Created Last 30 ================
    .
    2012-03-13 01:52:41 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-03-13 01:50:13 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2012-03-13 01:49:57 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
    2012-03-13 01:49:56 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-13 01:49:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-03-13 01:30:59 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
    2012-03-13 01:30:27 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 22:51:28.43 ===============
  4. pw2525

    pw2525 TS Rookie Topic Starter

    attach log

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/9/2004 8:46:58 AM
    System Uptime: 3/12/2012 9:26:01 PM (1 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0K8980
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 30.67 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP278: 3/12/2012 8:55:21 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    HP Image Zone Express
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Java(TM) 6 Update 12
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    RealPlayer Basic
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SoundMAX
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Webroot Software
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/12/2012 9:46:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    3/12/2012 9:28:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
    3/12/2012 9:27:23 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/12/2012 10:11:43 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
    3/12/2012 10:07:58 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    .
    ==== End Of File ===========================
  5. pw2525

    pw2525 TS Rookie Topic Starter

    I found the first malware log here it is,

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.12.07

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Administrator :: PATRICIA-A688A9 [administrator]

    3/12/2012 9:54:17 PM
    mbam-log-2012-03-12 (21-54-17).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 266206
    Time elapsed: 7 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 1
    C:\Documents and Settings\All Users\Start Menu\Programs\SpyEraser (Rogue.SpyEraser) -> Quarantined and deleted successfully.

    Files Detected: 3
    C:\Documents and Settings\All Users\Desktop\SpyEraser.lnk (Rogue.SpyEraser) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\SpyEraser\SpyEraser Help.lnk (Rogue.SpyEraser) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\SpyEraser\SpyEraser.lnk (Rogue.SpyEraser) -> Quarantined and deleted successfully.

    (end)
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I will be changing your thread subject to something more appropriate to the problem.

    The malware removed in Mbam is SpyEraser

    Spy Eraser is a rogue anti-spyware program from the Rogue.VirusDoctor
    • It is promoted through web sites that show advertisements that pretend to be online anti-malware scanners.
    • These scanners create numerous files that will be detected by the program as malware (See deletions in Combofix)
    • The scam is that you are told you have to pay for their program to remove these "threats" when in fact there are fake security warnings that should be ignored
    • This infection changes your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or
      update security software.
    • Regardless of the web browser you use, we need to fix the proxy so that we can download the utilities we need to remove this infection.

    Note: You may not be affected noticeably by everything listed
    ==========================
    1. Boot into Safe Mode with Networking
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.
    2. Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click OK to close the Local Area Network (LAN) Settings window.
      o Click OK to close the Internet Options window.
    3. To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKilll is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ====================================
    4. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
      [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
    ===============================
    5. Replace Hosts files and Permissions
    The malware also changes your Windows HOSTS file. We will need to replace the default version for your operating system. (Note:if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file.)

    The malware, in order to protect itself,may change the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:

    Step 1: Restoring Permissions
    • Please download Hostsperm.bat and save it to your desktop.
    • Double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run.
    • Once it starts you will see a small black window that opens, then goes away. This is normal.
    You should now be able to access your HOSTS file.

    Step 2: Show Hidden Files and Folders:
    • Click on the Start button and select Computer
    • Select Folder Options> View tab
    • Check Show hidden files and folders
    • uncheckHide protected operating system files(Recommended)> Confirm Yes
    • Then, uncheck the box next to Hide extensions for known filetypes
    • Click Apply then click OK

    Step 3: Delete the hosts file
    • Using Windows Explorer> navigate to Computer> Local Drive> Windows> System 32> Drivers
    • Navigate to C:\Windows\System32\drivers\etc and do a right click> Delete and delete the hosts file.
    • Once it is deleted, go to next Step.

    Step 4: Replacing the Hosts file for your operating system:
    Note: If the contents of the HOSTS file opens in your browser when you click on a link, then right-click on the ink and select Save Target As for in Internet Explorer, or Save Link As if in Firefox, to download the file.
    -------------------------
    Now reboot your computer into Normal Mode.
    ==============================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe [​IMG]& follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.[/b]
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
      • Note: No query will be made if the Recovery Console is already on the system.
    • .Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • .Close any open browsers.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ==============================================
    I will check the Combofix log for any additional removals.
    =============================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    Threads are closed after 5 days if there is no reply.
  7. pw2525

    pw2525 TS Rookie Topic Starter

    LOL I was thinking I deleted my own post. Thank you for your help I am working on your steps right now.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    That's why I added "Renamed." As long as you're subscribed to the thread, you will get the email feedback notice even if I rename it to "Joe's Smokehouse"! :)

    When I'm working on the thread, I can look at the top of my browser and see the thread subject. It's a helpful reminder of the problem when I'm working on so many threads at the same time. It helps me to know it's the Rogue Spy Eraser rather than 'I left 5 logs'!

    I'm clsing for the night, so I'll review the logs whenever you're ready.
  9. pw2525

    pw2525 TS Rookie Topic Starter

    The combofix just stays at the blue screen it says scanning normaly takes 10min but may double. well it's been like that since I replied yesterday. I did the steps prior should Iskip this or just leave it like it is?
  10. pw2525

    pw2525 TS Rookie Topic Starter

    Well combofix finished here is that log and rkill

    rkill log
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/13/2012 at 21:27:01.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 03/13/2012 at 21:27:05.

    combofix log

    ComboFix 12-03-13.01 - Owner 03/14/2012 21:57:33.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.128 [GMT -4:00]
    Running from: c:\documents and settings\Owner.PATRICIA-A688A9\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\Local Settings\Temp\lptmp8493\lp_dbghelp.dll
    C:\drvrtmp
    c:\windows\system32\dllcache\dlimport.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-15 to 2012-03-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-13 11:24 . 2012-03-13 11:24 -------- d-----w- c:\documents and settings\Owner.PATRICIA-A688A9\Application Data\Malwarebytes
    2012-03-13 03:04 . 2012-03-13 03:04 6278328 ----a-w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\wruninstall.exe
    2012-03-13 01:49 . 2012-03-13 01:49 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2012-03-13 01:49 . 2012-03-13 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-03-13 01:49 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-13 01:26 . 2012-03-13 01:30 -------- d-----w- c:\documents and settings\Administrator
    2012-03-12 12:37 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
    2012-03-12 12:37 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-13 11:07 . 2011-08-01 14:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 16:53 . 2004-08-04 12:00 1859968 ----a-w- c:\windows\system32\win32k.sys
    2011-12-17 19:46 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-12-17 19:46 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-12-17 19:46 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-12-16 12:22 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2009-07-04 26112]
    .
    c:\documents and settings\LocalService.NT AUTHORITY\Start Menu\Programs\Startup\
    Uninstall Webroot RunOnce.lnk - c:\documents and settings\LocalService.NT AUTHORITY\Application Data\wruninstall.exe [2012-3-12 6278328]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "67:UDP"= 67:UDP:DHCP Discovery Service
    .
    S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192cu.sys [4/4/2011 12:48 PM 907624]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/?ilc=1
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    HKCU-Run-Uniblue SpyEraser - c:\program files\Uniblue\SpyEraser\SpyEraser.exe
    HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    HKCU-Run-Desktop Software - c:\program files\Common Files\SupportSoft\bin\bcont.exe
    MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-14 22:08
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2012-03-14 22:12:27
    ComboFix-quarantined-files.txt 2012-03-15 02:12
    .
    Pre-Run: 32,435,052,544 bytes free
    Post-Run: 32,660,246,528 bytes free
    .
    - - End Of File - - 703CC16B32584A9903C87AEA42DF02DE
  11. pw2525

    pw2525 TS Rookie Topic Starter

    Forgot the most important thing, thank you :)
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You welcome! The Combofix log looks clean. Le's run an online virus scan:

    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =====================================
    The main problems when you began were 'slow' and can't run in Normal Mode. But it appears that Combofix did run in Normal Mode, albeit slowly.

    Do you notice any difference in the system?
  13. pw2525

    pw2525 TS Rookie Topic Starter

    The scan wont run it say downloading then says cant get update is proxy configured?

    At times it seems ok it moves now lol, but sometimes it has a big lag in response.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you do this in my Reply #6? >> 2. Reset your browser proxies
    If you did not, please do so. Reboot, then try the Eset scan again.

    If Eset still won't run, try either of the following:

    Panda Free Active Scan

    Trend Micro Housecall for 32bit
  15. pw2525

    pw2525 TS Rookie Topic Starter

    I have been sick sorry for a late reply. Yes I did follow the reply 6 step, I am going to try the scan now again, thank you.
  16. pw2525

    pw2525 TS Rookie Topic Starter

    I was able to to the Eset scan it says no threats found.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'd like you to run one more scan:

    First, set up a Directory for HijackThis as follows:
    Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
    Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.