Outgoing internet requests, pop ups, and multiple trojans [Solved]

I have an expired trial version of ESET Smart Security. The signatures aren't up to date, but the firewall and everything else still works.

A couple of days ago, ESET alerted me that an unknown exe was trying to access the internet. I denied it access, closed all my browser tabs, and went looking for it:

C:\documents and settings\default\application data\ylanukmgh\bkkwhygtssd.exe

It had just been created within the last few minutes. I hadn't been intentionally downloading anything at the time.

A full system scan with ESET found no threats. I updated Pest Patrol the next day, and a full scan found no threats. Trend Micro Housecall found no threats. My computer wasn't doing anything suspicious, and I didn't receive any new firewall alerts, but the unknown exe was still there.

I used ESET's online scanner to do another full system scan, and it found several trojans and two "Spyware Protect" applications. It quarantined them.

I rebooted my computer, and got back on the internet. After a few minutes, a new window popped up for no reason, advertising "Betty Crocker Recipes" in my zip code. Nothing like this had happened up until then. A while later, another new window appeared saying I was being redirected to another site. The site I was redirected to had no content other than links to other sites. I used task manager to close out my browsing session on both occasions to prevent further infection.

I ran another ESET online scan overnight, and it found two more trojans.

I went to this forum, and a new window opened up for "Registry Defender 2010".

Following the steps in your malware guide, I ran TFC, ERUNT, and MBAM. MBAM found 10 infections in my registry and one other infected file. It needed a reboot to finish. I ran MBAM again, and it found no new threats. I did one more ESET online scan, and it found no new threats.

MBAM and GMER logs are pasted below.

I screwed up the order of running OTL. I ran it once before my last ESET scan and running GMER. I ran it again afterwards, but it didn't produce an "extras" log the second time. I've pasted the original two logs.

I haven't had any new pop ups since running MBAM, but I'd really like to make sure my system is clean now since I had so many infections that weren't doing anything to arouse my suspicion.

Thank you for your time!



I can't post the OTL logs. They are HUGE! If I try and paste everything at once, IE won't display the webpage. If I try and paste even one OTL log as an edit, I get a "loading" message from the forum forever. If I try and paste it as a reply, IE can't display the webpage after I submit the reply. I've been trying to do this for hours now.

I tried using Firefox, but it won't open because it says it's already running and not responding (this has never happened before, and still won't open after rebooting). I've gotten a notification about Windows Genuine the last few times I've tried to reboot. I've never gotten a notification about this before.



Malwarebytes' Anti-Malware 1.46

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/24/2010 6:25:52 PM
mbam-log-2010-06-24 (18-25-52).txt

Scan type: Quick scan
Objects scanned: 121035
Time elapsed: 16 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\default\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.



GMER - http://www.gmer.net
Rootkit scan 2010-06-25 01:50:15
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\default\LOCALS~1\Temp\kxdcrkow.sys

---- System - GMER 1.0.15 ----

SSDT 8281B8A0 ZwAssignProcessToJobObject
SSDT 8281ACB0 ZwOpenProcess
SSDT 8281B0D0 ZwOpenThread
SSDT 8281B6D0 ZwSuspendProcess
SSDT 8281B4F0 ZwSuspendThread
SSDT 8281AEE0 ZwTerminateProcess
SSDT 8281B310 ZwTerminateThread

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[344] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[344] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[344] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[620] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1200] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00EB000A
.text C:\WINDOWS\System32\svchost.exe[1200] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EE000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 82EF1EC5

---- Threads - GMER 1.0.15 ----

Thread System [4:396] 82819930

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
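As an added example (not part of the original post, and not Malwarebytes' own code), a small Python parser for the MBAM log format above: it tells the section headers apart from the summary counts, groups detections by family, counts how many registry keys reference each CLSID so the BHO's registration chain is visible at a glance, and lists anything MBAM did not report as quarantined. The sample lines are copied from the MBAM log in this post; the regexes and function names are mine.

```python
import re
from collections import defaultdict

# Sample input: the "Registry Keys Infected" and "Files Infected" sections
# copied from the MBAM log in this post, with two summary-count lines kept
# so the parser has to distinguish headers, summaries and detections.
SAMPLE_LOG = r"""Registry Keys Infected: 10
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\default\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
"""

# A section header is "<name> Infected:" with nothing after the colon;
# the summary block uses the same names followed by a count ("...: 10").
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# A detection line is "<item> (<family>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

CLEAN_ACTION = "Quarantined and deleted successfully"


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, action."""
    detections = []
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        hit = DETECTION_RE.match(line)
        if hit and section:
            detections.append({"section": section, **hit.groupdict()})
    return detections


def group_by_family(detections):
    """Map each detection family to the items MBAM attributed to it."""
    families = defaultdict(list)
    for d in detections:
        families[d["family"]].append(d["item"])
    return dict(families)


def clsid_key_counts(detections):
    """Count how many registry keys reference each CLSID. A BHO needs both
    its CLSID registration and the Explorer 'Browser Helper Objects' entry,
    so one GUID recurring across hives is the persistence chain to check."""
    counts = defaultdict(int)
    for d in detections:
        if d["section"] != "Registry Keys Infected":
            continue
        for guid in GUID_RE.findall(d["item"]):
            counts[guid.lower()] += 1
    return dict(counts)


def unresolved(detections):
    """Items whose action is anything other than a clean quarantine; these
    are the ones to re-check after the reboot MBAM asked for."""
    return [d["item"] for d in detections if d["action"] != CLEAN_ACTION]
```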

Download ComboFix here :

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Hi ali,

Thanks for the quick response!

While reading your post, I got my first pop up since MBAM, this time it was loading a geeks to go url followed by a random string of characters.

Combofix did not prompt me to install the recovery console, so I guess I already have it.

After starting Combofix, it detected a rootkit and needed to reboot. Afterwards, my taskbar and desktop icons didn't come up, but the Windows Genuine prompt showed up before Combofix reappeared. The scan was completed and the log is below.

I don't know if it's relevant, but getting back on the internet, IE is no longer my default browser.

_ _ _ _ _

ComboFix 10-06-24.03 - default 06/25/2010 6:44.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.237 [GMT -4:00]
Running from: c:\documents and settings\default\Desktop\PC Tools\tools from geeks to go\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FW: ZoneAlarm Pro Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Resident AV is active


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


Infected copy of c:\windows\system32\drivers\dmio.sys was found and disinfected
Restored copy from - Kitty had a snack :)
((((((((((((((((((((((((( Files Created from 2010-05-25 to 2010-06-25 )))))))))))))))))))))))))))))))

2010-06-25 07:02 . 2010-06-25 07:02 -------- d-----w- c:\windows\system32\KB905474
2010-06-25 00:03 . 2010-06-25 00:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-24 21:51 . 2010-06-24 21:51 -------- d-----w- c:\program files\ERUNT
2010-06-24 21:40 . 2010-06-24 21:40 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-22 05:21 . 2010-06-22 05:21 -------- d-----w- c:\documents and settings\default\Application Data\ylanukmgh
2010-06-22 05:21 . 2010-06-22 05:21 -------- d-----w- c:\documents and settings\default\Application Data\ylanukmgh
2010-06-03 06:08 . 2010-06-03 06:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Matrox

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2010-06-25 01:54 . 2009-09-06 13:49 1316 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-24 05:25 . 2007-04-03 00:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-25 22:02 . 2010-05-25 22:02 503808 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\msvcp71.dll
2010-05-25 22:02 . 2010-05-25 22:02 499712 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\jmc.dll
2010-05-25 22:02 . 2010-05-25 22:02 348160 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d509401-n\msvcr71.dll
2010-05-25 22:02 . 2010-05-25 22:02 61440 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3275dc46-n\decora-sse.dll
2010-05-25 22:02 . 2010-05-25 22:02 12800 ----a-w- c:\documents and settings\default\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3275dc46-n\decora-d3d.dll
2010-05-19 04:44 . 2010-05-19 04:44 1 ----a-w- c:\documents and settings\default\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-19 04:44 . 2010-05-19 04:44 -------- d-----w- c:\documents and settings\default\Application Data\OpenOffice.org
2010-05-19 04:40 . 2010-05-19 04:40 -------- d-----w- c:\program files\JRE
2010-05-19 04:40 . 2010-05-19 04:40 -------- d-----w- c:\program files\OpenOffice.org 3
2010-05-19 04:38 . 2009-08-13 17:50 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-29 19:39 . 2009-07-02 07:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2009-07-02 07:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2003-11-07 04:11 . 2001-01-30 15:20 1439 ----a-w- c:\program files\GUIDE PLUS+™ System (2).lnk
2003-11-07 04:11 . 2001-01-21 04:30 1439 ----a-w- c:\program files\GUIDE PLUS+™ System.lnk
2003-11-07 04:11 . 1980-01-01 04:00 820 ----a-w- c:\program files\Dell Accessories.lnk
2001-01-28 21:58 . 2001-01-28 21:58 516 ----a-w- c:\program files\Acrobat Reader 4.0.lnk
2001-01-21 04:14 . 1980-01-01 04:00 23357 ---h--w- c:\program files\FOLDER.HTT
2001-01-08 19:46 . 2001-01-08 19:46 594 ----a-w- c:\program files\Launch DellNet by MSN.lnk
2001-01-08 19:43 . 2001-01-08 19:43 444 ----a-w- c:\program files\Send and Receive a Fax.lnk
2001-01-08 19:43 . 2001-01-08 19:43 388 ----a-w- c:\program files\PhoneTools.lnk
1998-12-09 06:53 . 1998-12-09 06:53 99840 ------w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 06:53 . 1998-12-09 06:53 70144 ------w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 48640 ------w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 31744 ------w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 06:53 . 1998-12-09 06:53 186368 ------w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 06:53 . 1998-12-09 06:53 17920 ------w- c:\program files\Common Files\IRASRIAL.DLL

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

"PCTVOICE"="pctspk.exe" [2002-08-14 167936]
"Matrox Powerdesk"="c:\windows\System32\PDesk\PDesk.exe" [2001-09-21 622592]
"MpsOnn"="c:\windows\System32\spool\DRIVERS\W32X86\3\MpsOnn.exe" [2003-06-09 22528]
"Matrox PowerDesk SE"="c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.PowerDesk SE.exe" [2009-02-06 4223232]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-07-13 169264]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-11-16 2054360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\D:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eDualHead Toolbar.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\eDualHead Toolbar.lnk
backup=c:\windows\pss\eDualHead Toolbar.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^IMsecure.lnk]
path=c:\documents and settings\default\Start Menu\Programs\Startup\IMsecure.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^default^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\default\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
2003-07-25 15:15 536576 ----a-w- c:\program files\Eraser\eraser.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-13 23:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2002-03-19 12:53 29184 ----a-w- c:\progra~1\ScanSoft\PAPERP~1\Pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]
2006-07-26 19:59 1684480 ----a-w- c:\program files\PCPitstop\Optimize\PCPOptimize.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PestPatrol Control Center]
2004-11-15 15:49 98304 ----a-w- c:\progra~1\PESTPA~1\PPControl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PPMemCheck]
2003-04-19 11:53 148480 ----a-w- c:\progra~1\PESTPA~1\PPMemCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-07-10 02:57 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2007-01-28 07:55 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 13:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
2002-06-18 04:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 19:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2004-07-10 03:57 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 21:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

"AIM"=c:\program files\AIM95\aim.exe -cnetwait.odl
"ATI Scheduler"=c:\program files\ATI MULTIMEDIA\MAIN\ATISched.EXE
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe"
"MSMSGS"="c:\program files\MESSENGER\MSMSGS.EXE" /background
"ATI Launchpad"="c:\program files\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
"Mozilla Quick Launch"="c:\program files\Netscape\Netscp.exe" -aim

"Adaptec DirectCD"=c:\progra~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
"hpppta"=c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
"RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"ATIPTA"=c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"HPID Scheduler"=c:\program files\Hewlett-Packard\HP Instant Delivery\hpidschd.exe
"LTWinModem1"=ltmsg.exe 9
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime
"PestPatrol Control Center"=c:\program files\PestPatrol\PPControl.exe
"WinampAgent"="c:\program files\WINAMP\WINAMPa.exe"
"PCHealth"=c:\windows\PCHealth\Support\PCHSchd.exe -s
"RxMon"=c:\program files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
"madexe"=c:\program files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
"Share-to-Web Namespace Daemon"=c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"MMTray"=c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

"MotiveMonitor"=c:\program files\Motive\motmon.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" /r
"hpppta"=c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe /ICON
"Logitech Utility"=LOGI_MWX.EXE

"LoadBlackD"=c:\program files\Network ICE\BlackICE\blackd.exe
"Machine Debug Manager"=c:\windows\SYSTEM32\MDM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"EnableFirewall"= 0 (0x0)

"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM95\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 pavboot;pavboot;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [9/12/2008 9:18 PM 28544]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [11/16/2009 9:03 AM 108792]
R2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\SYSTEM32\DRIVERS\AliEhci.sys [11/8/2003 8:41 PM 104088]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [11/16/2009 9:04 AM 735960]
R2 Matrox Centering Service;Matrox Centering Service;c:\program files\Matrox Graphics Inc\PowerDesk\Services\Matrox.PowerDesk.Services.exe [2/6/2009 2:09 PM 1263872]
R2 Matrox.Pdesk.ServicesHost;Matrox.Pdesk.ServicesHost;c:\program files\Matrox Graphics Inc\PowerDesk SE\Matrox.Pdesk.ServicesHost.exe [2/6/2009 2:08 PM 344832]
R3 aliroothub;USB 2.0 Root Hub;c:\windows\SYSTEM32\DRIVERS\AliRtHub.sys [11/8/2003 8:41 PM 5337]
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\lne100v5.sys [11/10/2003 2:17 PM 36224]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\SYSTEM32\DRIVERS\WlanUIG.sys [5/30/2005 10:21 PM 347648]
S3 G550DH;G550DH;c:\windows\SYSTEM32\DRIVERS\g550dhm.sys [9/28/2001 1:13 PM 324747]
S3 UtilNT;UtilNT;c:\windows\SYSTEM32\DRIVERS\UtilNt.sys [11/14/2003 10:43 PM 5533]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-13 23:12 73216 ----a-w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-06-25 02:18]
------- Supplementary Scan -------
uStart Page = hxxp://www.google.com/
mWindow Title = Microsoft Internet Explorer provided by Comcast
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: aol.com\free
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Win32 Classes
FF - ProfilePath -
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-ATI Launchpad - c:\program files\ATI Multimedia\main\launchpd.exe
MSConfigStartUp-ATI Remote Control - c:\program files\ATI Multimedia\RemCtrl\ATIX10.exe
MSConfigStartUp-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MSConfigStartUp-SpyCop ScanCheck - c:\program files\Internet Explorer\setup.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-ymetray - c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe
ActiveSetup-RNA - rundll rnasetup.dll
AddRemove-3DSexVilla-031.001 - c:\documents and settings\default\My Documents\psfonts\psfonts2\SV\thriXXX\3D SexVilla\Binaries\Uninstall-3DSexVilla-031.001.exe
AddRemove-Adobe After Effects v3.1 - c:\adobe\After Effects 3.1\DeIsL1.isu
AddRemove-Adobe PageMaker 6.5 - c:\pm65\DeIsL1.isu
AddRemove-Adobe Streamline 4.0 - c:\adobe\Streamline 4.0\DeIsL1.isu
AddRemove-mIRC - c:\program files\mIRC\mirc.exe
AddRemove-Office In Color - c:\program files\KMT Software


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-25 07:01
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82EF1EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf85faf28
\Driver\ACPI -> ACPI.sys @ 0xf856dcb8
\Driver\atapi -> atapi.sys @ 0xf84ff852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

--------------------- LOCKED REGISTRY KEYS ---------------------

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)

- - - - - - - > 'lsass.exe'(908)
Completion time: 2010-06-25 07:08:57
ComboFix-quarantined-files.txt 2010-06-25 11:08
ComboFix2.txt 2009-07-02 09:20

Pre-Run: 6,258,032,640 bytes free
Post-Run: 6,410,633,216 bytes free

- - End Of File - - DE21E5054C281F2C3C659FD4DDF77FC2

Step 1

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean.

Step 2

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Step 3

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.

  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply.

Things I would like to see in your reply:
  • Malwarebytes Results.
  • Kaspersky WebScanner Report.
  • Update on how your computer is running.

Hi ali,

I already have MBAM, and I just updated it now. Should I download it again? Do I need to uninstall the original version first, or just overwrite it?

You may just update it and run a new scan.

Hi ali,

I ran TFC (already had it installed from following the malware guide instructions before my original post). I updated and ran MBAM, and it found no infected files. I'll post the log in my next reply.

I updated JRE.

I'm having trouble with the Kaspersky scan. It wasn't updating its files to 100%, and kept restarting the update. I left it running overnight, and it was 100% updated, but my computer was locked up. I was unable to restart via the start menu or the reset button, and had to unplug the computer. This happened last night as well.

I've finally got the scan running, but it's running very, very slowly. It's been over two hours, and it's at 1%. I do have a ton of files, but a complete online scan with ESET took about three hours to finish. There are no other open applications, my ESET firewall is on, but the real time antivirus is disabled.

Task manager shows my CPU usage between 90 and 100%. With no open applications, it's usually around 10%. Dell Pentium 3, 930 MHz, 512 MB RAM. XP Pro service pack 3. IE 8.

I'll keep the scan running overnight, but my internet connection often drops after a few hours, so I may not be able to finish the scan.

I'm still getting redirects opening in new windows, and prompts for Windows Genuine Advantage every time I reboot.


I don't know if I'll be able to get Kaspersky to work. My internet connection dropped (wireless to Uverse modem), and I was unable to reestablish a connection (or do anything else) because Kaspersky is maxing out my CPU to 100%. The System Information on the online scanner says I meet all the requirements, but I think the application might be more than my computer can handle.

I'll try again and keep it running until I hear back from you.

Malwarebytes' Anti-Malware 1.46

Database version: 4242

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/26/2010 5:04:08 AM
mbam-log-2010-06-26 (05-04-08).txt

Scan type: Quick scan
Objects scanned: 128291
Time elapsed: 16 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
if you are having such difficulties with Kaspersky you may drop it and run a scan with your own antivirus.

are you getting redirects when using Google/Bing/Yahoo?
Hi ali,

The ESET installed on my machine isn't up to date, and has not found anything. Neither has Pest Patrol or Trend Micro Housecall.

I ran ESET online twice after that. First, it found like 10 infected items and quarantined them. Second, it found two and quarantined them.

I then ran TFC, and MBAM twice after that. First it found like 10 infected items. Second, it found none.

I ran a third ESET online scan after MBAM, and it found no infections.

Afterwards, Combofix detected a rootkit.

Since then, I ran TFC again, updated MBAM, ran MBAM again, and it found nothing.

Kaspersky has been running for four hours, and is at 1% progress. I can run another ESET online scan, but the last one found no threats.

Google is my home page for IE and Firefox. I can't open Firefox. I get a message saying it is already running, but not responding (even after rebooting). In IE, I've only been to geeks to go and the recommended download sites since starting this post.

Typically, the browser redirect only happens the first time I open IE. I open my browser to google, then paste in the url for geeks to go. I wait a few minutes before doing anything. The new window / redirect opens after a few, and I use task manager to close it out. I open IE again, paste in the GTG url, and I don't have any new window / redirects after that.

My wireless card dropping the internet isn't a new issue (I'm in the basement and the router is upstairs), but it makes it hard to keep an online scan going for more than a few hours.

I may have been infected with various things that my onboard malware tools have missed for a while now. The unknown exe trying to access the internet is new (although that has stopped since my first online scan quarantined it). The redirects are new. Firefox not opening is new. Prompts for Windows Genuine Advantage are new.

It's possible that my wireless network has been compromised, but I haven't had any problems on the computer I'm posting from now (did TFC, MBAM, ESET online... seems clean and isn't acting up).

I will run another ESET online scan on the infected computer, but since the last scan found nothing, I don't know if a fourth scan will produce any results.

Any suggestions on how to proceed would be very appreciated.


Checked Kaspersky. Five hours in, it's at 2%, but it says it's found 1 infected file. Guess I'll keep it running for now.

Edit 2:

My firewall alerted me that some kind of malware removal tool was trying to access the internet. Since Kaspersky doesn't offer removal, I denied it. Then, windows update popped up and asked me if I wanted to reboot my computer to install the updates.

Automatic Updates: "Updating your computer is almost complete. Your computer needs to be restarted for the updates to take effect. Windows will restart your computer automatically in 14 minutes. Do you want to restart your computer now?"

I have always had auto update turned off, so either the malware or the malware removal tools must have reset this. Maybe this explains the prompts for Windows Genuine Advantage.

The update dialog box popped up twice before I changed my control panel preferences back to disable auto update.

isn't your copy of windows genuine ? :)
Hi ali,

It took 16 hours, but Kaspersky finally finished!

Log below:

Sunday, June 27, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version:
Last database update: Saturday, June 26, 2010 21:17:03
Records in database: 4290325

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:

Scan statistics:
Objects scanned: 173319
Threats found: 3
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 16:45:47

File name / Threat / Threats count
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\dmio.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{9BCFB3C7-53A7-4233-A42A-CA6F19ACDCAC}\RP330\A0048115.sys Infected: Rootkit.Win32.TDSS.ap 1
V:\C drive Move\Install Files\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

Selected area has been scanned.
I'm still getting new windows / redirects. This time it led me to a site trying to scan my computer for spyware...

"isn't your copy of windows genuine ?"

Yes, my copy of Windows should be legit. I don't remember what retailer I got it from, but it was from a place like Best Buy or Office Depot. I'm not getting a notice that says it isn't legit. I'm getting an installation wizard popping up when I reboot. Sorry I wasn't clear about that, but I'd never heard of Windows Genuine Advantage before. After googling it, I understand that once it's installed, it will notify you on every reboot if your copy isn't legitimate. As of right now, it just wants me to install the program.

So maybe it isn't a problem, but the timing is suspect. I'd never seen this installation wizard before I started trying to clean my machine. Also, Windows Update has never automatically installed updates before. Whatever it loaded last night is going to install itself on my next reboot.

Isn't it a bad idea to update Windows on an infected machine? Is there a way to stop the installation from happening on my next reboot?

Any thoughts on what might be going on with my machine so far? (the original unknown exe trying to get past my firewall, browser redirects, Firefox not running, Windows updating automatically, Genuine Advantage install wizard popping up for the first time ever, all these infected files found so far...)

Edited by Levan, 27 June 2010 - 08:27 PM.
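
A quick way to read a result list like the one in the Kaspersky log above, as an added example that is not part of this thread and not Kaspersky's own tooling: the script below parses the `File name / Threat / Threats count` lines and sorts each hit by where it lives. The two TDSS detections sit in ComboFix's Qoobox quarantine and inside a System Restore point, so they are stored copies rather than code that is still running; the `not-a-virus:` entries are adware and riskware classifications rather than rootkit components. The sample text is the four lines from the log above plus one constructed line with a made-up driver path, added only to show how an unquarantined hit would be reported. The function names and status labels are this example's own.

```python
import re

# Constructed sample: the four result lines from the Kaspersky log in this thread,
# plus one made-up line (constructed-example.sys does not exist) to show the
# "active" class. The header line is included to show it is skipped.
SAMPLE_LOG = r"""
File name / Threat / Threats count
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\dmio.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{9BCFB3C7-53A7-4233-A42A-CA6F19ACDCAC}\RP330\A0048115.sys Infected: Rootkit.Win32.TDSS.ap 1
V:\C drive Move\Install Files\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\WINDOWS\system32\Drivers\constructed-example.sys Infected: Rootkit.Win32.TDSS.ap 1
"""

# One result line: <path with spaces> Infected: <threat name> <count>
RESULT_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def classify(path, threat):
    """Status label based on where the detected object lives (example's own labels)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined"    # ComboFix already moved it out of place; inert unless restored
    if "\\system volume information\\_restore" in p:
        return "restore-point"  # copy held in a System Restore point, not a running file
    if threat.lower().startswith("not-a-virus:"):
        return "pua"            # adware / riskware classification, not a rootkit component
    return "active"             # live path: needs attention in the cleanup


def parse_kaspersky_results(text):
    """Return one dict per result line; header and blank lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        findings.append({
            "path": m.group("path"),
            "threat": m.group("threat"),
            "count": int(m.group("count")),
            "status": classify(m.group("path"), m.group("threat")),
        })
    return findings


def summarize(findings):
    """Count findings per status label."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = parse_kaspersky_results(SAMPLE_LOG)
    for f in results:
        print(f"{f['status']:<14} {f['threat']:<45} {f['path']}")
    print(summarize(results))
```

For a real log, read the saved file and pass its text to `parse_kaspersky_results` instead of `SAMPLE_LOG`. Restore-point copies are removed when System Restore is turned off and back on once the machine is clean, which is why helpers usually leave that step for last.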

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
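
What the `/md5` lines in the custom scan above are for, as an added example that is neither OTL's code nor part of this thread: OTL records the MD5 of `user32.dll` and `ws2_32.dll` so the helper can compare them against the hash of a clean copy, because a rootkit that patches a system file in place (the Kaspersky log earlier in the thread flagged a copy of `dmio.sys` as Rootkit.Win32.TDSS.ap) keeps the file's name and size but changes its hash. The script below does that comparison against a baseline you supply. No known-good hashes appear on this page, so the demo builds its own baseline from constructed temporary files, then alters one of them and includes one path that does not exist, to show the three outcomes. The function names and the baseline dictionary are this example's own.

```python
import hashlib
import os
import tempfile


def md5_of_file(path, chunk=1 << 20):
    """Hex MD5 of a file read in chunks; None if it cannot be opened.
    A file that is missing or cannot be read is itself worth noting when a
    rootkit is suspected, which is why OTL also uses /lockedfiles."""
    h = hashlib.md5()
    try:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(chunk), b""):
                h.update(block)
    except OSError:
        return None
    return h.hexdigest()


def check_against_baseline(baseline):
    """baseline maps path -> expected MD5 (hex). Returns path -> 'ok' | 'MISMATCH' | 'UNREADABLE'."""
    report = {}
    for path, expected in baseline.items():
        actual = md5_of_file(path)
        if actual is None:
            report[path] = "UNREADABLE"
        elif actual.lower() != expected.lower():
            report[path] = "MISMATCH"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed stand-ins for the two system DLLs so the check runs offline."""
    d = tempfile.mkdtemp()
    clean = os.path.join(d, "user32.dll")
    patched = os.path.join(d, "ws2_32.dll")
    with open(clean, "wb") as f:
        f.write(b"A" * 4096)
    with open(patched, "wb") as f:
        f.write(b"B" * 4096)
    # Baseline taken while both files are known good; the third entry is a
    # path that is never created, standing in for a file the scanner cannot open.
    baseline = {
        clean: md5_of_file(clean),
        patched: md5_of_file(patched),
        os.path.join(d, "never-created.sys"): "0" * 32,
    }
    # Simulate an in-place patch: same name, same size, one byte changed.
    with open(patched, "r+b") as f:
        f.seek(100)
        f.write(b"\xcc")
    return check_against_baseline(baseline)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:<10} {path}")
```

On a live machine the baseline would come from a clean copy of the same Windows version and service pack, not from the suspect machine itself. A kernel rootkit can also hand a reader clean contents while the on-disk file is patched, so hashing from a boot CD or another OS is the stronger check; the on-line hash is a quick first pass, not proof of integrity.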
Ran OTL. New OTL.txt pasted below. OTL has been run 3 times throughout the cleaning process, and does not create a new extras file.

I created a new profile for Firefox, which got it running again. New profile may show up in files modified within last 30 days.


Can't paste OTL log. Will attach OTL 3 along with original extras log.

