#1

This is the story: About 3-4 mos ago all my Yahoo email contacts received some ad email, signed by me. Needless to say, I never sent the ad (about a Google product), nor was it in the Sent Box. In ~3wks it happened again, although the ad was different.

Last week a subfolder of My Documents folder disappeared. It was found by File Recover, yet no actual recovery was done because of a defect in the program (I am email corresponding with its vendor, PC Tools). A day later File Recover disappeared without a trace (almost – the only evidence of its presence was a lonely empty Registry folder named “Recovered Files”). A nice tiny program warning of bad websites called Web of Trust (WOT) disappeared twice already, in the space of three days. At least this one is easy to reinstall: it’s a freebie.

About a week ago both my CDRW and DVDRW drives stopped functioning: neither can “see” an inserted disc and says something like “Incorrect function. Please insert disc”. In Device Manager near the bottom there is something called “M$ Kernel DLS Synthesizer”. The Microsoft website informed me that it is part of Dmusic, whatever it is. The rest of its short description is too technical for me and is, actually, worthless. I want to fix it as I suspect it is related to the malfunctioning drives. Updating the Kernel’s driver did not change anything. I found a few websites that offered to download Kernel SW and uninstall it. Yet, when I went back to those websites and got to the secondary Download Now pages, my WOT darkened the pages and warned me: Dangerous Site; Very Bad Reputation! So, I ran System Restore and now have the dysfunctional Kernel back.

I don't think that the Kernel DLS breakdown is directly related to the rest of my trouble; but since it occurred at the same time, who knows? I appreciate any help.

#2

If you think this is a malware issue please follow the instructions in this thread and post the logs.

#3

I have SAS, Malwarebytes, HJT. What’s Antimalware? A generic term or a particular program? If so, which one? Google brings a zillion pages. I’d appreciate your advice.
Please note: I’ve been working on this computer since 2003 with only insignificant problems, so I know very little about Malware and its removal. Please keep in mind that I am not a pro: I think it could be Malware, a Trojan or something, but your diagnosis is more precise.

#4

Malwarebytes Antimalware.

#5

I attached logfiles to my last post (some are Notepad pages, some are Screenshots, as not every program provides a Notepad logfile). But they are nowhere in sight...

#6

Just copy and paste them directly into the reply.

#7

Logfile created: 10/18/2009 10:27:13
Lavasoft Ad-Aware version: 8.0.8
Extended engine version: 8.1
User performing scan: Yury

*********************** Definitions database information ***********************
Lavasoft definition file: 149.73
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Default Profile (ID: defaultprofile)
Objects scanned: 70365
Objects detected: 65

Type            Detected
==========================
Processes.......: 0
Registry entries: 0
Hostfile entries: 0
Files...........: 1
Folders.........: 0
LSPs............: 0
Cookies.........: 64
Browser hijacks.: 0
MRU objects.....: 0

Removed items:
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *live365* Family Name: Cookies Clean status: Success Item ID: 408844 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *ad.yieldmanager* Family Name: Cookies Clean status: Success Item ID: 409172 Family ID: 0
Description: *hitbox* Family Name: Cookies Clean status: Success Item ID: 408858 Family ID: 0
Description: *.hitbox* Family Name: Cookies Clean status: Success Item ID: 409072 Family ID: 0
Description: *specificclick* Family Name: Cookies Clean status: Success Item ID: 408807 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0
Description: *pointroll* Family Name: Cookies Clean status: Success Item ID: 408826 Family ID: 0
Description: *ads.pointroll* Family Name: Cookies Clean status: Success Item ID: 408927 Family ID: 0
Description: *adserv* Family Name: Cookies Clean status: Success Item ID: 408921 Family ID: 0
Description: *traffic.buyservices* Family Name: Cookies Clean status: Success Item ID: 409120 Family ID: 0
Description: www.buy* Family Name: Cookies Clean status: Success Item ID: 409113 Family ID: 0
Description: *2o7* Family Name: Cookies Clean status: Success Item ID: 408943 Family ID: 0
Description: *estat* Family Name: Cookies Clean status: Success Item ID: 408873 Family ID: 0
Description: *webtrends* Family Name: Cookies Clean status: Success Item ID: 599640 Family ID: 0
Description: *clickbank* Family Name: Cookies Clean status: Success Item ID: 408890 Family ID: 0
Description: *apmebf* Family Name: Cookies Clean status: Success Item ID: 409163 Family ID: 0
Description: *mediaplex* Family Name: Cookies Clean status: Success Item ID: 408991 Family ID: 0
Description: *trafficmp* Family Name: Cookies Clean status: Success Item ID: 408787 Family ID: 0
Description: *doubleclick* Family Name: Cookies Clean status: Success Item ID: 408875 Family ID: 0
Description: *atdmt* Family Name: Cookies Clean status: Success Item ID: 408910 Family ID: 0
Description: *fastclick* Family Name: Cookies Clean status: Success Item ID: 408869 Family ID: 0
Description: *questionmarket* Family Name: Cookies Clean status: Success Item ID: 408819 Family ID: 0
Description: *tacoda* Family Name: Cookies Clean status: Success Item ID: 409123 Family ID: 0
Description: *.bridgetrack* Family Name: Cookies Clean status: Success Item ID: 409095 Family ID: 0
Description: *statcounter* Family Name: Cookies Clean status: Success Item ID: 409185 Family ID: 0
Description: *rambler* Family Name: Cookies Clean status: Success Item ID: 408818 Family ID: 0
Description: *kontera* Family Name: Cookies Clean status: Success Item ID: 409363 Family ID: 0
Description: *.zedo* Family Name: Cookies Clean status: Success Item ID: 409030 Family ID: 0
Description: *real* Family Name: Cookies Clean status: Success Item ID: 408817 Family ID: 0
Description: *247realmedia* Family Name: Cookies Clean status: Success Item ID: 408945 Family ID: 0
Description: *realmedia* Family Name: Cookies Clean status: Success Item ID: 409139 Family ID: 0
Description: *adserve* Family Name: Cookies Clean status: Success Item ID: 409020 Family ID: 0
Description: *unicast* Family Name: Cookies Clean status: Success Item ID: 409281 Family ID: 0
Description: *casalemedia* Family Name: Cookies Clean status: Success Item ID: 409152 Family ID: 0
Description: *adbrite* Family Name: Cookies Clean status: Success Item ID: 409218 Family ID: 0
Description: *tribalfusion* Family Name: Cookies Clean status: Success Item ID: 408785 Family ID: 0
Description: *insightexpressai* Family Name: Cookies Clean status: Success Item ID: 409259 Family ID: 0
Description: *bs.serving-sys* Family Name: Cookies Clean status: Success Item ID: 408902 Family ID: 0
Description: *serving-sys* Family Name: Cookies Clean status: Success Item ID: 409130 Family ID: 0
Description: *coremetrics* Family Name: Cookies Clean status: Success Item ID: 409008 Family ID: 0
Description: *data.coremetrics* Family Name: Cookies Clean status: Success Item ID: 409220 Family ID: 0
Description: *adbureau* Family Name: Cookies Clean status: Success Item ID: 409027 Family ID: 0
Description: *bizrate.co* Family Name: Cookies Clean status: Success Item ID: 409154 Family ID: 0
Description: *omniture* Family Name: Cookies Clean status: Success Item ID: 408835 Family ID: 0
Description: *.stats.esomniture* Family Name: Cookies Clean status: Success Item ID: 409181 Family ID: 0
Description: *overture* Family Name: Cookies Clean status: Success Item ID: 408834 Family ID: 0
Description: *overstock* Family Name: Cookies Clean status: Success Item ID: 409142 Family ID: 0
Description: stat.dealtime* Family Name: Cookies Clean status: Success Item ID: 409126 Family ID: 0
Description: *dealtime* Family Name: Cookies Clean status: Success Item ID: 409235 Family ID: 0
Description: www.new* Family Name: Cookies Clean status: Success Item ID: 409109 Family ID: 0
Description: *adserver* Family Name: Cookies Clean status: Success Item ID: 408737 Family ID: 0
Description: *adtech* Family Name: Cookies Clean status: Success Item ID: 409018 Family ID: 0
Description: *adfarm1.adition* Family Name: Cookies Clean status: Success Item ID: 409171 Family ID: 0
Description: *statse.webtrends* Family Name: Cookies Clean status: Success Item ID: 408803 Family ID: 0
Description: *webtrendslive* Family Name: Cookies Clean status: Success Item ID: 408954 Family ID: 0
Description: *.webtrendslive* Family Name: Cookies Clean status: Success Item ID: 409033 Family ID: 0
Description: *statse.webtrendslive* Family Name: Cookies Clean status: Success Item ID: 409269 Family ID: 0
Description: *betanews* Family Name: Cookies Clean status: Success Item ID: 409366 Family ID: 0
Description: *advertis* Family Name: Cookies Clean status: Success Item ID: 408918 Family ID: 0
Description: *advertising* Family Name: Cookies Clean status: Success Item ID: 409017 Family ID: 0

Quarantined items:
Description: C:\System Volume Information\_restore{623B90B6-EE30-41CA-AAF4-AB3240FFA45D}\RP2\A0000003.exe Family Name: Win32.Adware.Dap Clean status: Success Item ID: 1386166 Family ID: 5458

Scan and cleaning complete: Finished correctly after 1448 seconds

*********************************** Settings ***********************************
Scan profile:
ID: defaultprofile, enabled:1, value: Default Profile
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: true
ID: scanhostsfile, enabled:1, value: true
ID: scanmru, enabled:1, value: true
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value: C:\
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: true
ID: onlyexecutables, enabled:1, value: false
ID: skiplargerthan, enabled:1, value: 20480
ID: scanrootkits, enabled:1, value: true
Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav
Scheduled scan settings:
<Empty>
Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Wed Jan 28 10:29:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Wed Jan 28 10:29:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: true
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language
Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: false
ID: networkprotection, enabled:0, value: false
ID: usespywareheuristics, enabled:0, value: false
ID: extendedengine, enabled:0, value: false
ID: useheuristics, enabled:0, value: false
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant

****************************** System information ******************************
Computer name: YUHRTW
Processor name: Intel(R) Pentium(R) 4 CPU 2.40GHz
Processor identifier: x86 Family 15 Model 2 Stepping 7
Raw info: processorarchitecture 0, processortype 586, processorlevel 15, processor revision 519, number of processors 1
Physical memory available: 463400960 bytes
Physical memory total: 1072480256 bytes
Virtual memory available: 1943105536 bytes
Virtual memory total: 2147352576 bytes
Memory load: 56%
Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 624 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 692 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 716 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 760 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 772 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 928 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 996 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1092 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1220 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 1456 name: E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1556 name: E:\Program Files\Alwil Software\Avast4\ashServ.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1924 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 480 name: C:\WINDOWS\Explorer.EXE owner: Yury domain: YUHRTW
PID: 496 name: C:\Program Files\Bonjour\mDNSResponder.exe owner: SYSTEM domain: NT AUTHORITY
PID: 384 name: C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 132 name: C:\Program Files\iolo\common\lib\ioloServiceManager.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1052 name: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe owner: Yury domain: YUHRTW
PID: 1148 name: E:\Program Files\Process Lasso\processlasso.exe owner: Yury domain: YUHRTW
PID: 1208 name: C:\Program Files\Logitech\MouseWare\system\em_exec.exe owner: Yury domain: YUHRTW
PID: 1204 name: E:\Program Files\Process Lasso\processgovernor.exe owner: Yury domain: YUHRTW
PID: 1300 name: C:\Program Files\Common Files\LightScribe\LSSrvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1304 name: E:\Program Files\NoAdware\NoAdware5.exe owner: Yury domain: YUHRTW
PID: 1408 name: C:\WINDOWS\system32\pctspk.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1692 name: E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 808 name: E:\Program Files\Alwil Software\Avast4\ashWebSv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 356 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1248 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 3620 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4016 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1812 name: C:\WINDOWS\System32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3716 name: E:\Program Files\Mozilla Firefox\firefox.exe owner: Yury domain: YUHRTW
PID: 3824 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Yury domain: YUHRTW

Startup items:
Name: RunNarrator imagepath: Narrator.exe
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1} imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030} imagepath: Component Categories cache daemon
Name: Logitech Utility imagepath: Logi_MwX.Exe
Name: avast! imagepath: E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Name: ProcessSupervisorGUI imagepath: E:\Program Files\Process Lasso\processlasso.exe
Name: ProcessGovernor imagepath: E:\Program Files\Process Lasso\processgovernor.exe
Name: Adobe Reader Speed Launcher imagepath: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Name: PostBootReminder imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: WPDShServiceObj imagepath: {AAA288BA-9A4C-45B0-95D7-94D524869DB5}
Name:  imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:  imagepath: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:  imagepath: autocheck autochk *
Name:  imagepath: autocheck smrgdf C:\Documents and Settings\Yury\Application Data\iolo\
Name:  imagepath: lsdelete

Running services:
Name: ALG displayname: Application Layer Gateway Service
Name: aswUpdSv displayname: avast! iAVS4 Control Service
Name: AudioSrv displayname: Windows Audio
Name: avast! Antivirus displayname: avast! Antivirus
Name: avast! Mail Scanner displayname: avast! Mail Scanner
Name: avast! Web Scanner displayname: avast! Web Scanner
Name: Bonjour Service displayname: Bonjour Service
Name: CryptSvc displayname: CryptSvc
Name: DcomLaunch displayname: DCOM Server Process Launcher
Name: Dhcp displayname: DHCP Client
Name: dmserver displayname: Logical Disk Manager
Name: ERSvc displayname: Error Reporting Service
Name: Eventlog displayname: Event Log
Name: EventSystem displayname: COM+ Event System
Name: gusvc displayname: Google Updater Service
Name: helpsvc displayname: Help and Support
Name: HidServ displayname: HID Input Service
Name: ioloFileInfoList displayname: iolo FileInfoList Service
Name: ioloSystemService displayname: iolo System Service
Name: lanmanworkstation displayname: Workstation
Name: Lavasoft Ad-Aware Service displayname: Lavasoft Ad-Aware Service
Name: LightScribeService displayname: LightScribeService Direct Disc Labeling Service
Name: LmHosts displayname: TCP/IP NetBIOS Helper
Name: Netman displayname: Network Connections
Name: Nla displayname: Network Location Awareness (NLA)
Name: NWCWorkstation displayname: Client Service for NetWare
Name: Pctspk displayname: PCTEL Speaker Phone
Name: PlugPlay displayname: Plug and Play
Name: ProtectedStorage displayname: Protected Storage
Name: RasMan displayname: Remote Access Connection Manager
Name: RpcSs displayname: Remote Procedure Call (RPC)
Name: SamSs displayname: Security Accounts Manager
Name: Schedule displayname: Task Scheduler
Name: seclogon displayname: Secondary Logon
Name: SENS displayname: System Event Notification
Name: SharedAccess displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection displayname: Shell Hardware Detection
Name: Spooler displayname: Print Spooler
Name: srservice displayname: System Restore Service
Name: SSDPSRV displayname: SSDP Discovery Service
Name: stisvc displayname: Windows Image Acquisition (WIA)
Name: TapiSrv displayname: Telephony
Name: Themes displayname: Themes
Name: W32Time displayname: Windows Time
Name: winmgmt displayname: Windows Management Instrumentation
Name: wscsvc displayname: Security Center
Name: WZCSVC displayname: Wireless Zero Configuration

------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:17 AM, on 10/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Process Lasso\processlasso.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
E:\Program Files\Process Lasso\processgovernor.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\Program Files\NoAdware\NoAdware5.exe
C:\WINDOWS\system32\pctspk.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: Babylon Plug In - {A057A204-BACC-4D26-9E83-2DB586E27190} - C:\PROGRA~1\BABYLO~1\BABYLO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Babylon Plug In - {A057A204-BACC-4D26-9E83-2DB586E27190} - C:\PROGRA~1\BABYLO~1\BABYLO~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ProcessSupervisorGUI] E:\Program Files\Process Lasso\processlasso.exe
O4 - HKLM\..\Run: [ProcessGovernor] E:\Program Files\Process Lasso\processgovernor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [TClockEx] E:\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [NoAdware5] "E:\Program Files\NoAdware\NoAdware5.exe" :Min:
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirva.../PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6662.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1236737152390
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94E5218F-9737-4FC2-8457-567B1FF23DC0} (diskhealth Class) - http://utilities.pcpitstop.com/Nirva...iskMD3Ctrl.dll
O16 - DPF: {A553720A-BFED-4EA4-A71F-7EFCA690A1F7} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Nirva...pAntiVirus.dll
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Nirva...pcpitstop2.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 8972 bytes

-------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

10/18/2009 10:11:50 AM
mbam-log-2009-10-18 (10-11-50).txt

Scan type: Quick Scan
Objects scanned: 105989
Time elapsed: 4 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\DealAssistant (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

------------------------------------------------------------------------

SAS, AdAware and NoAdware do not have their logfiles in Notepad format; they are available only as Bitmap files readable by M$ Picture and Fax Viewer.
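An added example for readers working through logs like the one above; it is not code from HijackThis, Trend Micro or anyone in this thread. It parses the flat HJT entry format (the `O4 - HKLM\..\Run: [name] command` style lines) into records so the sections a helper reads first, autostarts (O4), unidentified Winsock LSPs (O10) and DPF/ActiveX downloads (O16), can be listed and sanity-checked. The sample lines are copied from the posted log; the "standard location" check is this example's own heuristic, not an HJT feature.

```python
"""Minimal HijackThis (HJT) log parser for first-pass triage (added example)."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:17 AM, on 10/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Babylon Plug In - {A057A204-BACC-4D26-9E83-2DB586E27190} - C:\PROGRA~1\BABYLO~1\BABYLO~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NoAdware5] "E:\Program Files\NoAdware\NoAdware5.exe" :Min:
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/Nirva.../PCPitStop.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT finding starts with a section code such as R1, F2, O4, O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 body: <hive>\..\<Run key>: [<value name>] <command line>
RUN_RE = re.compile(r"^(HK\S+?)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# O16 body: DPF: {CLSID} (optional friendly name) - <download URL>
DPF_RE = re.compile(r"^DPF: (\{[^}]+\})(?: \(([^)]*)\))? - (\S+)$")
# Heuristic used by this example only: where installed software normally lives.
STANDARD_DIRS = ("\\program files", "\\progra~1", "\\windows\\")


def executable(command):
    """Return the program path from an O4 command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command.split()[0]


def is_standard_location(path):
    """True when the path resolves under a Program Files or Windows directory."""
    low = path.lower()
    return any(d in low for d in STANDARD_DIRS)


def parse_hjt(text):
    """Parse an HJT log into records {'code': ..., 'body': ...} plus parsed fields.

    Header lines and the 'Running processes' paths carry no section code and are
    skipped.  O4 records gain hive/key/name/command; O16 records gain clsid/name/url.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        rec = {"code": code, "body": body}
        if code == "O4":
            r = RUN_RE.match(body)
            if r:
                rec.update(hive=r.group(1), key=r.group(2), name=r.group(3), command=r.group(4))
        elif code == "O16":
            d = DPF_RE.match(body)
            if d:
                rec.update(clsid=d.group(1), name=d.group(2) or "", url=d.group(3))
        entries.append(rec)
    return entries


def triage(entries):
    """Summarise the sections a helper looks at first."""
    counts = Counter(e["code"] for e in entries)
    autostarts = [e for e in entries if e["code"] == "O4" and "command" in e]
    # Autostarts whose program is a bare file name or lives outside the usual
    # directories are worth resolving by hand before deciding anything.
    unresolved = [executable(e["command"]) for e in autostarts
                  if not is_standard_location(executable(e["command"]))]
    lsp = [e["body"].split("LSP: ", 1)[1] for e in entries
           if e["code"] == "O10" and "LSP: " in e["body"]]
    dpf = [e for e in entries if e["code"] == "O16" and "clsid" in e]
    return {"counts": counts, "autostarts": autostarts,
            "unresolved_autostarts": unresolved, "lsp": lsp, "dpf": dpf}


if __name__ == "__main__":
    summary = triage(parse_hjt(SAMPLE_LOG))
    print("entries per section:", dict(summary["counts"]))
    for e in summary["autostarts"]:
        print(f"autostart {e['hive']}\\{e['key']} [{e['name']}] -> {executable(e['command'])}")
    print("autostarts without a resolvable path:", summary["unresolved_autostarts"])
    print("Winsock LSP entries HJT could not identify:", summary["lsp"])
    print("DPF/ActiveX downloads:", [(d["clsid"], d["url"]) for d in summary["dpf"]])
```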

#8

I highly suggest uninstalling NoAdware. This is not a trusted tool. See here: http://www.mywot.com/en/scorecard/NoAdware.com

Open HijackThis and select Do a system scan only. Place a check mark next to the following entries: (if there)

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
Vista users: Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).
When finished ComboFix will produce a log for you.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
If you have problems with ComboFix usage, see How to use ComboFix

#9

Thank you.
Your last post is full of info; I'll follow your instructions tomorrow morning, as potential mistakes are easier to make now :-). Once, on somebody's advice, I ran ComboFix. I understand that it must be a good program, but... I need somebody's help to analyze its results and one has to be very alert handling it. Night brings counsel. See you tomorrow.

#10

No problem.
If you already have ComboFix be sure to delete it and download a new copy. I will analyze the log and let you know if anything else needs to be done.