Anti Virus Software & Internet protection

That's ok. Let it get to the end and post the log.


Here you go:

 

Malwarebytes' Anti-Malware 1.50

http://www.malwarebytes.org

 

Database version: 5249

 

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

 

05/12/2010 20:32:03

mbam-log-2010-12-05 (20-32-03).txt

 

Scan type: Quick scan

Objects scanned: 143432

Time elapsed: 3 minute(s), 27 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

(No malicious items detected)

 

Registry Values Infected:

(No malicious items detected)

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

c:\Windows\System32\java.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


Good! :)

 

Hopefully we're in the home straight!

 

Re-run the program DDS I had you run.

 

  • Double click dds.scr to run the tool.
  • When done, notepad should open. Please copy & paste the contents of:
    • DDS.txt

And post it in your next reply.


 

> Files Infected:
>
> c:\Windows\System32\java.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

 

I believe that is actually a false positive & not an infected file - we'll restore it later. I'm getting the same detection.

> I believe that is actually a false positive & not an infected file - we'll restore it later. I'm getting the same detection.

 

Yes, I've just checked the Malwarebytes forum and others are reporting the same.

 

The log was clean. :thumbsup:


DDS (Ver_10-11-27.01) - NTFSx86

Run by Jacqueline at 20:52:25.87 on 05/12/2010

Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3326.2406 [GMT 0:00]

 

 

============== Running Processes ===============

 

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Essentials\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Security Essentials\msseces.exe

C:\Program Files\Alwil Software\Avast5\AvastUI.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Windows\system32\taskhost.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files\Olympus\DeviceDetector\DM1Service.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k iissvcs

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\Jacqueline\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe


Pseudo HJT Report ===============

 

uStart Page = hxxp://www.sky.com/

uInternet Settings,ProxyServer = http=127.0.0.1:25535

BHO: txthlpBHO Class: {060235dc-6d84-47bd-95d7-a4ef5099a59d} - c:\progra~1\texthe~1\readan~1\TE4470~1.DLL

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: ba3HelperObj Class: {a17b153f-2267-4161-a165-73dcd6c31bef} - c:\progra~1\texthe~1\readan~1\ba3bho.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking10\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking10\Ereg.ini

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\devicedetector\DirectrecConfig.exe

uPolicies-explorer: DisallowRun = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {8C922C73-FFFA-45A3-B2C2-BC1E30074267} - hxxp://www.sony.co.uk/bravia/RegistrationAgent.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

IFEO: image file execution options - svchost.exe

Hosts: 74.125.45.100 4-open-davinci.com

Hosts: 74.125.45.100 securitysoftwarepayments.com

Hosts: 74.125.45.100 privatesecuredpayments.com

Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Hosts: 74.125.45.100 getantivirusplusnow.com

 

Note: multiple HOSTS entries found. Please refer to Attach.txt

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\users\jacque~1\appdata\roaming\mozilla\firefox\profiles\v0q39t8j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.sky.com/

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 25535

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

 

============= SERVICES / DRIVERS ===============

 

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-16 165584]

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-16 17744]

R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-7-16 50768]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-8 40384]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2010-10-2 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-7-19 47640]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-8 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-8 40384]

R3 rt61x86;Linksys Wireless-G PCI Adapter Driver;c:\windows\system32\drivers\WMP54Gv41x86.sys [2010-4-7 376160]

R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-3-1 139776]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-19 136176]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-7-16 1343400]

 

=============== Created Last 30 ================

 

2010-12-05 10:06:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-05 10:06:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-05 09:56:04 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{c58d21c2-8f60-4249-894f-8f9ad2480eb9}\mpengine.dll

2010-11-30 23:30:51 -------- d-----w- c:\users\jacque~1\appdata\roaming\Malwarebytes

2010-11-30 23:30:46 -------- d-----w- c:\progra~2\Malwarebytes

2010-11-30 23:30:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-24 07:35:09 7680 ----a-w- c:\program files\internet explorer\iecompat.dll

2010-11-21 22:16:57 -------- d-----w- C:\Temp

2010-11-21 22:12:38 -------- d-----w- c:\users\jacque~1\appdata\roaming\Philips-Songbird

2010-11-21 22:12:38 -------- d-----w- c:\users\jacque~1\appdata\local\Philips-Songbird

2010-11-21 22:12:00 -------- d-----w- c:\program files\Philips

2010-11-21 08:54:38 -------- d-----w- c:\users\jacque~1\appdata\local\Mozilla

2010-11-06 11:37:34 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

2010-11-06 08:46:52 -------- d-sh--w- c:\users\jacque~1\appdata\roaming\Smart Engine

2010-11-06 08:46:52 -------- d-sh--w- c:\progra~2\SMUSE

2010-11-06 08:46:31 -------- d-sh--w- c:\progra~2\56a4ff

 

==================== Find3M ====================

 

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-09-30 20:20:38 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2010-09-30 20:20:38 53632 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll

2010-09-30 20:20:38 29568 ----a-w- c:\windows\system32\LMIport.dll

2010-09-30 20:20:37 87424 ----a-w- c:\windows\system32\LMIinit.dll

2010-09-15 03:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-08 04:30:04 978432 ----a-w- c:\windows\system32\wininet.dll

2010-09-08 04:28:15 44544 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-08 03:22:31 386048 ----a-w- c:\windows\system32\html.iec

2010-09-08 02:48:16 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr

 

============= FINISH: 20:52:46.08 ===============

> Yes, I've just checked the Malwarebytes forum and others are reporting the same.
>
> The log was clean. :thumbsup:

 

Glad to know this.

> What is the reason behind Firefox?

 

It's just an alternative to Internet Explorer to view the Internet. ;)

 

 

Good news and bad news.

 

The mbam log is clean but the hosts entries etc still remain. We'll use something else that takes the work out of it for you. The program below will allow me to formulate a script that will do everything automatically using the program.

 

 

This might produce a big log so you might have to split it into 2-3 posts and make sure you don't miss anything out - we're nearly there, you'll be able to give yourself a pat on the back after this. :thumbsup:

 

 

Download this file by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of just OTL.txt in your next reply.

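The HOSTS entries and proxy settings the helper refers to are visible in the DDS "Pseudo HJT Report" earlier in the thread. As an added example (not part of this thread, and not DDS's, Malwarebytes' or OTL's code), here is a small Python triage script that reads DDS report lines and flags the indicators a helper looks for when a scanner log is "clean" but the system is not: HOSTS entries that send a name to a remote address, a loopback proxy configured in Internet Explorer or Firefox, and an Image File Execution Options entry for a core binary. The line formats it parses are assumed from the log above; the sample input is constructed from that log plus one benign localhost line, to show what must not be flagged.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: DDS "Pseudo HJT Report" lines in the same shape as the
# log posted in this thread (hosts/proxy/IFEO lines copied from it; the "localhost"
# line is added to show a benign entry that must NOT be flagged).
SAMPLE_REPORT = """\
uStart Page = hxxp://www.sky.com/
uInternet Settings,ProxyServer = http=127.0.0.1:25535
IFEO: image file execution options - svchost.exe
Hosts: 74.125.45.100 securitysoftwarepayments.com
Hosts: 74.125.45.100 getantivirusplusnow.com
Hosts: 127.0.0.1 localhost
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 25535
FF - prefs.js: network.proxy.type - 0
"""


@dataclass
class Finding:
    kind: str    # short indicator class, e.g. "hosts-redirect"
    detail: str  # human-readable explanation for the analyst
    line: str    # the report line that triggered it


# Line shapes assumed from the DDS output above; adjust if your DDS version differs.
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js:\s*(network\.proxy\.\S+)\s*-\s*(.+)$")
IFEO_RE = re.compile(r"^IFEO:\s*image file execution options\s*-\s*(.+)$")
HOST_PORT_RE = re.compile(r"([A-Za-z0-9.\-]+):(\d+)")


def is_loopback(host: str) -> bool:
    return host.startswith("127.") or host in ("::1", "localhost")


def analyze(report: str) -> list[Finding]:
    findings: list[Finding] = []
    ff_prefs: dict[str, str] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            # Pointing a name at loopback (localhost, or a deliberate block) is normal;
            # pointing it at a remote IP silently reroutes that name.
            if not is_loopback(ip):
                findings.append(Finding("hosts-redirect", f"{host} resolves to {ip} via HOSTS", line))
        elif m := IE_PROXY_RE.match(line):
            for host, port in HOST_PORT_RE.findall(m.group(1)):
                # A loopback proxy means a process on this machine sits between the browser and the web.
                if is_loopback(host):
                    findings.append(Finding("ie-local-proxy", f"IE proxies through {host}:{port}", line))
        elif m := FF_PREF_RE.match(line):
            ff_prefs[m.group(1)] = m.group(2).strip()
        elif m := IFEO_RE.match(line):
            # An IFEO entry for a core binary is a classic place to look for a debugger hijack.
            findings.append(Finding("ifeo-entry", f"IFEO present for {m.group(1).strip()}", line))

    proxy_host = ff_prefs.get("network.proxy.http", "")
    if is_loopback(proxy_host):
        port = ff_prefs.get("network.proxy.http_port", "?")
        # network.proxy.type 0 = direct connection: the setting exists but is not in use.
        active = ff_prefs.get("network.proxy.type", "0") != "0"
        state = "active" if active else "configured but inactive (network.proxy.type = 0)"
        findings.append(Finding("ff-local-proxy", f"Firefox HTTP proxy {proxy_host}:{port}, {state}",
                                f"network.proxy.http - {proxy_host}"))
    return findings


def summarize(report: str) -> dict[str, int]:
    """Count findings per indicator class, for a quick triage verdict."""
    counts: dict[str, int] = {}
    for f in analyze(report):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

Run against the sample, the script reports the two HOSTS redirects, the loopback IE proxy, the IFEO entry for svchost.exe and the Firefox proxy (noting that it is inactive because network.proxy.type is 0), and stays silent on the localhost line. It only reads the report text, so it is safe to run on a copied log away from the affected machine.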

My dear Waddler, I don't know about you but I am EXHAUSTED!!!! Is it ok if we continue this tomorrow?
