Adware is shutting off internet! Help!

Marshall97

New Member
Alright, I got some quite nasty adware, and it was quite malicious (you know, the whole fake antivirus bit). So, with it shutting down every program I opened, I somehow, in a fit of rage clicking, opened Windows Defender and got rid of it (keep in mind I have HijackThis, Malwarebytes, Webroot Spy Sweeper [it's expired though]). So I found the file, so cleverly named bijrjijbji, and tried to delete it. Bad mistake: it came back full force. I managed to get Windows Defender to suppress it and it just sits there, but it managed to cut off my internet, just the browsers; I can go on WoW and Ventrilo, but no Google Chrome or Internet Explorer.

So tl;dr: got adware that cut off my internet browsers, proxy business and whatnot. I am posting from another computer, so mind you I have no logs. (Also, as another note, Webroot, MBAM and Windows Defender can't pick it up after I removed the main spam.)
Any suggestions? :confused:
 
You may have to boot to Safe Mode with Networking and download this program and run it. Or you can download it to a flash drive, transfer it to the desktop of the infected computer and run it. However, when you download it and save it, save it as combo-fix, not combofix, which is the default.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Alright, I'll give it a try. But you're saying that with Safe Mode with Networking I can access the internet?
As in, because right now I can't, and I'm on my other computer because of "proxy" issues.
 
Go into Internet Options, click on the Connections tab, then click on the LAN settings button, then remove the checks from the proxy server boxes.
 
Wow, I feel stupid. I am now on the affected computer. As I said, the adware isn't present at this moment; I removed it, but the file it originated from is still there, hence every time I delete it, it comes back. Do I still have to run Safe Mode? Because I can still download things without it popping up and ruining my good times.
 
Pretty sure I saw it got deleted. Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:57 PM, on 8/6/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\PictureMover\Bin\PictureMover.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Windows\explorer.exe
C:\Users\Marshall\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Marshall\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Marshall\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13920&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [hpsysdrv] "c:\hp\support\hpsysdrv.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Health Check Scheduler] "c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [DVDAgent] "c:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Google Update] "C:\Users\Marshall\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PictureMover.lnk = C:\Program Files\PictureMover\Bin\PictureMover.exe
O4 - Global Startup: WeGame.lnk = C:\Program Files\WeGame\wegame.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6416 bytes

And the ComboFix log:


"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-6-3 413696]
WeGame.lnk - c:\program files\WeGame\wegame.exe [2009-7-16 1527296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ca,87,f3,35,a5,68,ca,01

R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-12-14 570880]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-29 114984]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-29 134024]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-29 810120]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-03-29 96896]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2009-07-02 1205760]
S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2008-02-12 207360]
S3 WUSB54GSCv2.NTx86;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2_X86.sys [2008-01-08 238072]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-656297243-3801516935-1174647162-1001Core.job
- c:\users\Marshall\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-01 21:55]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-656297243-3801516935-1174647162-1001UA.job
- c:\users\Marshall\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-01 21:55]

2009-01-06 c:\windows\Tasks\HPCeeScheduleForEudora.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-07-30 03:03]

2010-08-06 c:\windows\Tasks\wrSpySweeper_L4C4DC96FF8634D1B8F378459361D40F4.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-07-02 19:40]

2010-08-06 c:\windows\Tasks\wrSpySweeper_L4C4DC96FF8634D1B8F378459361D40F4.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-07-02 19:40]

2010-08-03 c:\windows\Tasks\wrSpySweeper_L926A508A80214CA0A80874F33901AF29.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-07-02 19:40]

2010-08-03 c:\windows\Tasks\wrSpySweeper_L926A508A80214CA0A80874F33901AF29.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-07-02 19:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=13920&l=dis
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-HostManager - c:\program files\Common Files\AOL\1232289610\ee\AOLSoftware.exe
ActiveSetup-{BFF8B6B0-DAF6-CF92-6F4C-81BCAEAEACC9}t - c:\users\Marshall\AppData\Roaming\mswhelp.exe
ActiveSetup-{CECDFBDF-7C6B-AC6D-FD6A-7DC2E1E6301C} - c:\users\Marshall\AppData\Local\Temp\incognito.exe
AddRemove-AOL Uninstaller - c:\program files\Common Files\AOL\uninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 21:25
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-06 21:31:14
ComboFix-quarantined-files.txt 2010-08-07 01:31

Pre-Run: 105,763,741,696 bytes free
Post-Run: 105,774,116,864 bytes free

- - End Of File - - C029A6B4978ECCE180A732A0C8832337
 
I need the whole log; you cut off the top part of it. The log will be located at C:\combofix.txt. Please repost it.
 
ComboFix 10-08-06.01 - Marshall 08/06/2010 21:10:34.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1899 [GMT -4:00]
Running from: c:\users\Marshall\Downloads\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Marshall\AppData\Local\brslppjiv
c:\users\Marshall\AppData\Local\brslppjiv\egkqlxwtssd.exe
c:\users\Marshall\AppData\Roaming\data.dat

.
((((((((((((((((((((((((( Files Created from 2010-07-07 to 2010-08-07 )))))))))))))))))))))))))))))))
.

2010-08-07 01:24 . 2010-08-07 01:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-04 19:56 . 2008-03-19 15:12 1140056 ------w- c:\programdata\HP\Installer\Temp\hpzmsi01.exe
2010-07-29 05:32 . 2010-07-29 05:32 -------- d-----w- c:\users\Marshall\AppData\Roaming\Publish Providers
2010-07-29 05:30 . 2010-07-29 20:50 -------- d-----w- c:\users\Marshall\AppData\Roaming\Sony
2010-07-29 05:30 . 2010-07-29 05:30 -------- d-----w- c:\users\Marshall\AppData\Local\Sony
2010-07-29 05:27 . 2009-05-20 20:17 -------- d-----w- c:\users\Marshall\Sony.Products.Multikeygen.v1.5.Keygen.Only-DI
2010-07-29 05:23 . 2010-07-29 05:23 -------- d-----w- c:\programdata\Sony
2010-07-29 05:22 . 2010-07-29 05:22 -------- d-----w- c:\program files\Sony
2010-07-28 06:19 . 2010-07-28 06:19 -------- d-----w- c:\program files\iPod
2010-07-28 06:13 . 2010-07-28 06:13 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-20 05:56 . 2010-07-20 05:56 -------- d-----w- c:\users\Marshall\AppData\Local\ElevatedDiagnostics
2010-07-20 05:08 . 2010-07-20 05:12 -------- d-----w- c:\program files\Microsoft ATS
2010-07-19 03:55 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-07-19 03:55 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-07-19 03:53 . 2010-07-28 06:20 -------- d-----w- c:\program files\iTunes
2010-07-19 03:47 . 2010-07-19 03:49 -------- d-----w- c:\program files\QuickTime
2010-07-19 03:38 . 2010-07-19 03:38 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-05 23:05 . 2010-01-05 09:18 -------- d-----w- c:\program files\wowmodelview-r672
2010-08-05 00:05 . 2009-07-01 23:39 -------- d-----w- c:\users\Marshall\AppData\Roaming\uTorrent
2010-08-04 23:35 . 2009-10-12 03:28 -------- d-----w- c:\program files\IZArc
2010-07-30 18:57 . 2009-07-02 01:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 00:42 . 2009-07-16 22:43 -------- d-----w- c:\program files\WeGame
2010-07-28 06:19 . 2010-04-19 23:42 -------- d-----w- c:\program files\Common Files\Apple
2010-07-19 04:22 . 2009-07-02 00:03 -------- d-----w- c:\users\Marshall\AppData\Roaming\Apple Computer
2010-07-15 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-25 07:01 . 2010-06-25 07:01 -------- d-----w- c:\program files\Microsoft.NET
2010-06-22 18:56 . 2009-08-19 21:06 -------- d-----w- c:\programdata\Blizzard Entertainment
2010-05-26 17:06 . 2010-06-10 19:48 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 19:48 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2009-10-03 03:01 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-07-30 14:43 . 2008-07-30 14:43 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-05-13 19:34 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Marshall\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-07-01 133104]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-08-25 288048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-20 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-03-26 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-03-29 2145000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2009-05-13 6345840]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe [2008-6-3 413696]
WeGame.lnk - c:\program files\WeGame\wegame.exe [2009-7-16 1527296]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ca,87,f3,35,a5,68,ca,01

R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-04-02 234888]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-12-14 570880]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2010-03-29 114984]
S2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [2010-03-29 134024]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-29 810120]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys [2010-03-29 96896]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2009-07-02 1205760]
S3 HSXHWBS3;HSXHWBS3;c:\windows\system32\DRIVERS\HSXHWBS3.sys [2008-02-12 207360]
S3 WUSB54GSCv2.NTx86;Compact Wireless-G USB Network Adapter with SpeedBooster Service;c:\windows\system32\DRIVERS\WUSB54GSCV2_X86.sys [2008-01-08 238072]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-656297243-3801516935-1174647162-1001Core.job
- c:\users\Marshall\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-01 21:55]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-656297243-3801516935-1174647162-1001UA.job
- c:\users\Marshall\AppData\Local\Google\Update\GoogleUpdate.exe [2009-07-01 21:55]

2009-01-06 c:\windows\Tasks\HPCeeScheduleForEudora.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-07-30 03:03]

2010-08-06 c:\windows\Tasks\wrSpySweeper_L4C4DC96FF8634D1B8F378459361D40F4.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-07-02 19:40]

2010-08-06 c:\windows\Tasks\wrSpySweeper_L4C4DC96FF8634D1B8F378459361D40F4.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-07-02 19:40]

2010-08-03 c:\windows\Tasks\wrSpySweeper_L926A508A80214CA0A80874F33901AF29.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-07-02 19:40]

2010-08-03 c:\windows\Tasks\wrSpySweeper_L926A508A80214CA0A80874F33901AF29.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-07-02 19:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=13920&l=dis
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Presario&pf=cndt
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6522
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-HostManager - c:\program files\Common Files\AOL\1232289610\ee\AOLSoftware.exe
ActiveSetup-{BFF8B6B0-DAF6-CF92-6F4C-81BCAEAEACC9}t - c:\users\Marshall\AppData\Roaming\mswhelp.exe
ActiveSetup-{CECDFBDF-7C6B-AC6D-FD6A-7DC2E1E6301C} - c:\users\Marshall\AppData\Local\Temp\incognito.exe
AddRemove-AOL Uninstaller - c:\program files\Common Files\AOL\uninstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-06 21:25
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-06 21:31:14
ComboFix-quarantined-files.txt 2010-08-07 01:31

Pre-Run: 105,763,741,696 bytes free
Post-Run: 105,774,116,864 bytes free

- - End Of File - - C029A6B4978ECCE180A732A0C8832337
 
Please rerun hijackthis and place checks next to the following entries.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Marshall\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - Global Startup: PictureMover.lnk = C:\Program Files\PictureMover\Bin\PictureMover.exe
O4 - Global Startup: WeGame.lnk = C:\Program Files\WeGame\wegame.exe

Then click on fix checked at the bottom.

I noticed an entry in your ComboFix log showing that you have a keygen on your system. I highly recommend uninstalling it and buying the program legally.

c:\users\Marshall\Sony.Products.Multikeygen.v1.5.Keygen.Only-DI

Most keygens are infected with malware.

Please download the following so we may check the security of your system.

Download Security Check from here or here
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.
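The two pieces of advice above (uncheck the proxy boxes in Internet Options, then fix the listed HijackThis entries) can be turned into a repeatable triage. What follows is an added example written for this page, not a tool from the thread or from the HijackThis/ComboFix authors: it parses a few log lines copied from the post above, flags the `R1 ... ProxyServer` entry because it points at a loopback address (a proxy on 127.0.0.1 is the malware's own listener, so browsers lose connectivity the moment that process is killed while WoW and Ventrilo, which ignore the IE proxy, keep working), flags the orphaned BHO and anything autostarting from a user-writable path, and checks whether anything is actually listening where the proxy setting points. The line formats assumed are those of HijackThis 2.0.2 as shown in the log; the severity rules are my own assumption.

```python
"""Triage a HijackThis-style log for the entries a helper would fix first.

Added example, not part of the thread. The sample lines are copied from the
log posted above; the scoring rules and line-format regexes are assumptions.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Google Update] "C:\Users\Marshall\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
"""

# Assumed HijackThis 2.0.2 line shapes (R0/R1 registry values, O2 BHOs, O4 Run keys, O23 services).
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>\S+) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
USER_WRITABLE = re.compile(r"\\(appdata|temp)\\", re.IGNORECASE)  # paths any user can write to


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "review"
    reason: str
    line: str


def parse_proxy_server(value):
    """Parse the Internet Settings ProxyServer string into {protocol: (host, port)}.
    Windows stores either "host:port" (all protocols, keyed here as "*") or a
    semicolon list of "proto=host:port" entries, as in the log above."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given
            host, port = hostport, ""
        proxies[proto or "*"] = (host.strip("[]"), int(port) if port.isdigit() else None)
    return proxies


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or "localhost": a proxy that can only be a local process."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an address
        return False


def exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return the entries worth fixing, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m and m.group("name") == "ProxyServer":
            for proto, (host, port) in parse_proxy_server(m.group("value")).items():
                if is_loopback(host):
                    findings.append(Finding("high", f"{proto} traffic forced through local proxy "
                                            f"{host}:{port}; browsers fail once that process is gone", line))
            continue
        m = O2_LINE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(Finding("medium", f"orphaned BHO {m.group('clsid')} (no file)", line))
            continue
        m = O4_LINE.match(line)
        if m:
            if USER_WRITABLE.search(exe_from_command(m.group("cmd"))):
                findings.append(Finding("review", f"{m.group('hive')} autorun '{m.group('name')}' "
                                        "runs from a user-writable path", line))
            continue
        m = O23_LINE.match(line)
        if m and m.group("owner") == "Unknown owner":
            findings.append(Finding("review", f"service '{m.group('name')}' has no recorded vendor", line))
    return findings


def proxy_reachable(host, port, timeout=1.0):
    """True if something accepts TCP connections at host:port. A configured proxy
    that nothing listens on is exactly the 'browsers can't connect' symptom."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    host, port = parse_proxy_server("http=127.0.0.1:6522")["http"]
    print(f"proxy {host}:{port} reachable: {proxy_reachable(host, port)}")
```

Run it against a saved HijackThis log by passing the file's contents to `triage()`. A "review" hit is not a verdict: Google Update legitimately lives under AppData, but the ComboFix log in this thread shows the real payload (`AppData\Local\brslppjiv\egkqlxwtssd.exe` and the ActiveSetup entries under `AppData\Roaming` and `Temp`) in the same kind of location, which is why user-profile autoruns deserve a second look.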
 
Yeah, my brother mentioned the whole keygen thing to me. Of course it didn't work; he had the same adware on his computer. Anyway, um, about WeGame, that's a video capturing thing for WoW. When HijackThis 'fixes' it, does it delete it? And I'll find the keygen and delete it. Worthless thing. Just a few questions.
 
No, it doesn't delete it, it just stops it from starting when you boot up the computer. You can always start it manually.
 
Alright, fixed the items in HijackThis, and here's the log from Security Check.


Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 2 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET NOD32 Antivirus
Webroot AntiVirus with AntiSpyware
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 21
Java(TM) SE Runtime Environment 6 Update 1
Adobe Flash Player 10.0.22.87
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Windows Defender MSASCui.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 