Small Notebook Ruined with Malware, took a few steps already with HJT log

Nocturnatum (thread starter), member with 62 posts
Join Date: Mar 2008
Location: UK
Experience: Intermediate
21-Oct-2011, 05:51 PM #1
Hi, my friend has a small notebook, a Freedom Zoostorm. I have installed Avast free edition and scanned the device, removing over 100 infections, and I am currently doing a Malwarebytes scan as well. I have done a HJT scan and here is the log file:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:47:20, on 21/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SiteRanker\SiteRankTray.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/disp...b_id&%language
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inbox.com/homepage.aspx?tbid=80366&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: (no name) - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\PROGRA~1\SITERA~1\SiteRank.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: AppGraffiti - {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - C:\PROGRA~1\APPGRA~1\APPGRA~1.DLL
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [SiteRanker] "C:\Program Files\SiteRanker\SiteRankTray.exe"
O4 - HKLM\..\Run: [PCPowerSpeed] "C:\Program Files\PCPowerSpeed\PCPowerTray.exe" /startup
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Insaniquarium%20Deluxe/Images/stg_drm.ocx
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Peggle/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF75D96D-2C77-471B-B34D-729D347254D7}: NameServer = 217.171.132.1 217.171.135.1
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: BecHelperService - Unknown owner - C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Sony Ericsson PCCompanion - Avanquest Software - C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCService.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O24 - Desktop Component 0: (no name) - http://images.azlyrics.com/phone.gif

--
End of file - 7920 bytes

Please give me the steps to clean this notebook and get it working in top shape, thanks in advance... (Many more thanks to come.)
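A defender-side triage of the HijackThis log format posted above, added here as an example (it is not code from the original post or from HijackThis itself). It parses a subset of the lines from this log and sorts them into review buckets: entries whose target file is gone, IE start/search pages pointing away from the expected defaults, Run keys that are not one of the tools the poster installed, Run keys under service-account hives, and the configured DNS servers. The DEFAULT_HOSTS and KNOWN_TOOLS lists are assumptions chosen for this particular log, not authoritative allow-lists.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted above (a subset, for the demo).
HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inbox.com/homepage.aspx?tbid=80366&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - (no file)
O2 - BHO: (no name) - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\PROGRA~1\SITERA~1\SiteRank.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SiteRanker] "C:\Program Files\SiteRanker\SiteRankTray.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKUS\S-1-5-19\..\Run: [Exetender] "C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup (User 'LOCAL SERVICE')
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF75D96D-2C77-471B-B34D-729D347254D7}: NameServer = 217.171.132.1 217.171.135.1
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O24 - Desktop Component 0: (no name) - http://images.azlyrics.com/phone.gif
"""

# Every HJT finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# Assumption: hosts treated as expected IE start/search defaults on this XP box.
DEFAULT_HOSTS = ("go.microsoft.com", "search.live.com", "www.microsoft.com")
# Assumption: startup entries belonging to tools the poster installed on purpose.
KNOWN_TOOLS = ("avast", "malwarebytes", "spybot", "ctfmon")


def triage(log: str) -> dict:
    """Group HijackThis lines into review buckets; returns {bucket: [body, ...]}."""
    findings = defaultdict(list)
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            # Registry still references a component whose file is gone: leftover to clean.
            findings["orphaned"].append(body)
        elif sec in ("R0", "R1"):
            url = body.split(" = ", 1)[-1]
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if host not in DEFAULT_HOSTS:
                findings["browser_hijack"].append(body)
        elif sec == "O4":
            if not any(tool in body.lower() for tool in KNOWN_TOOLS):
                findings["startup_review"].append(body)
            if "(User 'LOCAL SERVICE')" in body or "(User 'NETWORK SERVICE')" in body:
                # A game launcher autostarting under a service account is unusual.
                findings["service_account_run"].append(body)
        elif sec == "O17":
            findings["dns_servers"].append(body.split("NameServer = ", 1)[-1])
        elif sec == "O24":
            findings["desktop_component"].append(body)
    return dict(findings)


if __name__ == "__main__":
    for bucket, items in triage(HJT_LOG).items():
        print(f"[{bucket}]")
        for item in items:
            print("   ", item)
```

The DNS bucket is reported rather than judged: whether 217.171.132.1 and 217.171.135.1 belong to the 3 Mobile Broadband connection shown in the process list is something to verify against the ISP, not something the log alone can settle.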
Nocturnatum (thread starter), member with 62 posts
Join Date: Mar 2008
Location: UK
Experience: Intermediate
21-Oct-2011, 06:42 PM #2
Here's my latest MBAM log file, but I didn't get to do a full system scan because I didn't have the time.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7995

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/10/2011 23:35:02
mbam-log-2011-10-21 (23-35-02).txt

Scan type: Full scan (C:\|G:\|)
Objects scanned: 94486
Time elapsed: 1 hour(s), 8 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 54

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\kerian.kerians\local settings\Temp\254984.uninstall\uninstall.exe (Adware.InstallCore) -> Quarantined and deleted successfully.
c:\documents and settings\kerian.kerians\local settings\Temp\282781.uninstall\uninstall.exe (Adware.InstallCore) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP165\A0299204.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP170\A0303719.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP146\A0293621.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP146\A0293623.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP146\A0293624.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP146\A0293625.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP147\A0294262.exe (Adware.InstallCore) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP147\A0294266.exe (Adware.InstallCore) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP148\A0294272.dll (Adware.FreezeFrog) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294367.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294370.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294371.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294372.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294373.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294374.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294375.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294376.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294377.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294378.SCR (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294380.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294381.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294382.EXE (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294383.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294384.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294385.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294386.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294387.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294388.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294389.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294390.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294391.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294392.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294393.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294394.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294395.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294396.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294398.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294399.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294401.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294402.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294403.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294404.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294405.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294406.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294379.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP149\A0294397.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP151\A0295061.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP151\A0295062.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP151\A0295063.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP154\A0295261.dll (Adware.SmartShopper) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP154\A0295724.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
c:\system volume information\_restore{67ef5aac-054f-4247-b256-997f50a41534}\RP163\A0298347.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.