http://online-scaner-software.net/secure... Malware help please.

adamw13 · 10:14 PM

A few days ago i noticed this malware poping up after searching on google. I have attached a HJT log file.

Thanks in advance for your help. This is the site shown by the malware. http://online-scaner-software.net/se...8892c5d64253db

adamw13 · 12-Dec-2009, 10:14 PM #2

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:34 PM, on 13/12/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {06534F6A-2E01-411C-9E79-0CE4FF426BDc} - C:\Windows\SysWow64\dispex32.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CooperativeAdvertiser - {1BD2970F-9DB9-F23A-1AEF-71A27DE17CAF} - C:\Program Files (x86)\CooperativeAdvertiser\CooperativeAdvertiser.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files (x86)\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files (x86)\Winamp\winampa.exe"
O4 - HKLM\..\Run: [ContentTransferWMDetector.exe] "C:\Program Files (x86)\Sony\Content Transfer\ContentTransferWMDetector.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files (x86)\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Mp4 Player] "C:\Program Files (x86)\Mp4 Player\Mp4Player.exe" hmw
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files (x86)\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~2\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hmipcore.dll
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\Windows\System32\d3dramp32.dll,C:\Windows\System32\ds32gt32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files (x86)\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Update Service (gupdate1c9ace1d9e48622) (gupdate1c9ace1d9e48622) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HideMyIpSRV - Unknown owner - C:\Program Files (x86)\Hide My IP 2009\HideMyIpSrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11036 bytes

adamw13 · 14-Dec-2009, 12:14 AM #3

Bump

**dvk01** · 14-Dec-2009, 12:12 PM #4

Download OTScanIt.exe to your Desktop

Close any open browsers.
If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
Double-click on OTS.exe to start the program.
Now on the toolbar at the top select "Scan all users" then click the Run Scan button
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file

If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.

adamw13 · 14-Dec-2009, 11:59 PM #5

Log was too big, so is attached. Thanks, Adam

**dvk01** · 15-Dec-2009, 05:31 PM #6

why are you using an illegal activation crack for vista

I can't help you with an ilegal copy of windows

adamw13 · 16-Dec-2009, 12:13 AM #7

When i received the PC the Vista was installed from a cracked cd, however, since then i have purchased a Vista DVD to enter a Product Key which i have in front of me. I can give the purchased product key if required and if it will allow you to continue helping with my malware issue.

Thanks

**dvk01** · 16-Dec-2009, 03:44 PM #8

you need to uninstall the cracks, and then change the product key & re activate as described here
http://www.mydigitallife.info/2007/0...a-product-key/

post back when that is done

go to

Please go here using Internet Explorer.
Click on "Windows Validation Assistant"
Click on the "Validate Now" button.
Be patient while the ActiveX loads, do not click on any links.
Read the instructions on this page while it's loading. You will be prompted to install - click YES.
Enter your product key then click "continue"
When it says "Validation Complete" please click "Continue to return to your previous activity"
Copy what it says and paste it here.

adamw13 · 12:12 AM

I'm unsure how to uninstall the old crack, but I followed the steps from the first link you posted. After entering the Product ID i received a confirmation message that the Product ID was changed to a genuine one.

I then followed the 2nd set of instructions using IE. While the setout of the web site is not exactly as shown in the instructions, the Active X loads did install and work. It did not ask me to enter the Product key though. There was no "Continue to return to your previous activity" link, but i did get the following message.

" Validation Complete!

Thank you for completing the validation process and for using genuine Microsoft software.
By using genuine Microsoft software, you can be confident that you will have access to the latest features, security, and support, which will help to improve your productivity and expand the capabilities of your computer.
You will also have access to new innovations and offerings available only to genuine Microsoft software customers. "

I hope the changing of product ID's has worked, or maybe i need more info on uninstalling the old crack.

Thanks

**dvk01** · 17-Dec-2009, 09:12 AM **#10**

we can deal with removing the crack and other malware using OTS

give me a while to prepare the fix

**dvk01** · 17-Dec-2009, 09:31 AM **#11**

Start OTS. Copy/Paste the information in the Code box below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {06534F6A-2E01-411C-9E79-0CE4FF426BDc} [HKLM] -> C:\Windows\SysWOW64\dispex32.dll [Reg Error: Value error.]
YN -> {1BD2970F-9DB9-F23A-1AEF-71A27DE17CAF} [HKLM] -> C:\Program Files (x86)\CooperativeAdvertiser\CooperativeAdvertiser.dll [CooperativeAdvertiser]
YN -> {5C255C8A-E604-49b4-9D64-90988571CECB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\Windows\System32\d3dramp32.dll -> C:\Windows\SysWow64\d3dramp32.dll
YY -> C:\Windows\System32\ds32gt32.dll -> C:\Windows\SysWow64\ds32gt32.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Vista Active Application Exception Rules > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
YN -> {37B58CDC-4467-41B8-82EB-B97C3045C444} -> profile=public | protocol=6 | dir=in | action=allow | name=rlvknlg.exe | app=c:\windows\temp\~os8b3f.tmp\rlvknlg.exe | 
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{029977ba-ea62-11db-9cf2-001a921686e9} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{029977ba-ea62-11db-9cf2-001a921686e9}\shell\Open*\command -> 
YN -> \{029977ba-ea62-11db-9cf2-001a921686e9}\shell\Open*\command\\"" -> E:\MicrosoftPowerPoint.exe [E:\MicrosoftPowerPoint.exe]
YN -> \{5c5da050-c850-11de-a2f5-001a921686e9} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c5da050-c850-11de-a2f5-001a921686e9}\shell\AutoRun\command -> 
YN -> \{5c5da050-c850-11de-a2f5-001a921686e9}\shell\AutoRun\command\\"" -> E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe [E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe]
YN -> \{5c5da050-c850-11de-a2f5-001a921686e9} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c5da050-c850-11de-a2f5-001a921686e9}\shell\open\command -> 
YN -> \{5c5da050-c850-11de-a2f5-001a921686e9}\shell\open\command\\"" -> E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe [E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\isi32.exe]
YN -> \{5c5da055-c850-11de-a2f5-001a921686e9} -> 
YN -> \{cf4eb9ae-08e7-11dd-b6b8-001a921691ad} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{cf4eb9ae-08e7-11dd-b6b8-001a921691ad}\shell\Open*\command -> 
YN -> \{cf4eb9ae-08e7-11dd-b6b8-001a921691ad}\shell\Open*\command\\"" -> F:\MicrosoftPowerPoint.exe [F:\MicrosoftPowerPoint.exe]
[Files/Folders - Created Within 30 Days]
NY ->  709253460 -> C:\Windows\SysWow64\709253460
NY ->  3 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp
NY ->  3 C:\Users\Adam\Documents\*.tmp files -> C:\Users\Adam\Documents\*.tmp
NY ->  10 C:\Users\Adam\Desktop\*.tmp files -> C:\Users\Adam\Desktop\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  TimerStop64.sys -> C:\Users\Adam\AppData\Local\TimerStop64.sys
NY ->  TimerStop.sys -> C:\Users\Adam\AppData\Local\TimerStop.sys
NY ->  1210347107 -> C:\Windows\SysWow64\1210347107
NY ->  410271283 -> C:\Windows\SysWow64\410271283
NY ->  dispex32.dll -> C:\Windows\SysWow64\dispex32.dll
NY ->  Nb5mNES8GAyAL.vbs -> C:\Windows\SysWow64\Nb5mNES8GAyAL.vbs
NY ->  85191 C:\Users\Adam\AppData\Local\Temp\*.tmp files -> C:\Users\Adam\AppData\Local\Temp\*.tmp
NY ->  85191 C:\Users\Adam\AppData\Local\Temp\*.tmp files -> C:\Users\Adam\AppData\Local\Temp\*.tmp
NY ->  3 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp
NY ->  3 C:\Users\Adam\Documents\*.tmp files -> C:\Users\Adam\Documents\*.tmp
NY ->  10 C:\Users\Adam\Desktop\*.tmp files -> C:\Users\Adam\Desktop\*.tmp
[Files - No Company Name]
NY ->  TimerStop64.sys -> C:\Users\Adam\AppData\Local\TimerStop64.sys
NY ->  1210347107 -> C:\Windows\SysWow64\1210347107
NY ->  410271283 -> C:\Windows\SysWow64\410271283
NY ->  dispex32.dll -> C:\Windows\SysWow64\dispex32.dll
NY ->  Nb5mNES8GAyAL.vbs -> C:\Windows\SysWow64\Nb5mNES8GAyAL.vbs
[Empty Temp Folders]
[ZipFiles]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

adamw13 · 18-Dec-2009, 05:26 PM **#12**

All the logs and issues encountered are in the notepad file attached. Thanks for your time and effort.

**dvk01** · 18-Dec-2009, 05:42 PM **#13**

you say " I did some searches on google using Firefox and there was still malware sites popping up for pc security software".

lets see what this finds

Please download Malwarebytes' Anti-Malware to your desktop
from HERE or HERE

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

Update Malwarebytes' Anti-Malware. Launch Malwarebytes' Anti-Malware. Then click Finish.

If an update is found, it will download and install the latest version. Press Update to make sure the latest database is loaded.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please include this log in your next reply.

It might ask you to reboot to finish cleaning. Please do so. ( Press YES on the alert)
If you receive an (Error Loading xxxxxxxxxx .dll) error on reboot please reboot a second time . It is normal for this error to occur once and does not need to be reported unless it continues on every boot

adamw13 · 18-Dec-2009, 06:10 PM **#14**

Here is the Malwarebytes' Anti-Malware log. Again i did some quick google searches and still some redirects to spyware software sites. Thanks

Malwarebytes' Anti-Malware 1.42
Database version: 3388
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

19/12/2009 10:02:58 AM
mbam-log-2009-12-19 (10-02-58).txt

Scan type: Quick Scan
Objects scanned: 93308
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 6
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cooperativeadvertiser.cooperativeadvertiser (Adware.CooperativeAdvertiser) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cooperativeadvertiser.cooperativeadvertiser.1 (Adware.CooperativeAdvertiser) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{418d86be-7386-4f1a-83e0-53604adbda74} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1bd2 970f-9db9-f23a-1aef-71a27de17caf} (Adware.CooperativeAdvertiser) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa4 2713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\DLP.dll (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\antivirus2008y (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CooperativeAdvertiser (Adware.CooperativeAdvertiser) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\PlayMP3 (Adware.PLayMP3z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antivirus2008y (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CLASSES_ROOT\AppID\(default) (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explo rer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\Adam\AppData\Roaming\Antivirus2008y (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files (x86)\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32 (Worm.Archive) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files (x86)\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\329.crack.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\330.keygen.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\331.serial.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\332.setup.zip.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\333.music.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\333.music.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\334.music2.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\334.music2.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\335.music3.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\335.music3.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\336.music4.au (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\LocalService\336.music4.au.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\mi1110336617v4 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\mi1110336617v4.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\mi1110336617v5 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\mi1110336617v5.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\mi1110336617v6 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\mi1110336617v6.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\mi1110336617v7 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\mi1110336617v7.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\wu1110336617v0 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\wu1110336617v0.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\wu1110336617v1 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\wu1110336617v1.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\wu1110336617v2 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\wu1110336617v2.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\wu1110336617v3 (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\SysWoW32\wu1110336617v3.kwd (Worm.Archive) -> Quarantined and deleted successfully.
C:\Windows\System32\GroupPolicy000.dat (Malware.Trace) -> Quarantined and deleted successfully.

**dvk01** · 19-Dec-2009, 07:50 AM **#15**

run ots again but this time select everything in the extras box & in the file age drop down box select 90 days

That will give a much larger report file that you will probably have to zip to be able to upload it here

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!