Cannot access my website (only on my pc)

April 8, 2011 at 15:54:19
Specs: Windows 7, t3200/3GB
Hello,

My PC is clicking randomly (like when you push the back or forward button on IE) and SearchProtocolHost.exe is constantly appearing in Task Manager (I have indexing disabled).
This evening I haven't been able to access my website: www. powerlaptop .ro (this was the most visited website on my computer).
I think I am infected with a trojan or a rootkit.

Please help, because I have been using all my passwords and banking details on this machine since I believe I have been infected.




#1
April 8, 2011 at 17:00:27
Start > Run, paste services.msc & hit > Enter.

Go down to Windows Search and double click on it. Stop the service and then disable it from starting.

Do as much checking as is needed with these tools, to get things back to normal.

RootRepeal
http://sites.google.com/site/rootre...

RootKit Hook Analyzer now = SanityCheck
www.resplendence.com/sanity
Download free home edition
http://www.resplendence.com/downloa...
Advanced rootkit and malware detector for Windows 7/Vista/XP/2008/2003/2000 (x86 and x64)

Sophos Anti-Rootkit
http://www.sophos.com/products/free...

BlackLight Rootkit Elimination Technology
http://www.bleepingcomputer.com/tut...
http://fileforum.betanews.com/detai...
http://downloads.andymanchesta.com/...
http://www.f-secure.com/blacklight/

Avast anti-rootkit Edition, based upon the powerful GMER engine
http://files.avast.com/files/beta/a...

The Avenger – a full-scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. http://swandog46.geekstogo.com/aven...
It works ONLY for Windows 2000 and XP. See here for usage and release notes. http://swandog46.geekstogo.com/aven...
If the ZIP compression format poses a problem, a non-compressed EXE is available here.
http://swandog46.geekstogo.com/aven...

Using ESET's Online Scanner
General clean up and Prep (Do prior to any AV scans)
http://www.computing.net/howtos/sho...
http://forums.majorgeeks.com/showth...
http://www.eset.eu/online-scanner
How can I view the log file from ESET Online Scanner?
http://www.eset.eu/eset-online-scan...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the desktop.



#2
April 8, 2011 at 17:27:07
Oops, just noticed you are on W7, and when you say you have disabled indexing, you probably have done it this way.

http://www.vistax64.com/tutorials/6...



#3
April 9, 2011 at 01:44:12
Hi, thanks for your answer!

Yes, I disabled it that way (in the properties window for each drive) :)
I tried running RootRepeal and got this error when starting the program: FOPS - DeviceControl Error! Error Code = 0xc0000024 Extended Info (0x000006cc)
The program starts, but when I click scan I get this error: DeviceIoControll Error! Error Code = 0x0



#4
April 9, 2011 at 02:42:10
Are you W7 64bit?

Keep trying with the programs; when you are infected, anything can happen.



#5
April 9, 2011 at 03:03:25
I have the 32-bit edition.
I now scanned with SanityCheck and no irregularities were found.
I am continuing with the scans.
Thanks!


#6
April 9, 2011 at 03:07:59
Sophos Anti-Rootkit won't run any test:
Error: Could not start the helper process - unable to complete scan. Please restart and try again. Incorrect function.
Error: failed to open shared memory. Please restart and try again. The handle is invalid


#7
April 9, 2011 at 03:19:57
BlackLight will not run. It says it is incompatible with this version of Windows. I ignore this warning, I run it, and I get an "F-Secure BlackLight has stopped working" error.


#8
April 9, 2011 at 03:49:29
Avenger didn't find anything.

#9
April 9, 2011 at 03:57:13
Got friends arriving for dinner any minute, keep going through all the stuff.

Naturally, with trillions of error combinations, I have no idea what yours mean, but it is highly unlikely you are the first in the world to have them; this is where Google comes in.

Put all or parts of the error into Google.

Here is an example of what I mean.

0xc0000024 Extended Info (0x000006cc)

http://tinyurl.com/426vk2y

Or,

0xc0000024

http://tinyurl.com/426vk2y



#10
April 9, 2011 at 10:05:38
My visitors are gone, a few more things to add, then I'm going to bed.

For the programs that won't run, right-click on them & select > Run as administrator.

Here is another program to run, use the tricks to make it run, on any program.

Malwarebytes' Anti-Malware ( MBAM )
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.malwarebytes.org/mbam.php
http://www.spywareinfoforum.com/ind...
http://www.bleepingcomputer.com/vir...
Forum
http://www.malwarebytes.org/forums/
Error codes
http://forums.malwarebytes.org/inde...
Common Issues, Questions, and their Solutions, Frequently Asked Questions.
http://forums.malwarebytes.org/inde...
http://www.spywareinfoforum.com/ind...
VIPRE Rescue Program
http://vipre.malwarebytes.org/
http://live.sunbeltsoftware.com/
Try it in Safe mode with Networking.
If it won't run, rename the downloaded mbam-setup.exe file to mb.exe to help work around certain malware that will block it from being run.
If it still will not run:
1: Go to Control Panel > Programs and Features and uninstall Malwarebytes.
Next, redownload Malwarebytes but rename it before you download it to your desktop. As you are in the process of downloading, when you get to the point that the "enter name of file to save to" box appears, in the "filename" slot rename mbam-setup.exe to something.exe, then click Save.
If it installed but will not run, navigate to this folder:
2: C:\Programs Files\Malwarebytes' AntiMalware
At the top of the page, Tools > Folder Options > View, click > Show hidden files and folders and untick > Hide extensions for known file types.
How to see hidden files in Windows
http://www.bleepingcomputer.com/tut...
Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.
When it opens, update 1st.
If it won't update after installing, update manually.
http://www.malwarebytes.org/mbam/da...
Download & install.



#11
April 10, 2011 at 11:43:35
Thank you for your answers! I will try all the suggestions you gave me.

#12
April 10, 2011 at 11:51:53
I would suggest you try
1- Trojan Remover
http://www.simplysup.com/tremover/d...
2- HitmanPro
http://www.surfright.nl/en/downloads
and fix all they find.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#13
April 11, 2011 at 14:27:26
Hello!

I ran ComboFix and it found some infections, and did disinfection.
Here is the log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by IOAN at 0:24:24.06 on Tue 04/12/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2937.2091 [GMT 3:00]
.
AV: BitDefender Antivirus *Disabled/Updated* {50909708-FF80-02AF-F814-B28405891E92}
SP: BitDefender Antispyware *Disabled/Updated* {EBF176EC-D9BA-0D21-C2A4-89F67E0E542F}
FW: BitDefender Firewall *Disabled* {68AB162D-B5EF-03F7-D34B-1BB1FB5A59E9}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
E:\Program Files\BitDefender\BitDefender 2011\vsserv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
E:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\Windows\system32\svchost.exe -k imgsvc
E:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
E:\Program Files\BitDefender\BitDefender 2011\updatesrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
E:\Program Files\BitDefender\BitDefender 2011\bdagent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
E:\Program Files\BitDefender\BitDefender 2011\pchooklaunch32.exe
E:\program files\common files\Java\Java Update\jusched.exe
E:\program files\Smarter Battery\SmarterBattery.exe
E:\program files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\Windows Media Player\wmpnetwk.exe
E:\Program Files\BitDefender\BitDefender 2011\downloader.exe
C:\Windows\system32\conhost.exe
C:\Windows\Explorer.exe
C:\Users\IOAN\Desktop\desfinfectie\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - e:\program files\bitdefender\bitdefender 2011\IEToolbar.dll
uRun: [Yahoo! Pager] "e:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [AccSmart] e:\program files\smarter battery\SmarterBattery.exe
mRun: [BitDefender Antiphishing Helper] "e:\program files\bitdefender\bitdefender 2011\ieshow.exe"
mRun: [BDAgent] "e:\program files\bitdefender\bitdefender 2011\bdagent.exe"
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "e:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "e:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - e:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - e:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - e:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\users\ioan\appdata\roaming\mozilla\firefox\profiles\pchwfc5s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - prefs.js: network.proxy.http - 109.185.166.114
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.type - 0
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: e:\program files\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: e:\program files\mozilla firefox\plugins\np_IEGetPlugin.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npnul32.dll
FF - plugin: e:\program files\mozilla firefox\plugins\NPOFF12.DLL
FF - plugin: e:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: e:\users\ioan\appdata\local\bitmanagement software\bs contact\npBSContact.dll
FF - plugin: e:\users\ioan\appdata\local\bitmanagement software\bs contact\npBSVersion_6.dll
FF - plugin: e:\users\ioan\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\mozilla firefox 4.0 beta 10\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: BuiltWith: gary@builtwith.com - %profile%\extensions\gary@builtwith.com
FF - Ext: YSlow: yslow@yahoo-inc.com - %profile%\extensions\yslow@yahoo-inc.com
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: Page Speed: {e3f6c2cc-d8db-498c-af6c-499fb211db97} - %profile%\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
FF - Ext: Test Pilot: testpilot@labs.mozilla.com - %profile%\extensions\testpilot@labs.mozilla.com
FF - Ext: BitDefender Antiphishing Toolbar: FFToolbar@bitdefender.com - e:\program files\bitdefender\bitdefender 2011\bdaphffext
.
============= SERVICES / DRIVERS ===============
.
R1 Bdfndisf;BitDefender Firewall NDIS 6 Filter Driver;e:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [2010-8-20 72784]
R1 bdfwfpf;bdfwfpf;e:\program files\common files\bitdefender\bitdefender firewall\bdfwfpf.sys [2010-8-20 88144]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-1-24 218688]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPORTIO.sys [2007-9-28 3584]
R2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2011-3-10 5152]
R2 TeamViewer6;TeamViewer 6;e:\program files\teamviewer\version6\TeamViewer_Service.exe [2010-12-1 2253176]
R2 Updatesrv;BitDefender Desktop Update Service;e:\program files\bitdefender\bitdefender 2011\updatesrv.exe [2010-10-11 43424]
R3 BDFM;BDFM;c:\windows\system32\drivers\bdfm.sys [2010-5-13 152528]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2011-3-3 167424]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-3-31 379904]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\drivers\adusbser.sys [2011-2-9 106880]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2011-4-9 27192]
S3 Update Server;BitDefender Update Server v2;e:\program files\common files\bitdefender\bitdefender arrakis server\bin\arrakis3.exe [2010-10-11 307544]
S4 avc3;avc3;c:\windows\system32\drivers\avc3.sys [2010-6-28 633424]
S4 avckf;avckf;c:\windows\system32\drivers\avckf.sys [2010-6-28 970320]
.
=============== Created Last 30 ================
.
2011-04-11 21:16:42 -------- d-----w- e:\users\ioan\appdata\local\temp
2011-04-11 21:15:00 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-11 20:47:53 98816 ----a-w- c:\windows\sed.exe
2011-04-11 20:47:53 89088 ----a-w- c:\windows\MBR.exe
2011-04-11 20:47:53 256512 ----a-w- c:\windows\PEV.exe
2011-04-11 20:47:53 161792 ----a-w- c:\windows\SWREG.exe
2011-04-09 21:35:54 -------- d-----w- e:\program files\SopCast
2011-04-09 11:01:27 -------- d-----w- e:\program files\ESET
2011-04-09 10:04:58 -------- d-----w- e:\program files\Sophos
2011-04-09 09:27:35 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2011-04-09 09:27:34 -------- d-----w- e:\program files\SanityCheck
2011-04-08 22:55:51 -------- d-----w- e:\users\ioan\appdata\roaming\Malwarebytes
2011-04-08 22:55:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-08 22:55:06 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-08 22:55:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-08 22:55:02 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2011-04-05 00:51:29 -------- d-----w- e:\users\ioan\appdata\roaming\AstroGrep
2011-04-04 01:03:47 -------- d-----w- e:\users\ioan\appdata\roaming\CuteRank
2011-04-04 01:03:35 -------- d-----w- e:\program files\CuteRank
2011-03-24 06:38:16 -------- d-----w- c:\progra~2\SecTaskMan
2011-03-24 06:38:01 -------- d-----w- e:\program files\Security Task Manager
2011-03-23 21:07:09 -------- d-----w- c:\progra~2\SEO Elite
2011-03-23 21:04:11 -------- d-----w- e:\program files\SEO Elite 4
2011-03-23 19:46:16 -------- d-----w- e:\program files\BacklinkSpeed
2011-03-17 15:29:06 -------- d-----w- e:\users\ioan\appdata\local\Bitmanagement Software
2011-03-14 10:38:43 -------- d-----w- e:\program files\Trackback Spider
2011-03-13 21:14:22 -------- d-----w- c:\windows\system32\appmgmt
.
==================== Find3M ====================
.
2011-04-09 10:54:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-03 20:50:37 28672 ----a-w- C:\s3.tmp
2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 17:28:07 63502 ----a-w- c:\progra~2\bdinstall.bin
2010-12-20 00:44:58 44 ---h--w- e:\program files\ed6a0e9a.tmp
2010-07-08 07:37:14 101544 ----a-w- e:\program files\common files\LinkInstaller.exe
.
============= FINISH: 0:27:04.21 ===============



#14
April 11, 2011 at 17:25:35
I have been going down the infection path, because something changed.

Here is one from Avast to try.
aswMBR
http://public.avast.com/~gmerek/asw...

Other ways of testing.
http://www.toolkitsupport.co.uk/da/...



#15
April 11, 2011 at 17:38:49
"I ran ComboFix and it found some infections, and did disinfection"

That must be on a previous log, what did it disinfect?



#16
April 12, 2011 at 00:41:30
Sorry,

Here is ComboFix.txt, the log created by ComboFix:

ComboFix 11-04-11.01 - IOAN 04/11/2011 23:52:13.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2937.2169 [GMT 3:00]
Running from: c:\users\IOAN\Desktop\ComboFix.exe
AV: BitDefender Antivirus *Disabled/Updated* {50909708-FF80-02AF-F814-B28405891E92}
FW: BitDefender Firewall *Disabled* {68AB162D-B5EF-03F7-D34B-1BB1FB5A59E9}
SP: BitDefender Antispyware *Disabled/Updated* {EBF176EC-D9BA-0D21-C2A4-89F67E0E542F}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\7Loader.TAG
c:\windows\system32\drivers\mkgr.sys
e:\users\IOAN\AppData\Roaming\scrapebox.exe
.
c:\windows\system32\Version.dll . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_yjhet
.
.
((((((((((((((((((((((((( Files Created from 2011-03-11 to 2011-04-11 )))))))))))))))))))))))))))))))
.
.
2011-04-11 21:06 . 2011-04-11 21:08 -------- d-----w- c:\users\IOAN\AppData\Local\temp
2011-04-11 21:06 . 2011-04-11 21:06 -------- d-----w- e:\users\IOAN\AppData\Local\temp
2011-04-11 21:06 . 2011-04-11 21:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-09 21:35 . 2011-04-09 21:35 -------- d-----w- e:\program files\SopCast
2011-04-09 11:01 . 2011-04-09 11:01 -------- d-----w- e:\program files\ESET
2011-04-09 10:55 . 2011-04-09 10:55 -------- d-----w- e:\program files\Common Files\Java
2011-04-09 10:04 . 2011-04-09 10:04 -------- d-----w- e:\program files\Sophos
2011-04-09 09:27 . 2010-08-23 14:07 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2011-04-09 09:27 . 2011-04-09 09:27 -------- d-----w- e:\program files\SanityCheck
2011-04-08 22:55 . 2011-04-08 22:55 -------- d-----w- e:\users\IOAN\AppData\Roaming\Malwarebytes
2011-04-08 22:55 . 2010-12-20 15:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-08 22:55 . 2011-04-08 22:55 -------- d-----w- c:\programdata\Malwarebytes
2011-04-08 22:55 . 2011-04-08 22:55 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2011-04-08 22:55 . 2010-12-20 15:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-05 00:51 . 2011-04-05 00:51 -------- d-----w- e:\users\IOAN\AppData\Roaming\AstroGrep
2011-04-04 01:03 . 2011-04-04 01:06 -------- d-----w- e:\users\IOAN\AppData\Roaming\CuteRank
2011-04-04 01:03 . 2011-04-04 01:05 -------- d-----w- e:\program files\CuteRank
2011-03-24 06:38 . 2011-03-24 06:38 -------- d-----w- c:\programdata\SecTaskMan
2011-03-24 06:38 . 2011-03-24 06:38 -------- d-----w- e:\program files\Security Task Manager
2011-03-23 21:07 . 2011-03-23 21:07 -------- d-----w- c:\programdata\SEO Elite
2011-03-23 21:04 . 2011-03-23 21:04 -------- d-----w- e:\program files\SEO Elite 4
2011-03-23 19:46 . 2011-03-24 01:25 -------- d-----w- e:\program files\BacklinkSpeed
2011-03-17 15:29 . 2011-03-17 15:29 -------- d-----w- e:\users\IOAN\AppData\Local\Bitmanagement Software
2011-03-16 22:10 . 2011-03-16 22:10 -------- d-----w- c:\users\Administrator
2011-03-14 14:34 . 2011-03-14 14:35 -------- d-----w- e:\users\IOAN\AppData\Roaming\Download Manager
2011-03-14 10:38 . 2011-03-14 10:50 -------- d-----w- e:\program files\Trackback Spider
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-09 10:54 . 2011-02-02 17:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-10 02:04 . 2011-03-10 02:04 5152 ----a-w- c:\windows\system32\drivers\io.sys
2011-03-03 20:50 . 2011-03-03 20:50 28672 ----a-w- C:\s3.tmp
2011-02-19 05:33 . 2011-03-09 13:15 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32 . 2011-03-09 13:15 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32 . 2011-03-09 13:15 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-03 05:45 . 2011-02-08 22:34 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-23 21:47 . 2011-01-23 21:47 218688 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2011-01-23 20:14 . 2011-01-23 20:14 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-01-20 17:28 . 2011-01-20 17:19 63502 ----a-w- c:\programdata\bdinstall.bin
2010-12-20 00:44 . 2010-12-21 12:44 44 ---h--w- e:\program files\ed6a0e9a.tmp
2010-07-08 07:37 . 2010-07-08 07:37 101544 ----a-w- e:\program files\Common Files\LinkInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="e:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 4662776]
"AccSmart"="e:\program files\Smarter Battery\SmarterBattery.exe" [2011-01-31 1176064]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="e:\program files\BitDefender\BitDefender 2011\ieshow.exe" [2010-10-11 71216]
"BDAgent"="e:\program files\BitDefender\BitDefender 2011\bdagent.exe" [2010-11-25 1413312]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Malwarebytes' Anti-Malware (reboot)"="e:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"SunJavaUpdateSched"="e:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 adusbser;AnyDATA USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\adusbser.sys [2009-11-06 106880]
R3 aswArKrn;aswArKrn;c:\users\IOAN\AppData\Local\Temp\aswArKrn.sys [x]
R3 rspSanity;rspSanity;c:\windows\system32\DRIVERS\rspSanity32.sys [2010-08-23 27192]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 Update Server;BitDefender Update Server v2;e:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe [2010-10-11 307544]
R4 avc3;avc3;c:\windows\system32\DRIVERS\avc3.sys [2010-06-28 633424]
R4 avckf;avckf;c:\windows\system32\DRIVERS\avckf.sys [2010-06-28 970320]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-01-23 721904]
S1 Bdfndisf;BitDefender Firewall NDIS 6 Filter Driver;e:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys [2010-08-20 72784]
S1 bdfwfpf;bdfwfpf;e:\program files\Common Files\BitDefender\BitDefender Firewall\bdfwfpf.sys [2010-08-20 88144]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-01-23 218688]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 DLPortIO;DriverLINX Port I/O Driver; [x]
S2 io.sys;IO.DLL Driver;c:\windows\system32\drivers\io.sys [2011-03-10 5152]
S2 TeamViewer6;TeamViewer 6;e:\program files\TeamViewer\Version6\TeamViewer_Service.exe [2011-01-25 2253176]
S2 Updatesrv;BitDefender Desktop Update Service;e:\program files\BitDefender\BitDefender 2011\updatesrv.exe [2010-10-11 43424]
S3 BDFM;BDFM;c:\windows\system32\DRIVERS\bdfm.sys [2010-05-13 152528]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-06-24 167424]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2010-03-31 379904]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3011662876-2074475395-1788521505-1000Core.job
- e:\users\IOAN\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-23 15:04]
.
2011-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3011662876-2074475395-1788521505-1000UA.job
- e:\users\IOAN\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-23 15:04]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - e:\users\IOAN\AppData\Roaming\Mozilla\Firefox\Profiles\pchwfc5s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - prefs.js: network.proxy.http - 109.185.166.114
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\program files\Mozilla Firefox 4.0 Beta 10\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Firebug: firebug@software.joehewitt.com - %profile%\extensions\firebug@software.joehewitt.com
FF - Ext: BuiltWith: gary@builtwith.com - %profile%\extensions\gary@builtwith.com
FF - Ext: YSlow: yslow@yahoo-inc.com - %profile%\extensions\yslow@yahoo-inc.com
FF - Ext: Web Developer: {c45c406e-ab73-11d8-be73-000a95be3b12} - %profile%\extensions\{c45c406e-ab73-11d8-be73-000a95be3b12}
FF - Ext: SearchStatus: {d57c9ff1-6389-48fc-b770-f78bd89b6e8a} - %profile%\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
FF - Ext: Page Speed: {e3f6c2cc-d8db-498c-af6c-499fb211db97} - %profile%\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
FF - Ext: Test Pilot: testpilot@labs.mozilla.com - %profile%\extensions\testpilot@labs.mozilla.com
FF - Ext: BitDefender Antiphishing Toolbar: FFToolbar@bitdefender.com - e:\program files\BitDefender\BitDefender 2011\bdaphffext
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3248)
c:\windows\system32\CSCAPI.dll
e:\program files\BitDefender\BitDefender 2011\pchook32.dll
c:\windows\System32\gameux.dll
c:\windows\system32\msutb.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\windows\system32\taskhost.exe
e:\program files\BitDefender\BitDefender 2011\pchooklaunch32.exe
c:\windows\system32\conhost.exe
e:\program files\Yahoo!\Messenger\ymsgr_tray.exe
e:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
e:\program files\BitDefender\BitDefender 2011\downloader.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2011-04-12 00:16:29 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-11 21:16
.
Pre-Run: 1,642,721,280 bytes free
Post-Run: 1,741,471,744 bytes free
.
- - End Of File - - BE275002A4533480FCBE7C3757BE5FEE



#17
April 12, 2011 at 04:26:47
Ok, thanks for the extra log, is this your IP?

FF - prefs.js: network.proxy.http - 109.185.166.114

http://tinyurl.com/3ldmnma



#18
April 12, 2011 at 05:11:32
Hi! Thanks for your help!

No, that is not my IP :(



#19
April 12, 2011 at 05:35:52
It's on your Combo log, use the google link to find out how to remove.


#20
April 12, 2011 at 06:31:11
Hi john,

I don't know what to remove, all I see there are lists of spammers' IPs, but nothing on how to remove the infection. Is it an infection? I don't know what to remove.

Thanks!



#21
April 12, 2011 at 08:18:02
Read response #12.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#22
April 12, 2011 at 12:41:01
Hi xpuser, I used both the programs you posted but they didn't find anything...

If it is any help to you, this is how I got infected:
http://www.blackhatworld.com/blackh...



#23
April 12, 2011 at 12:46:19
Here it is, how it works:
http://www.blackhatmoneymaker.com/f...


#24
April 12, 2011 at 12:48:34
If I cannot fix this tonight, I will format my entire HDD and make a fresh install of Windows. Also I will change all my passwords....
I am so sorry I tried to use that cracked software.... :(


#25
April 12, 2011 at 12:48:39
I have no idea what you are getting at?

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#26
April 12, 2011 at 13:23:02
John, I found out that "Ok, thanks for the extra log, is this your IP?
FF - prefs.js: network.proxy.http - 109.185.166.114" this IP was a .md proxy used by me to do local searches on google.md so it represents no threat.

My computer is still clicking like Internet Explorer when clicking on the next or back button...


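The exchange in replies #17 and #26 is a small example of a useful check: a browser proxy setting the owner did not configure is a classic sign of traffic interception, and the way to clear it is exactly what happened here, compare the configured endpoint against what the owner knows they set. The script below is an added example, not part of the thread or of ComboFix; it parses `network.proxy.*` entries both in the "FF - prefs.js:" report format seen in the log above and in Firefox's own `prefs.js` syntax, then flags any proxy endpoint that is not on the owner's expected list. The sample lines are constructed (the proxy.pac URL and 10.0.0.5 are made-up values; 109.185.166.114 is the address from the log), and the regexes and function names are mine.

```python
import re
from ipaddress import ip_address

# Constructed sample input (not taken from a real machine): the first two lines copy
# the ComboFix "FF - prefs.js:" format seen in the log above, the rest use Firefox's
# own prefs.js syntax. The proxy.pac URL and 10.0.0.5 are made-up values.
SAMPLE_LINES = [
    'FF - prefs.js: network.proxy.http - 109.185.166.114',
    'FF - prefs.js: network.proxy.http_port - 8080',
    'user_pref("network.proxy.type", 1);',
    'user_pref("network.proxy.autoconfig_url", "http://example.invalid/proxy.pac");',
    'user_pref("network.proxy.ssl", "10.0.0.5");',
    'user_pref("browser.startup.homepage", "about:home");',
]

# ComboFix report style:  FF - prefs.js: <pref> - <value>
COMBOFIX_RE = re.compile(r'^FF - prefs\.js:\s*(network\.proxy\.[\w.]+)\s*-\s*(.+?)\s*$')
# Native prefs.js style:  user_pref("<pref>", <value>);
PREFS_RE = re.compile(r'^user_pref\("(network\.proxy\.[\w.]+)",\s*(.+?)\);\s*$')

# Prefs whose value names a proxy endpoint; ports and the type switch are not audited.
HOST_PREFS = {'network.proxy.http', 'network.proxy.ssl',
              'network.proxy.ftp', 'network.proxy.socks',
              'network.proxy.autoconfig_url'}


def parse_proxy_prefs(lines):
    """Collect every network.proxy.* setting from report lines or prefs.js lines."""
    prefs = {}
    for line in lines:
        m = COMBOFIX_RE.match(line) or PREFS_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def describe_endpoint(value):
    """Classify a proxy endpoint as a private/loopback address, a public address or a URL/hostname."""
    try:
        addr = ip_address(value)
    except ValueError:
        return 'URL/hostname'
    if addr.is_loopback or addr.is_private:
        return 'private/loopback address'
    return 'public address'


def audit_proxy_prefs(prefs, expected_endpoints=()):
    """Return (pref, value, note) for every proxy endpoint the owner did not declare."""
    findings = []
    for name, value in prefs.items():
        if name in HOST_PREFS and value not in expected_endpoints:
            findings.append((name, value, f'not on owner list; {describe_endpoint(value)}'))
    return findings


if __name__ == '__main__':
    prefs = parse_proxy_prefs(SAMPLE_LINES)
    # First pass: nothing declared yet, the situation in reply #17.
    for f in audit_proxy_prefs(prefs):
        print('FLAG', *f)
    # Second pass: the owner confirms the .md search proxy, as in reply #26.
    for f in audit_proxy_prefs(prefs, expected_endpoints={'109.185.166.114'}):
        print('FLAG', *f)
```

A public address or a PAC URL that nobody in the household recognises is the case worth chasing; a finding that the owner can explain, as in reply #26, is simply added to the expected list and disappears from the next run.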

#27
April 12, 2011 at 16:05:29
pitox, if you have run all the virus/trojan/rootkit checks listed on this page, you are apparently clean.

"My computer is still clicking like internet explorer when clicking on the next or back button..."
Now it could be anything, dust/overheating, hard drive, error messages.

1: Take a cover off & clean out the dust, put an external fan on & see if it behaves with the extra cooling. Make sure all the fans (including the power supply) are spinning fast; with the power off, give them a spin with a matchstick to make sure they are not stuck.

Curing Laptop/Notebook Overheating
http://moourl.com/fb7u8
http://moourl.com/dvgjb
http://moourl.com/syvjr
http://moourl.com/fzp1f
http://moourl.com/uprms
Cleaning a Laptop/Notebook Computer
http://mobileoffice.about.com/od/us...
http://lifehacker.com/software/life...

Information about cleaning computer components
http://www.computerhope.com/cleanin...
http://www.wiscocomputing.com/artic...
http://www.librarysupportstaff.com/...
http://www.bleepingcomputer.com/tut...
Getting The Grunge Out Of Your PC, Fred Langa cleans the dirtiest PC he can find, and along the way shows you how you can easily tackle yours.
http://www.informationweek.com/stor...
http://www.informationweek.com/stor...
http://www.informationweek.com/stor...
http://www.informationweek.com/stor...
http://www.informationweek.com/stor...
http://www.informationweek.com/stor...
http://www.informationweek.com/stor...
Quiet noisy computer fans with a drop of oil
http://techrepublic.com.com/5100-62...

2: Remove the current Hard Drive & try another Hard Drive, even one with W95 or W98 on; you will then be able to hear if you still get the clicking.



#28
April 12, 2011 at 16:14:34
3: Run Checkdisk on the W7 drive.
How to Run Disk Check in Vista & Windows 7 (W7)
http://www.winvistaclub.com/f20.html
http://www.sevenforums.com/tutorial...

4:
Event Log Explorer
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.eventlogxp.com/
http://www.eventlogxp.com/download/...
Or,
MyEventViewer
http://www.softpedia.com/get/System...
http://www.softpedia.com/progScreen...
http://www.nirsoft.net/utils/my_eve...

5: Run ATF (no install). For Vista & W7, right click on the exe & select Administrator.
ATF Cleaner
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://www.atribune.org/
http://www.atribune.org/index.php?o...
Forum
http://www.atribune.org/forums/
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
This will remove all files from the items that are checked so if you have some cookies you'd like to save, please move them to a different directory first, or use CCleaner. http://img830.imageshack.us/i/cclea...

6: PC clicking randomly
http://tinyurl.com/67zscml



#29
April 14, 2011 at 01:54:35
Hi John. It seems that the clicking has stopped. Thank you very much for your help. I have run again all the diagnostic tools you provided me and nothing was found. So I guess I am clean.

Thank you so much for your time



#30
April 14, 2011 at 02:43:44
That's Ok pitox, I enjoy the challenge.

Keep in mind, dust is a big problem with comps & it won't hurt to run Chkdsk.

Also, make sure you have the latest service pack & updates.



#31
April 16, 2011 at 18:11:57
Hi! Back again. Just wanted to say that I am the most stupid person alive. Till tonight I was 110% convinced that the clicking was coming from my speakers.
I just realised now that the clicking was coming from the HDD. I think maybe the clicking was there before but I didn't pay attention to it and I started to hear it only after I was sure I was infected with some malware and became paranoid about the clicking :)
Any ideas about the HDD clicking? Is it the beginning of the end for it?


#32
April 17, 2011 at 23:57:12
"Is it the beginning of the end for it?"

Been away pitox, yes it is.

hard drive clicking

http://tinyurl.com/3auyg4z

