Web User Forums > Security > HijackThis logs help and analysis
#1
03-01-12, 21:50
snoop201
Established member
Join Date: Feb 2005
Posts: 106
Heavy Adware Infection Dad's laptop

Hi there. My dad's laptop has been heavily infected with adware. I have managed to get it updated and working again, but I can't see if there is anything else; Malwarebytes Anti-Malware comes up clean, in safe mode too.

I used the F-Secure online scan, which didn't find anything. The ESET online scan found another 4-5 PUP/adware items, but I can't find the log. This now comes up clean, but I had real problems with the second scan:

Windows kept shutting down and going to a blue screen saying "Beginning memory dump... Disable BIOS memory options such as caching or shadowing", but I can't see anything in the BIOS about this. I also tried to run the SFC /SCANNOW option, but it won't run at all without the disk, which no one has.



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 21:44:40, on 03/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Documents and Settings\All Users\Application Data\bProtector\bProtect.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\All Users\Application Data\bProtector\bProtect.exe
C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe
C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\19.2.0.10\IPS\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: File2LinkIB - {c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - C:\Program Files\file2linkib\file2linkibX.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\19.2.0.10\coIEPlg.dll
O3 - Toolbar: File2LinkIB - {c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - C:\Program Files\file2linkib\file2linkibX.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O20 - AppInit_DLLs: protector.dll
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: bProtector - bProtector - C:\Documents and Settings\All Users\Application Data\bProtector\bProtect.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
O23 - Service: Vodafone Mobile Broadband Service (VmbService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe

--
End of file - 6918 bytes
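Added example, not part of snoop201's post and not code from HijackThis: a small Python script that parses HijackThis R*/O* lines and flags the entry types a helper looks at first in a log like the one above: a populated O20 AppInit_DLLs value, O2/O3/R3 entries ending in "(no file)", a Winlogon Notify entry with its DLL missing, O16 downloaded ActiveX controls, and O23 services or O4 autoruns whose binary lives under Application Data or Temp rather than Program Files or System32. The sample input is a handful of lines copied from the log above; the rules and severities are my own starting point for triage, not a verdict from any scanner.

```python
"""Triage a HijackThis log: pull out the entry types that deserve a second look.

Example code added to this thread, not part of HijackThis or any poster's
instructions. The rules below are a starting point, not a malware verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log above,
# embedded so the script runs offline. Replace with the full log text.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: File2LinkIB - {c23b756a-bd9f-4ca6-aded-17ab8ccf3e8b} - C:\Program Files\file2linkib\file2linkibX.dll
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O20 - AppInit_DLLs: protector.dll
O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O23 - Service: bProtector - bProtector - C:\Documents and Settings\All Users\Application Data\bProtector\bProtect.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe
"""

# "R1 - ..." / "O23 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# Directories a normal installer does not use for service binaries or
# autoruns, but which a limited user on XP can write to.
SUSPECT_DIRS = ("\\application data\\", "\\temp\\")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    section: str
    reason: str
    entry: str


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* line in the log."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def triage(entries):
    """Apply location and orphan-entry rules; returns findings, worst first."""
    findings = []
    for section, body in entries:
        low = body.lower()
        if section == "O20" and low.startswith("appinit_dlls:"):
            # Anything listed here is injected into every process that
            # loads user32.dll, so a non-empty value is always worth a look.
            if body.split(":", 1)[1].strip():
                findings.append(Finding("high", section,
                                        "AppInit_DLLs injects this DLL into every GUI process", body))
        elif section == "O20" and low.endswith("(file missing)"):
            findings.append(Finding("low", section,
                                    "Winlogon Notify entry whose DLL is gone; remove the reference", body))
        elif section in ("O2", "O3", "R3") and low.endswith("(no file)"):
            findings.append(Finding("low", section,
                                    "CLSID still registered but its DLL is gone; orphaned browser extension", body))
        elif section == "O23" and any(d in low for d in SUSPECT_DIRS):
            findings.append(Finding("high", section,
                                    "service binary runs from a data directory, not Program Files or System32", body))
        elif section == "O4" and any(d in low for d in SUSPECT_DIRS):
            findings.append(Finding("medium", section,
                                    "autorun points into a data or temp directory", body))
        elif section == "O16":
            findings.append(Finding("low", section,
                                    "downloaded ActiveX control; confirm the host is one you chose", body))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.entry}")
```

Run against the full log, the two "high" findings are exactly the ones the thread ends up chasing: the protector.dll AppInit_DLLs entry and the bProtector service running from All Users\Application Data. Norton, Adobe and Skype entries under Program Files are left alone, which is the point of a location-based rule: it narrows the list without pretending to know what every CLSID is.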
#2
03-01-12, 21:53
snoop201
Established member
Join Date: Feb 2005
Posts: 106
Re: Heavy Adware Infection Dad's laptop

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.29.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Computer :: COMPUTER-DD1ACD [administrator]

29/12/2011 16:46:11
mbam-log-2011-12-29 (16-46-11).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188106
Time elapsed: 4 hour(s), 8 minute(s),

Memory Processes Detected: 2
C:\Program Files\Mp3Tube Toolbar\Mp3TubeSvc.exe (Adware.Mp3Tube) -> 1696 -> Delete on reboot.
C:\Program Files\Mp3Tube Toolbar\Mp3TubeVideoToMp3.exe (Adware.Mp3Tube) -> 2080 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 16
HKLM\SYSTEM\CurrentControlSet\Services\Mp3Tube Toolbar Service (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKCR\CLSID\{46897C77-E7A6-4c33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Adware.Hotbar) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Mp3Tube (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Mp3Tube (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IspAssistant-Mp3Tube (Adware.Adware.MP3TubeToolBar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\HOMEPAGE PROTECTION SERVICE (Adware.Mp3Tube) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MP3TUBE_TOOLBAR_SERVICE (Adware.Adware.MP3TubeToolBar) -> Quarantined and deleted successfully.

Registry Values Detected: 5
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Data: w|?F??3L?????q?B -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{46897C77-E7A6-4C33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{46897C77-E7A6-4c33-BFFB-E9C2E2718942} (Adware.Mp3Tube) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service|UninstallString (Adware.Mp3Tube) -> Data: C:\Program Files\Mp3Tube Toolbar\uninstall.exe hpp /S -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 3
C:\Program Files\Mp3Tube Toolbar (Adware.Mp3Tube) -> Delete on reboot.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images (Adware.Mp3Tube) -> Quarantined and deleted successfully.

Files Detected: 67
C:\Program Files\Mp3Tube Toolbar\Mp3TubeSvc.exe (Adware.Mp3Tube) -> Delete on reboot.
C:\Program Files\Mp3Tube Toolbar\Mp3TubeVideoToMp3.exe (Adware.Mp3Tube) -> Delete on reboot.
C:\Program Files\Mp3Tube Toolbar\mp3tubetb.dll (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Local Settings\Temp\4391564.Uninstall\Uninstall.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\My Documents\Downloads\setup (1).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\My Documents\Downloads\setup (2).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\My Documents\Downloads\setup (3).exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\My Documents\Downloads\setup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\My Documents\Downloads\SmileyCentralPFSetup2.3.96.3.ZNchr999 (1).exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\My Documents\Downloads\SmileyCentralPFSetup2.3.96.3.ZNchr999.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\My Documents\Downloads\FLVPlayerSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mp3Tube Toolbar\ffmpeg.exe (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012900.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012901.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012902.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012904.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012905.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012906.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012907.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012908.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012871.scr (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012873.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012874.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012876.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012877.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012878.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012879.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012880.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012881.SCR (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012882.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012883.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012884.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012885.EXE (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012886.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012887.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012888.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012889.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012890.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012891.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012892.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012893.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012894.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012895.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012896.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012897.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012898.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012899.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012875.DLL (PUP.FunWebProducts) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012917.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012918.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012919.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012920.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9DEB9FA7-5931-426D-8160-8A102E93851C}\RP39\A0012953.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Mp3Tube Toolbar\ShowMsg.exe (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\pref.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\tbconfig.xml (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\tbconfig.xml.bak (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\dailyhotdeals.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\divider.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\feeditem.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\games.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\savemp3.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\savemp3_disabled.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\screensaver.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\shopping.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\watermark.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.
C:\Documents and Settings\Computer\Application Data\Mp3Tube Toolbar\images\weatherbug.png (Adware.Mp3Tube) -> Quarantined and deleted successfully.

(end)
#3
03-01-12, 21:57
snoop201
Established member
Join Date: Feb 2005
Posts: 106
Re: Heavy Adware Infection Dad's laptop

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.03.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Computer :: COMPUTER-DD1ACD [administrator]

03/01/2012 14:35:12
mbam-log-2012-01-03 (14-35-12).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201896
Time elapsed: 1 hour(s), 32 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
#4
03-01-12, 22:27
bricat
Global Moderator
Join Date: Jun 2003
Location: belfast
Posts: 35,926
Re: Heavy Adware Infection Dad's laptop

MBAM certainly removed a lot of rubbish.

To make sure that is all there is:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
__________________
PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Accept that some days you are the pigeon and some days the statue.
#5
05-01-12, 02:46
snoop201
Established member
Join Date: Feb 2005
Posts: 106
Re: Heavy Adware Infection Dad's laptop

Hello bricat, thanks for your help. I'm running into a few stalling problems now and again with ComboFix when it starts to scan CPU. When it isn't stalling, it's been running for close to 6-7 hours, blinking cursor, with still no results. All security apps have been disabled.

Earlier ComboFix said there was an update, which I installed. It then told me to note down
this: Parasites Found.... C:\WINDOWS\SYSTEM32\protector.dll.

If I run CCleaner first, would it help ComboFix's scan time in any way? Also, to note, my internet connection is only via a top-up dongle, which I don't know if this may also affect things or not.

Also, there are 2 other MBAM logs that were done in safe mode if you need them; more rubbish that was removed, but they only appear in safe mode itself, not normal boot-up.

snoop201
#6
05-01-12, 03:05
bricat
Global Moderator
Join Date: Jun 2003
Location: belfast
Posts: 35,926
Re: Heavy Adware Infection Dad's laptop

Go to: Start > Run
Type: services.msc
Click Enter

Maximize the Services window

Drag the separator bar between Name and Description, so you can see all the text in the Name column.

Scroll down and look for: "bProtector" < ---name of service.
Right click it and select "Properties"
Click the "Stop" button and wait for the service to be stopped.
Change the "Startup Type" from Automatic to "Disabled" (c/o drop-down menu)

Click Apply then OK

Close the Services window .


then try combofix again.
#7
06-01-12, 20:14
snoop201
Established member
Join Date: Feb 2005
Posts: 106
Re: Heavy Adware Infection Dad's laptop

Hi bricat, I tried again last night with bProtector disabled. I left it running from 7:10 till 7:30 this morning and it was still scanning; it hadn't crashed though.

snoop201
#8
07-01-12, 10:04
bricat
Global Moderator
Join Date: Jun 2003
Location: belfast
Posts: 35,926
Re: Heavy Adware Infection Dad's laptop

try this :-

Download RogueKiller to your desktop
  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate by tapping Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
#9
07-01-12, 11:47
snoop201
Established member
Join Date: Feb 2005
Posts: 106
Re: Heavy Adware Infection Dad's laptop

here you go bricat.

RogueKiller V6.2.2 [12/31/2011] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files...3-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Computer [Admin rights]
Mode: Scan -- Date : 01/07/2012 11:33:22

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 5 ¤¤¤
[] HKLM\[...]\Windows : () -> ACCESS DENIED
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[] HKLM\[...]\Windows : () -> ACCESS DENIED

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
--- User ---
[MBR] 9cdba6d09157d62567a75a7ffc560c2e
[BSP] 2bc391439963cae5022db451cf8df0e2 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 30005 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
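Added example, not part of snoop201's post and not RogueKiller's own code: a Python script that does what the MBR Check section of the report above summarises. It reads a 512-byte master boot record, hashes the whole sector and the bootstrap code separately, decodes the four partition entries, and flags table features a bootkit might leave behind (two active partitions, hidden partition types, an entry starting at sector 0). My reading of the report, stated here as an assumption, is that the [MBR] line is the hash of the whole sector (unique per disk because it includes the disk signature and partition table) and the [BSP] line is the hash of the bootstrap code alone, which is what lets RogueKiller label it "Windows XP MBR Code". The bootstrap bytes and the known-loader table in the code are constructed for the demo; the single partition is sized to match the laptop's (offset 63 sectors, 30005 MB).

```python
"""Parse a 512-byte MBR the way the RogueKiller MBR check above summarises it.

Example code added to this thread, not RogueKiller's own code. The bootstrap
bytes and hash table here are constructed for the demo, not a real loader.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440          # bootstrap code; disk signature and padding follow
PART_TABLE_OFFSET = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"      # last two bytes of a valid MBR

PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x17: "NTFS (hidden)", 0x1B: "FAT32 (hidden)", 0x1C: "FAT32 LBA (hidden)"}
HIDDEN_TYPES = {0x17, 0x1B, 0x1C}

# Constructed stand-in for bootstrap code (not real Windows XP MBR code).
SAMPLE_BOOTCODE = bytes.fromhex("33c08ed0bc007c8bf0") + b"\xeb\xfe"


def build_mbr(bootcode, disk_signature, entries):
    """Assemble a test MBR from bootcode and (status, type, lba_start, sectors) tuples."""
    if len(bootcode) > BOOTCODE_LEN or len(entries) > 4:
        raise ValueError("bootcode too long or too many partitions")
    table = b"".join(struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
                     for status, ptype, lba, count in entries).ljust(64, b"\0")
    return (bootcode.ljust(BOOTCODE_LEN, b"\0") + struct.pack("<I", disk_signature)
            + b"\0\0" + table + BOOT_SIG)


def parse_mbr(mbr):
    """Hash the sector and the bootcode separately and decode the partition table."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIG:
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    partitions = []
    for index in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFFSET + 16 * index)
        if ptype == 0:
            continue                     # empty slot
        partitions.append({
            "index": index,
            "active": status == 0x80,
            "type": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
            "hidden": ptype in HIDDEN_TYPES,
            "offset_sectors": lba_start,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "mbr_md5": hashlib.md5(mbr).hexdigest(),                      # whole sector, unique per disk
        "bootcode_md5": hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest(),  # loader only, comparable across disks
        "partitions": partitions,
    }


def classify_bootcode(bootcode_md5, known):
    """Look the loader hash up in a caller-supplied table of known-good loaders."""
    return known.get(bootcode_md5, "unknown bootstrap code")


def anomalies(parsed):
    """Partition-table features a bootkit or rogue tool might leave behind."""
    issues = []
    parts = parsed["partitions"]
    if sum(p["active"] for p in parts) > 1:
        issues.append("more than one partition marked active")
    for p in parts:
        if p["hidden"]:
            issues.append(f"partition {p['index']} uses a hidden type ({p['type']})")
        if p["offset_sectors"] == 0:
            issues.append(f"partition {p['index']} starts at sector 0 and overlaps the MBR")
    return issues


if __name__ == "__main__":
    # One active NTFS partition at sector 63 sized like the laptop's: 61450240 sectors = 30005 MB.
    mbr = build_mbr(SAMPLE_BOOTCODE, 0x1234ABCD, [(0x80, 0x07, 63, 61450240)])
    result = parse_mbr(mbr)
    print("[MBR]", result["mbr_md5"])
    print("[BSP]", result["bootcode_md5"], ":", classify_bootcode(result["bootcode_md5"], {}))
    for p in result["partitions"]:
        flag = "ACTIVE" if p["active"] else "inactive"
        print(f"{p['index']} - [{flag}] {p['type']} Offset (sectors): {p['offset_sectors']} | Size: {p['size_mb']} MB")
    print("Anomalies:", anomalies(result) or "none")
```

On a real machine you would feed parse_mbr the first 512 bytes of \\.\PhysicalDrive0 and a table of loader hashes you trust; the split between the two hashes is what matters, because the whole-sector hash changes with every repartition while the bootcode hash only changes when something rewrites the loader.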
#10
07-01-12, 12:00
bricat
Global Moderator
Join Date: Jun 2003
Location: belfast
Posts: 35,926
Re: Heavy Adware Infection Dad's laptop

Quit all running programs and run RogueKiller once again.
  1. For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  2. When prompted, type 2 and validate
  3. The RKreport.txt shall be generated next to the executable.
  4. If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.
© Dennis Publishing Limited Licensed by Felden




