Log'N'Rock: Self restoring Trojan popup [INACTIVE] - Log'N'Rock

Self restoring Trojan popup [INACTIVE]

#1 mupsec
  • Garage rocker
  • Group: Members
  • Posts: 4
  • Joined: 26-December 08

Posted 26 December 2008 - 06:29 PM

Hey folks, Merry Christmas and Happy New Year. Very resourceful webpage you have. I'll be happy to contribute (as soon as I recoup from Christmas, lol) if you can help me resolve this.
For the last few days I'm getting a popup from something with an icon of a big red "X" in my system tray. It seems to be working my Webroot Firewall pretty good. I've set the Process monitor to high, which seems to have reduced the resource usage a bit from whatever was using it up. Do your magic please. Below is my log from HijackThis.

Thanks again. I intend to spend some quality time with your page. Looks like you have great success.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:50 PM, on 12/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svschost.exe
C:\WINDOWS\system32\svñshost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Stephen\Desktop\`\gxc.dll\'\Xnews.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.carolinarealtors.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {BB6C9487-AAD6-47EE-A3FA-5432126062F2} - (no file)
O2 - BHO: (no name) - {EAB4F9F6-5E0D-4472-9F62-CF6E74BFC7ED} - C:\WINDOWS\system32\mlJAsTkj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [Ktukefuperul] rundll32.exe "C:\WINDOWS\epavikiyitejedab.dll",e
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1204869779253
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204888473865
O20 - Winlogon Notify: fcccabBu - fcccabBu.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4880 bytes
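The log above carries the classic tells that an analyst reads for by eye: two processes named almost like svchost.exe (svschost.exe, and svñshost.exe with a non-ASCII character), an executable running out of the user's Desktop, a Run entry that has rundll32 load a randomly named DLL from the root of C:\WINDOWS, and BHO / Winlogon Notify entries whose files are already gone. The script below is an added example, not code from the original thread, that automates that triage over a HijackThis v2 log. The list of "known" system process names, the edit-distance threshold of one and the path heuristics are assumptions of this example; SAMPLE_LOG is a constructed excerpt of the first post's log.

```python
"""Triage a HijackThis v2 log for masquerading processes and suspicious autoruns.

Added example, not code from the original thread. The known-process list, the
edit-distance threshold and the path heuristics are assumptions; SAMPLE_LOG is
a constructed excerpt of the thread's first log."""
import re

# Core Windows XP process names that malware commonly imitates (assumed list).
KNOWN = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
         "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe", "ctfmon.exe"}
WINDOWS_DIR, SYSTEM32 = "c:\\windows\\", "c:\\windows\\system32\\"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

def osa_distance(a, b):
    """Levenshtein distance plus adjacent transpositions, so 'scvhost', 'svschost'
    and 'svhost' are all one edit away from 'svchost'."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def flag_process(path):
    """Reason a running-process path looks suspicious, or None."""
    name = path.rsplit("\\", 1)[-1].lower()
    folder = path[: len(path) - len(name)].lower()
    if any(ord(c) > 127 for c in name):
        return "non-ASCII character in process name (homoglyph of a system name)"
    if name in KNOWN:  # genuine core processes only ever run from the Windows directory
        return None if folder.startswith(WINDOWS_DIR) else "system process name outside C:\\WINDOWS"
    for known in KNOWN:
        if osa_distance(name, known) <= 1:
            return f"name resembles {known} (possible masquerade)"
    if "\\documents and settings\\" in folder:
        return "executable running from a user profile folder"
    return None

def command_exe(command):
    """Executable path of a Run-key command: quoted, or unquoted up to the first '.exe'."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command.split(" ", 1)[0]

def flag_autorun(line):
    """Reason an O2/O4/O20 HijackThis line looks suspicious, or None."""
    if line.startswith(("O2 - BHO:", "O20 - Winlogon Notify:")):
        gone = "(file missing)" in line or "(no file)" in line
        return "entry points at a file that is gone (orphan of removed malware)" if gone else None
    m = O4_RE.match(line)
    if not m:
        return None
    command = m.group(3).strip()
    if command.lower().startswith("rundll32"):
        # rundll32 persisting a DLL from outside system32 (here a random name in C:\WINDOWS root)
        dll = re.search(r'"?([^"]+\.dll)"?', command, re.I)
        if dll and not dll.group(1).lower().startswith(SYSTEM32):
            return "rundll32 loads a DLL from outside system32"
        return None
    reason = flag_process(command_exe(command))
    return f"autorun target: {reason}" if reason else None

def parse_processes(log):
    """Paths listed under 'Running processes:' up to the first blank line."""
    block = log.split("Running processes:", 1)[-1].split("\n\n", 1)[0]
    return [l.strip() for l in block.splitlines() if l.strip()]

def triage(log):
    """(item, reason) pairs worth a closer look: processes first, then autorun lines."""
    procs = [(p, flag_process(p)) for p in parse_processes(log)]
    lines = [(l.strip(), flag_autorun(l.strip())) for l in log.splitlines()]
    return [(item, why) for item, why in procs + lines if why]

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svschost.exe
C:\WINDOWS\system32\svñshost.exe
C:\Documents and Settings\Stephen\Desktop\gxc.dll\Xnews.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {EAB4F9F6-5E0D-4472-9F62-CF6E74BFC7ED} - C:\WINDOWS\system32\mlJAsTkj.dll (file missing)
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [Ktukefuperul] rundll32.exe "C:\WINDOWS\epavikiyitejedab.dll",e
O4 - HKCU\..\Run: [svschost.exe] C:\WINDOWS\system32\svschost.exe -check
O20 - Winlogon Notify: fcccabBu - fcccabBu.dll (file missing)
"""

if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {item}")
```

The edit distance is deliberately capped at one edit: a looser similarity ratio flags legitimate names such as msmsgs.exe against smss.exe, while the real lookalikes (one inserted, deleted, substituted or swapped character) all sit at distance one. The non-ASCII check runs first because a homoglyph like ñ is never a typo in a Microsoft binary name. Seven of the sample's lines are reported; the quoted Webroot Run entry, Explorer.EXE from C:\WINDOWS and iexplore.exe are correctly left alone.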

#2 Fred Flintstone
  • Dave Gilmour
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender: Male
  • Location: Somerset

Posted 28 December 2008 - 09:58 AM

Hi mupsec.. welcome to BFC..
I see you are using Webroot Firewall and Spy Sweeper, but I'm not seeing an active antivirus program in the log.
Is this a "suite" of software? If so, the antivirus needs to be running in real time.
If not, there are free alternatives available; let me know when you reply!

Onwards:
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware

  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Then:
BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Note: You will need to use Internet Explorer for this scan.

Please post back
  • MalwareBytes (MBAM) log
  • BitDefender log
  • Fresh HijackThis (HJT) log

Also say how things are running now..
Thanks..
Fred..

This post has been edited by Fred Flintstone: 28 December 2008 - 10:10 AM


#3 mupsec
  • Garage rocker
  • Group: Members
  • Posts: 4
  • Joined: 26-December 08

Posted 29 December 2008 - 06:16 AM

Wow, my puter is squeaky clean!! Jeez, have you ever seen such a plateful of trojans and adware? You had commented about my Webroot. It acts as firewall, spyware and antivirus software. I was under the assumption that the virus protection was real time. I'm still looking into that. Thanks for noticing.


Malwarebytes' Anti-Malware 1.31
Database version: 1562
Windows 5.1.2600 Service Pack 2

12/28/2008 9:54:18 PM
mbam-log-2008-12-28 (21-54-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 105432
Time elapsed: 1 hour(s), 33 minute(s), 42 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 32
Files Infected: 663


----------------------------------------------------------

BitDefender Online Scanner - Real Time Virus Report
Generated at: Mon, Dec 29, 2008 - 00:45:57


--------------------------------------------------------------------------------
Scan Info
Scanned Files
132570

Infected Files
26

Virus Detected

Trojan.JS.Injector.A
16

Trojan.Clicker.CM
3

Adware.SpyClean.A
2

Trojan.Script.6521
1

JS.Obfuscated.Gen
2

Trojan.Downloader.Small.ABEL
2

--------------------------------------------------------------------------------



This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:38 AM, on 12/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.carolinarealtors.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {EAB4F9F6-5E0D-4472-9F62-CF6E74BFC7ED} - C:\WINDOWS\system32\mlJAsTkj.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com...OnlineGames.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1204869779253
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1204888473865
O20 - Winlogon Notify: fcccabBu - fcccabBu.dll (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4859 bytes

You will be seeing something from me soon in the form of a contribution. Great work! ;)

I couldn't post the entire log from the Malwarebytes scan... too long. :(

#4 Fred Flintstone
  • Dave Gilmour
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender: Male
  • Location: Somerset

Posted 29 December 2008 - 10:27 AM

Hi mupsec..
Glad to hear things are running better..

I would still like to see the MBAM log to see what was removed; please post it by splitting it over several posts if necessary, so I can check it while you continue with the instructions below.
You will find the log in MBAM under the "Logs" tab.

Then:
Run HijackThis
Click on do a system scan only
Place a check next to these lines (if still present):

O2 - BHO: (no name) - {EAB4F9F6-5E0D-4472-9F62-CF6E74BFC7ED} - C:\WINDOWS\system32\mlJAsTkj.dll (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sur...ge/w4sgeen9.exe
O20 - Winlogon Notify: fcccabBu - fcccabBu.dll (file missing)

Then close all windows and browsers except HijackThis and click Fix Checked

I haven't used Webroot software myself, but a little googling revealed the comments below:

Quote

Webroot's Spy Sweeper Enterprise is a standalone antispyware solution....

And

Quote

However, for Webroot to remain competitive, it needs to compete with the suite vendors by at least offering customers antivirus functionality.

Link HERE

So, it would seem that you do not have antivirus capability in that "suite".
Antivirus and antispyware are two very different entities requiring different protection solutions.
I.e. antivirus software offers little or no protection against spyware (trojans, dialers etc.),
and conversely, antispyware is no protection against viruses.. it's just not what the programs are designed for!

Here are some FREE antivirus programs; please download ONLY ONE of the following programs and install it on your computer.

Once installed, update the definitions, run a full scan and allow it to fix anything it finds.

Re-run MBAM, make sure you run updates first (This program is updated several times a day)!
Then, under the "Scanner" tab, select "Perform quick Scan".

Please post back:
  • Antivirus log
  • Fresh MBAM log
  • Fresh HJT log

Thanks..
Fred..

#5 Fred Flintstone
  • Dave Gilmour
  • Group: Malware Experts
  • Posts: 2,515
  • Joined: 20-April 08
  • Gender: Male
  • Location: Somerset

Posted 08 January 2009 - 12:31 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.