win32.downloader.dequ


Re: win32.downloader.dequ

Nah, it's fine. We'll have to work around it and try to remove what's stopping ComboFix from running.

Please download aswMBR from here


  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below


[screenshot: AswMBR_Scan]

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.


  • Once the scan finishes click Save log to save the log to your Desktop
    [screenshot: AswMBR_SaveLog]

  • Copy and paste the contents of aswMBR.txt back here for review

Re: win32.downloader.dequ

I hope this worked

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-07-31 12:31:26
-----------------------------
12:31:26.703 OS Version: Windows 5.1.2600 Service Pack 3
12:31:26.703 Number of processors: 2 586 0x6B02
12:31:26.703 ComputerName: BRUCE-A95ED2DF2 UserName: Bruce
12:31:27.937 Initialize success
12:31:28.671 AVAST engine defs: 11073100
12:31:40.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0
12:31:40.625 Disk 0 Vendor: ST340212 3.04 Size: 38162MB BusType: 3
12:31:40.625 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\nvgts1Port2Path1Target1Lun0
12:31:40.625 Disk 1 Vendor: ST350083 3.AA Size: 476940MB BusType: 3
12:31:40.625 Device \Driver\nvgts -> DriverStartIo SCSIPORT.SYS f72d040e
12:31:40.640 Disk 0 MBR read successfully
12:31:40.640 Disk 0 MBR scan
12:31:40.640 Disk 0 Windows XP default MBR code
12:31:40.640 Disk 0 scanning sectors +78156288
12:31:40.640 Disk 0 scanning C:\WINDOWS\system32\drivers
12:31:59.265 Service scanning
12:32:00.031 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
12:32:00.593 Modules scanning
12:32:53.609 Disk 0 trace - called modules:
12:32:53.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS nvgts.sys
12:32:53.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8656a030]
12:32:53.640 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\00000063[0x86573168]
12:32:53.640 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Scsi\nvgts1Port2Path0Target0Lun0[0x86584a38]
12:32:54.625 AVAST engine scan C:\WINDOWS
12:33:04.656 AVAST engine scan C:\WINDOWS\system32
12:34:37.609 AVAST engine scan C:\WINDOWS\system32\drivers
12:34:52.500 AVAST engine scan C:\Documents and Settings\Bruce
12:36:14.437 AVAST engine scan C:\Documents and Settings\All Users
12:37:16.453 Scan finished successfully
12:40:06.312 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\MBR.dat"
12:40:06.312 The log file has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\aswMBR.txt"
12:43:31.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\MBR.dat"
12:43:31.234 The log file has been saved successfully to "C:\Documents and Settings\Bruce\Desktop\aswMBR.txt"


Re: win32.downloader.dequ

Hi,

Please download Malwarebytes Anti-Malware from Here.


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: win32.downloader.dequ

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7344

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/1/2011 8:22:55 AM
mbam-log-2011-08-01 (08-22-30).txt

Scan type: Quick scan
Objects scanned: 186590
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} (Adware.SmartShopper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0} (Adware.SmartShopper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BCB5337-EC01-4E38-840C-A964F174255B} (Adware.SmartShopper) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Value: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\iobit toolbar\IE\4.3\iobittoolbarie.dll (PUP.Dealio.TB) -> No action taken.

Re: win32.downloader.dequ

Hi,

Did you remove the detections? It says: No Action Taken.
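A small triage script for the Malwarebytes' Anti-Malware log layout quoted above, added here as an example and not part of any post in this thread: it parses each detection line, reads the action after the last arrow (so the `-> Value: {GUID} -> No action taken.` form is handled too) and lists what was detected but left unactioned, which is exactly what the helper is asking about. The embedded log is a constructed, abbreviated version of the one posted above.

```python
import re
from collections import Counter

# Constructed, abbreviated log in the Malwarebytes' Anti-Malware 1.51 layout
# (raw string so the registry backslashes survive untouched).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.1.1800
Registry Keys Infected: 2
Registry Values Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF} (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0BDA0769-FD72-49F4-9266-E1FB004F4D8F} (PUP.Dealio.TB) -> Value: {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} -> No action taken.

Files Infected:
c:\program files\iobit toolbar\IE\4.3\iobittoolbarie.dll (PUP.Dealio.TB) -> No action taken.
"""

# "<item> (<threat>)": greedy item, so the LAST parenthesised token is the threat name
# even when the path itself contains parentheses such as "Program Files (x86)".
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\)$")

def parse_detections(log_text):
    """Return (section, item, threat, action) for every detection line.
    Summary lines ("Registry Keys Infected: 8") and "(No malicious items detected)"
    carry no " -> " and are skipped; the action is whatever follows the LAST arrow.
    """
    detections, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # section heading, e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
        elif section and " -> " in line:
            head, _, action = line.rpartition(" -> ")
            m = ITEM_RE.match(head.split(" -> ")[0])   # drop any "-> Value: ..." middle part
            if m:
                detections.append((section, m["item"], m["threat"], action.rstrip(".")))
    return detections

def unactioned(log_text):
    """Detections that were listed but never removed: the case the helper asks about."""
    return [d for d in parse_detections(log_text) if d[3].lower() == "no action taken"]

def summarize(log_text):
    """Totals a helper would want at a glance before asking the user to re-run the tool."""
    dets = parse_detections(log_text)
    return {"total": len(dets), "unactioned": len(unactioned(log_text)),
            "by_threat": dict(Counter(d[2] for d in dets))}
```

Running `summarize(SAMPLE_LOG)` on the constructed log reports four detections, three of them unactioned, so the report shows the scan found items but did not remove them.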

Re: win32.downloader.dequ

I ran the Malware program again and it says "No Malicious Items Detected", and this is the report:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7344

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/2/2011 8:27:51 AM
mbam-log-2011-08-02 (08-27-50).txt

Scan type: Quick scan
Objects scanned: 191293
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: win32.downloader.dequ

Hi,

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: win32.downloader.dequ

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=b522dbbfd0732347a5cef0fcfe4795b9
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-03 06:07:14
# local_time=2011-08-03 02:07:14 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=5889 16768381 100 100 34024963 152203565 0 34120019
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 0 34143697 0 0
# scanned=91988
# found=8
# cleaned=8
# scan_time=15617
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Application Updater\ApplicationUpdater.exe probably a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11CD7696-EA07-4D4C-8752-11BE9FED7CC5}\RP416\A0127453.exe a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11CD7696-EA07-4D4C-8752-11BE9FED7CC5}\RP416\A0127454.dll a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11CD7696-EA07-4D4C-8752-11BE9FED7CC5}\RP416\A0127455.exe Win32/RegistryBooster application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{11CD7696-EA07-4D4C-8752-11BE9FED7CC5}\RP416\A0127456.exe probably a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: win32.downloader.dequ

Hi,

How's your computer running now?

Re: win32.downloader.dequ

There seems to be no difference regarding the "win32.downloader.dequ" virus... but now I cannot access GeekPolice through Internet Explorer because it keeps booting me out.
Therefore I have to use Firefox to contact you.

Re: win32.downloader.dequ

Does it give you a specific file path? For example: C:\Folder\Folder\File.exe?

Re: win32.downloader.dequ

In the path at the top of the page when I use Internet Explorer it reads

res://ieframe.dll/acr_error.htm#GeekPolice.net,http://www.GeekPolice.net/t27720-win32downloaderdequ

Is this what you mean???

Then this keeps coming up on my screen

We were unable to return you to GeekPolice.net.

Internet Explorer has stopped trying to restore this website. It appears that the website continues to have a problem.
What you can do:
Go to your home page

Try to return to GeekPolice.net

Re: win32.downloader.dequ

No, the filepath of the win32.downloader.dequ detection. Does it give you a filepath for that?

Re: win32.downloader.dequ

http://www.GeekPolice.net/t27720-win32downloaderdequ


Is this the file path that you mean ???

If it is not...where do I find it ??

Re: win32.downloader.dequ

No, that is the URL of this thread.

Your antivirus should show the detection and where it was located. For example, C:\Windows\System32\Malware.exe

Does your antivirus show this?