Computer infected with AntivirusPro 2010
FlaCajun
2009-10-03, 23:19
Antiviruspro 2010 has somehow infected my computer.
(If needed, there is a written log of what has been done to remove this infection.)
Data files have been backed as well as possible.
The registry has been backed up.
HJT was run, but the text file was not displayed.
Now, HJT will not run.
The error message is:
"Windows cannot access the specified device, path or file.
You may not have the appropriate permissions to access the file.",
even though I have admin rights.
Appreciate any help.
IndiGenus
2009-10-04, 18:17
Hello FlaCajun and welcome to the forums here at SpyBot S&D.
STEP 1:
Please download exeHelper by Raktor (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
STEP 2:
Save this (http://ad13.geekstogo.com/Win32kDiag.exe) file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.
Post both logs and we can hopefully go from there.
FlaCajun
2009-10-04, 20:01
exeHelper was saved on the desktop and run.
A DOS window opened, then closed.
No 'exehelperlog.txt' file was posted.
Searched the C drive for any 'exehelper' files.
The only one located was the file 'exehelper.com'.
Re-ran 'exehelper.com', but no log.
The infected computer is part of a home network.
No other computers infected.
IndiGenus
2009-10-04, 20:02
Okay try running STEP 2 and see if that will run. Hopefully it will give us a log. Post that if so.
FlaCajun
2009-10-04, 21:47
Ran the 'Win32kDiag.exe' program, but an error message appeared.
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:63 72 70 74 Choose 'Close' to terminate application.
Clicked 'Ignore' and the program terminated.
Ran the program again, same error message.
Clicked 'Close'.
IndiGenus
2009-10-05, 04:41
What operating system are you running? XP or Vista?
FlaCajun
2009-10-05, 15:38
XP Professional SP3
IndiGenus
2009-10-05, 15:40
Let's see if we can go right after this with combofix.
Please read through the instructions to familiarize yourself with what to expect when the tool runs.
It is vitally important that combofix is renamed before it is even started to download
Please download ComboFix from Here (http://www.forospyware.com/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)
Double click on ComboFix.exe & follow the prompts. Close all other windows/browser first.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do Not run combofix more than once. If you have problems please post back for further instructions.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with the combofix log.
FlaCajun
2009-10-05, 16:23
Just got the infected computer to boot up.
It performed several shutdowns by itself.
Since Task Manager doesn't work,
I downloaded 'Process Explorer' to shut down 'Antiviruspro 2010'.
I am using another computer to post to the forum.
Should I continue with Combo Fix?
IndiGenus
2009-10-05, 16:26
If you can run combofix, yes, go for it. This PC sounds like it's in pretty bad shape, do you have your XP disc? I'm thinking maybe a repair install if we cannot get any tools to run.
FlaCajun
2009-10-05, 16:30
I have isolated the infected computer from the internet,
so that the infection can not download anything more off the internet.
I can download files from another computer to the infected computer.
Is this the way to go?
IndiGenus
2009-10-05, 18:47
I have isolated the infected computer from the internet,
so that the infection can not download anything more off the internet.
I can download files from another computer to the infected computer.
Is this the way to go?
Okay good. Yes, that is probably the best way to go right now. You could use a CD/DVD, which is the safest way. Or you can use a USB drive. You just take the chance that the USB drive will get infected when you plug it into the infected PC. To reduce the risk of that you should run FlashDisinfector.
Download Flash_Disinfector.exe by sUBs from here (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
Even with using FD, I would suggest using a drive you don't have anything critical saved on. That way you can just format it when you're done to be sure it's clean.
FlaCajun
2009-10-05, 21:07
ComboFix was run, but it was difficult to download on the infected computer.
Initially, a window opened up with the code displayed.
Eventually, a box popped up and it was successfully saved to the desktop.
Here is the log.
ComboFix 09-10-04.01 - Raymond 10/05/2009 13:51.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.641 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\aIx11A.tmp
c:\documents and settings\All Users\Application Data\awekymyry.bin
c:\documents and settings\All Users\Application Data\canycy.bat
c:\documents and settings\All Users\Application Data\dekuha.dll
c:\documents and settings\All Users\Application Data\dijibot.vbs
c:\documents and settings\All Users\Application Data\ehatepu.lib
c:\documents and settings\All Users\Application Data\ekusaleb.scr
c:\documents and settings\All Users\Application Data\elanijudup.reg
c:\documents and settings\All Users\Application Data\igycoh.sys
c:\documents and settings\All Users\Application Data\iqesytakyq.lib
c:\documents and settings\All Users\Application Data\kebexugaq.dl
c:\documents and settings\All Users\Application Data\nydyhaz.com
c:\documents and settings\All Users\Application Data\tohakut.inf
c:\documents and settings\All Users\Application Data\vupofajo.dl
c:\documents and settings\All Users\Application Data\wiwete._sy
c:\documents and settings\All Users\Application Data\ysotujev.dl
c:\documents and settings\All Users\Documents\ekixejy.sys
c:\documents and settings\All Users\Documents\eniwityb.bat
c:\documents and settings\All Users\Documents\erozak.pif
c:\documents and settings\All Users\Documents\iweby.scr
c:\documents and settings\All Users\Documents\notapos.reg
c:\documents and settings\All Users\Documents\ubegedabi.sys
c:\documents and settings\All Users\Documents\unenif.reg
c:\documents and settings\All Users\Documents\ygyzu.inf
c:\documents and settings\Raymond\Application Data\ebej.inf
c:\documents and settings\Raymond\Application Data\ehepun.vbs
c:\documents and settings\Raymond\Application Data\emocyxohu.dll
c:\documents and settings\Raymond\Application Data\exeqoh.com
c:\documents and settings\Raymond\Application Data\fosevaluxy.exe
c:\documents and settings\Raymond\Application Data\lizkavd.exe
c:\documents and settings\Raymond\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Raymond\Application Data\mocy.vbs
c:\documents and settings\Raymond\Application Data\obop.com
c:\documents and settings\Raymond\Application Data\otyxel.exe
c:\documents and settings\Raymond\Application Data\seres.exe
c:\documents and settings\Raymond\Application Data\svcst.exe
c:\documents and settings\Raymond\Application Data\upebekur.com
c:\documents and settings\Raymond\Application Data\vecufig.com
c:\documents and settings\Raymond\Application Data\yloza.pif
c:\documents and settings\Raymond\Cookies\bahysyq.dll
c:\documents and settings\Raymond\Cookies\ciworyzeb._dl
c:\documents and settings\Raymond\Cookies\cynihijip.db
c:\documents and settings\Raymond\Cookies\geda.bin
c:\documents and settings\Raymond\Cookies\jesa.scr
c:\documents and settings\Raymond\Cookies\mosuxype.reg
c:\documents and settings\Raymond\Cookies\okofiroja.bin
c:\documents and settings\Raymond\Cookies\osyg.lib
c:\documents and settings\Raymond\Cookies\pobiz._dl
c:\documents and settings\Raymond\Cookies\qepysyduw._dl
c:\documents and settings\Raymond\Cookies\ryfite.dat
c:\documents and settings\Raymond\Cookies\vexype.exe
c:\documents and settings\Raymond\Cookies\viduwa.dat
c:\documents and settings\Raymond\Cookies\xubow.inf
c:\documents and settings\Raymond\Cookies\yliqaripot._dl
c:\documents and settings\Raymond\Local Settings\Application Data\amutaduwyx._dl
c:\documents and settings\Raymond\Local Settings\Application Data\hihamo.reg
c:\documents and settings\Raymond\Local Settings\Application Data\jinun.inf
c:\documents and settings\Raymond\Local Settings\Application Data\navur.ban
c:\documents and settings\Raymond\Local Settings\Application Data\rehuqex.dll
c:\documents and settings\Raymond\Local Settings\Application Data\relenoqa._dl
c:\documents and settings\Raymond\Local Settings\Application Data\rifubojo.inf
c:\documents and settings\Raymond\Local Settings\Application Data\ujyvim._dl
c:\documents and settings\Raymond\Local Settings\Application Data\usiz.dll
c:\documents and settings\Raymond\Local Settings\Application Data\ymaq.dll
c:\documents and settings\Raymond\Local Settings\Application Data\zoturubam._dl
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\cibo.dat
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\ehekur.ban
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\emifem.exe
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\hyfe.dll
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\icev.pif
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\ivewacohe.dat
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\kewo.com
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\qaryheq.bin
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\sejad.dll
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\urofosoti.sys
c:\documents and settings\Raymond\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Raymond\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Raymond\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\dipyzuh.scr
c:\program files\Common Files\hamys.reg
c:\program files\Common Files\ibawihadoc._dl
c:\program files\Common Files\kumyces.bin
c:\program files\Common Files\lajora.reg
c:\program files\Common Files\oradyryxi.ban
c:\program files\Common Files\yluquzec.reg
c:\windows\afoj.bin
c:\windows\cidyjocad.dl
c:\windows\edukusen.ban
c:\windows\emygybymyq.vbs
c:\windows\esunewyw.inf
c:\windows\foga.dll
c:\windows\hamiq.inf
c:\windows\ikyzasa.dl
c:\windows\isucimoce.ban
c:\windows\isylebo.inf
c:\windows\kygemadik.reg
c:\windows\mynudiha.sys
c:\windows\nomoq.sys
c:\windows\obituzawy.dl
c:\windows\ocavazydo.vbs
c:\windows\povomar.pif
c:\windows\qaqe.bat
c:\windows\qeromunoci.bat
c:\windows\qujuwopa.reg
c:\windows\rera.bin
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\asewohet.sys
c:\windows\system32\awixakoduh.vbs
c:\windows\system32\byxuzekod.reg
c:\windows\system32\drivers\gasfkyebwupqoy.sys
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\ewunekexe.bat
c:\windows\system32\gicogyjy.vbs
c:\windows\system32\jofu.sys
c:\windows\system32\lyjyxysofi.exe
c:\windows\system32\osihutig.bin
c:\windows\system32\pabogumo.pif
c:\windows\system32\qabekus.inf
c:\windows\system32\rejobedil._dl
c:\windows\system32\ulacesa.inf
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\yqeb.reg
c:\windows\system32\ysyrobohaj.scr
c:\windows\tipok.dl
c:\windows\unataqu._dl
c:\windows\utolimasu.exe
c:\windows\vizeqodub.dl
c:\windows\xubifobaf._dl
c:\windows\ybewy.dll
c:\windows\yjedywymav.exe
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.
2009-10-05 17:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-05 17:42 . 2009-10-05 17:42 -------- d--h--w- c:\windows\PIF
2009-10-05 13:17 . 2009-10-05 13:17 11942 ----a-w- c:\windows\ylidazuse.dat
2009-10-05 00:13 . 2009-10-05 00:13 -------- d-----w- c:\program files\Temp
2009-10-05 00:12 . 2009-10-05 00:12 -------- d-----w- c:\program files\Ttemp
2009-10-03 19:56 . 2009-10-05 00:11 -------- d-----w- c:\program files\Trend Micro
2009-10-03 19:49 . 2009-10-03 19:49 -------- d-----w- c:\program files\ERUNT
2009-10-01 20:16 . 2009-10-01 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 18:28 . 2009-10-01 20:33 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-01 18:05 . 2009-10-01 18:05 14893 ----a-w- c:\windows\yhiqyxe.dat
2009-10-01 17:49 . 2009-10-01 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-01 17:48 . 2009-10-01 17:48 -------- d-----w- c:\program files\Common Files\iS3
2009-10-01 17:48 . 2009-10-01 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-01 13:11 . 2009-10-01 13:11 10501 ----a-w- c:\windows\urihito.dat
2009-10-01 04:12 . 2009-10-01 04:12 17640 ----a-w- c:\windows\unedoto.com
2009-10-01 04:12 . 2009-10-01 04:12 11951 ----a-w- c:\windows\okokejo.dat
2009-10-01 04:05 . 2009-10-01 04:05 12362 ----a-w- c:\windows\zapi.dat
2009-10-01 03:29 . 2009-10-05 13:16 0 ----a-r- c:\windows\win32k.sys
2009-10-01 03:29 . 2009-10-01 03:29 57856 ----a-w- C:\vklebc.exe
2009-10-01 03:29 . 2009-10-01 03:29 46592 ----a-w- C:\hrngen.exe
2009-10-01 03:29 . 2009-10-01 03:29 52736 ----a-w- C:\afuqr.exe
2009-10-01 03:29 . 2009-10-01 03:29 12288 ----a-w- C:\qtpjjuur.exe
2009-10-01 03:29 . 2009-10-01 03:29 6144 ----a-w- C:\avjelge.exe
2009-10-01 03:28 . 2009-10-01 03:29 79360 ----a-w- C:\aefxixl.exe
2009-10-01 03:28 . 2009-10-01 03:29 17920 ----a-w- C:\qgferewy.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 17:43 . 2008-10-24 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-05 17:28 . 2008-10-24 21:45 -------- d-----w- c:\program files\McAfee
2009-10-05 16:04 . 2008-10-25 02:31 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-05 13:17 . 2009-10-05 13:17 15281 ----a-w- c:\program files\Common Files\exagim._sy
2009-10-01 20:37 . 2008-10-24 14:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-01 04:12 . 2009-10-01 04:12 10079 ----a-w- c:\documents and settings\Raymond\Application Data\uwudorexiq.dat
2009-09-29 20:05 . 2009-02-11 13:00 -------- d-----w- c:\documents and settings\Raymond\Application Data\U3
2009-09-28 13:37 . 2008-10-24 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-16 16:32 . 2008-10-24 21:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-08 17:44 . 2008-10-24 21:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2008-10-24 21:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2008-10-24 21:45 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:44 . 2008-10-24 21:45 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:43 . 2008-10-24 21:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\documents and settings\Raymond\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2008-10-29 253952]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-24 01:26]
2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-24 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-mserv - c:\documents and settings\Raymond\Application Data\svcst.exe
HKLM-Run-eDataSecurity Loader - c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 13:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3492)
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-05 14:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 18:03
Pre-Run: 67,637,608,448 bytes free
Post-Run: 69,542,277,120 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
333 --- E O F --- 2008-10-23 20:20
IndiGenus
2009-10-05, 21:36
Wow, that is quite a collection of stuff you picked up there.
1. Open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:
File::
c:\windows\urihito.dat
c:\windows\unedoto.com
c:\windows\okokejo.dat
c:\windows\zapi.dat
c:\windows\win32k.sys
C:\vklebc.exe
C:\hrngen.exe
C:\afuqr.exe
C:\qtpjjuur.exe
C:\avjelge.exe
C:\aefxixl.exe
C:\qgferewy.exe
c:\windows\ylidazuse.dat
c:\windows\yhiqyxe.dat
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply: Combofix.txt
Also see if you can run the Win32kDiag tool I had advised earlier and post that log.
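The CFScript above was built by hand from the "Files Created" section of the first ComboFix log: random-looking names dropped directly into c:\windows and the drive root, plus a zero-byte win32k.sys outside system32. As an added worked example (my own code, not part of this thread, ComboFix, or its author's tooling), the Python script below does the same triage mechanically: it splits a ComboFix log into its sections, parses the file entries, flags the entries matching those indicators, builds the File:: block, and also reports the security-weakening registry values visible in the "Reg Loading Points" section (firewall off, Security Center monitoring and update notices disabled). The embedded log is a constructed excerpt copied from lines of the log posted above, and the selection heuristics are this script's assumptions, not ComboFix's logic; a CFScript deletes whatever it lists, so review the output before dragging it onto ComboFix.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the ComboFix log posted in the thread (not a full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.
2009-10-05 17:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-05 13:17 . 2009-10-05 13:17 11942 ----a-w- c:\windows\ylidazuse.dat
2009-10-03 19:49 . 2009-10-03 19:49 -------- d-----w- c:\program files\ERUNT
2009-10-01 04:12 . 2009-10-01 04:12 17640 ----a-w- c:\windows\unedoto.com
2009-10-01 03:29 . 2009-10-05 13:16 0 ----a-r- c:\windows\win32k.sys
2009-10-01 03:29 . 2009-10-01 03:29 57856 ----a-w- C:\vklebc.exe
2009-10-01 03:28 . 2009-10-01 03:29 17920 ----a-w- C:\qgferewy.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")          # "(((( Section name ))))"
ENTRY_RE = re.compile(                                     # "created . modified size attrs path"
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S+) (.+)$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,10}\.[a-z_]{2,3}$")  # heuristic: "ylidazuse.dat", "vklebc.exe"

# (key fragment, value name, value that weakens security, description) -- assumed indicators.
CHECKS = [
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0, "Windows Firewall disabled (standard profile)"),
    ("security center\\monitoring\\", "DisableMonitoring", 1, "Security Center AV monitoring disabled"),
    ("security center", "UpdatesDisableNotify", 1, "Security Center update notifications disabled"),
]


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories, which ComboFix lists as "--------"
    attrs: str
    path: str


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the "(((( ... ))))" header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def section(sections: Dict[str, List[str]], prefix: str) -> List[str]:
    """Return the first section whose header starts with prefix (dates vary per run)."""
    return next((lines for name, lines in sections.items()
                 if name.lower().startswith(prefix.lower())), [])


def parse_file_entries(lines: List[str]) -> List[FileEntry]:
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append(FileEntry(created, modified, int(size) if size.isdigit() else None, attrs, path))
    return entries


def suspicious_files(entries: List[FileEntry]) -> List[Tuple[str, str]]:
    """Flag files dropped straight into the drive root or %windir% with random-looking
    names, and zero-byte .sys files (win32k.sys belongs in system32 and is never empty)."""
    hits = []
    for e in entries:
        if e.attrs.startswith("d"):          # directories are never selected
            continue
        parent, _, name = e.path.lower().rpartition("\\")
        reasons = []
        if e.size == 0 and name.endswith(".sys"):
            reasons.append("zero-byte .sys file")
        if parent in ("c:", "c:\\windows") and RANDOM_NAME_RE.match(name):
            reasons.append("random-looking name in " + ("drive root" if parent == "c:" else "%windir%"))
        if reasons:
            hits.append((e.path, "; ".join(reasons)))
    return hits


def parse_reg_value(raw: str) -> Optional[int]:
    """Handle both value renderings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def weakened_settings(lines: List[str]) -> List[str]:
    findings, key = [], ""
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*(.+)$', line)
        if not m:
            continue
        name, value = m.group(1), parse_reg_value(m.group(2))
        for fragment, vname, bad, desc in CHECKS:
            if fragment in key and name.lower() == vname.lower() and value == bad:
                findings.append(f"{desc}: [{key}] {name}={value}")
    return findings


def build_cfscript(paths: List[str]) -> str:
    """Emit the File:: directive block ComboFix accepts as CFScript.txt."""
    return "File::\n" + "\n".join(paths) + "\n"


def triage(log_text: str) -> dict:
    sections = split_sections(log_text)
    hits = suspicious_files(parse_file_entries(section(sections, "Files Created")))
    return {"suspicious": hits,
            "weakened": weakened_settings(section(sections, "Reg Loading Points")),
            "cfscript": build_cfscript([p for p, _ in hits])}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, why in result["suspicious"]:
        print(f"{path}  <- {why}")
    for finding in result["weakened"]:
        print("WEAKENED:", finding)
    print(result["cfscript"])
```

On the excerpt, the script selects exactly the five entries the helper picked from those lines (ylidazuse.dat, unedoto.com, the zero-byte win32k.sys, vklebc.exe, qgferewy.exe) and leaves proquota.exe and the ERUNT folder alone; the three registry findings are the ones to re-check after cleanup, since a disabled firewall and suppressed Security Center monitoring are what the rogue left behind to keep its own "alerts" credible.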
FlaCajun
2009-10-05, 21:59
Here is the latest log.
Going to run Win32kdiag.exe next.
ComboFix 09-10-04.01 - Raymond 10/05/2009 14:49.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.657 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Raymond\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FILE ::
"C:\aefxixl.exe"
"C:\afuqr.exe"
"C:\avjelge.exe"
"C:\hrngen.exe"
"C:\qgferewy.exe"
"C:\qtpjjuur.exe"
"C:\vklebc.exe"
"c:\windows\okokejo.dat"
"c:\windows\unedoto.com"
"c:\windows\urihito.dat"
"c:\windows\win32k.sys"
"c:\windows\yhiqyxe.dat"
"c:\windows\ylidazuse.dat"
"c:\windows\zapi.dat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\aefxixl.exe
C:\afuqr.exe
C:\avjelge.exe
C:\hrngen.exe
C:\qgferewy.exe
C:\qtpjjuur.exe
C:\vklebc.exe
c:\windows\okokejo.dat
c:\windows\unedoto.com
c:\windows\urihito.dat
c:\windows\win32k.sys
c:\windows\yhiqyxe.dat
c:\windows\ylidazuse.dat
c:\windows\zapi.dat
.
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.
2009-10-05 17:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-05 17:42 . 2009-10-05 17:42 -------- d--h--w- c:\windows\PIF
2009-10-05 00:13 . 2009-10-05 00:13 -------- d-----w- c:\program files\Temp
2009-10-05 00:12 . 2009-10-05 00:12 -------- d-----w- c:\program files\Ttemp
2009-10-03 19:56 . 2009-10-05 00:11 -------- d-----w- c:\program files\Trend Micro
2009-10-03 19:49 . 2009-10-03 19:49 -------- d-----w- c:\program files\ERUNT
2009-10-01 20:16 . 2009-10-01 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 18:28 . 2009-10-05 17:58 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-01 17:49 . 2009-10-01 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-01 17:48 . 2009-10-01 17:48 -------- d-----w- c:\program files\Common Files\iS3
2009-10-01 17:48 . 2009-10-01 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 17:43 . 2008-10-24 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-05 17:28 . 2008-10-24 21:45 -------- d-----w- c:\program files\McAfee
2009-10-05 16:04 . 2008-10-25 02:31 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-05 13:17 . 2009-10-05 13:17 15281 ----a-w- c:\program files\Common Files\exagim._sy
2009-10-01 20:37 . 2008-10-24 14:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-01 04:12 . 2009-10-01 04:12 10079 ----a-w- c:\documents and settings\Raymond\Application Data\uwudorexiq.dat
2009-09-29 20:05 . 2009-02-11 13:00 -------- d-----w- c:\documents and settings\Raymond\Application Data\U3
2009-09-28 13:37 . 2008-10-24 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-16 16:32 . 2008-10-24 21:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-08 17:44 . 2008-10-24 21:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2008-10-24 21:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2008-10-24 21:45 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:44 . 2008-10-24 21:45 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:43 . 2008-10-24 21:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]
c:\documents and settings\Raymond\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2008-10-29 253952]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-24 01:26]
2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-24 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 14:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-10-05 14:55
ComboFix-quarantined-files.txt 2009-10-05 18:55
ComboFix2.txt 2009-10-05 18:03
Pre-Run: 69,555,388,416 bytes free
Post-Run: 69,546,696,704 bytes free
180 --- E O F --- 2008-10-23 20:20
FlaCajun
2009-10-05, 22:04
Unable to run 'win32kdiag.exe'.
DOS window opens up, then an error message.
'16 bit MS-DOS Subsystem'
C:\DOCUME~1\Raymond\Desktop\WIN32K~1.EXE
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:0111 OP:63 72 69 70 74 Choose 'Close' to terminate application.
IndiGenus
2009-10-06, 01:28
STEP 1:
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
STEP 2:
We Need to check for Rootkits with RootRepeal
Download RootRepeal from the following location and save it to your desktop.
Zip Mirrors (Recommended)
Primary Mirror (http://rootrepeal.googlepages.com/RootRepeal.zip)
Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.zip)
Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.zip)
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror (http://ad13.geekstogo.com/RootRepeal.rar)
Secondary Mirror (http://ad13.geekstogo.com/RootRepeal.rar)
Secondary Mirror (http://rootrepeal.psikotick.com/RootRepeal.rar)
Extract RootRepeal.exe from the archive.
Open RootRepeal from the icon on your desktop.
Click the Report tab.
Click the Scan button.
Check all seven boxes.
Push Ok.
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
FlaCajun
2009-10-06, 01:41
Here is the DDS.txt file
DDS (Ver_09-09-29.01) - NTFSx86
Run by Raymond at 18:39:48.34 on Mon 10/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.582 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\Raymond\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\raymond\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se for sd\CameraMonitor.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
S2 0143791254781135mcinstcleanup;McAfee Application Installer Cleanup (0143791254781135);c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]
=============== Created Last 30 ================
2009-10-05 13:55 50,176 a------- c:\windows\system32\proquota.exe
2009-10-05 13:49 <DIR> a-dshr-- C:\cmdcons
2009-10-05 13:48 229,888 a------- c:\windows\PEV.exe
2009-10-05 13:48 161,792 a------- c:\windows\SWREG.exe
2009-10-05 13:48 98,816 a------- c:\windows\sed.exe
2009-10-05 13:42 <DIR> --d-h--- c:\windows\PIF
2009-10-04 20:13 <DIR> --d----- c:\program files\Temp
2009-10-04 20:12 <DIR> --d----- c:\program files\Ttemp
2009-10-03 15:56 <DIR> --d----- c:\program files\Trend Micro
2009-10-01 14:28 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-01 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-01 13:48 <DIR> --d----- c:\program files\common files\iS3
2009-10-01 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-01 13:11 <DIR> --d----- c:\windows\pss
2009-10-01 00:12 17,891 a------- c:\windows\xysewo._sy
2009-10-01 00:12 15,594 a------- c:\windows\hufy.lib
2009-10-01 00:12 10,079 a------- c:\docume~1\raymond\applic~1\uwudorexiq.dat
2009-10-01 00:05 17,340 a------- c:\windows\system32\anawan._sy
==================== Find3M ====================
2009-10-05 09:17 15,281 a------- c:\program files\common files\exagim._sy
============= FINISH: 18:39:59.35 ===============
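As an added illustration (not output or code from DDS, ComboFix, or the helper), here is a small Python triage script that re-parses two of the log sections posted in this thread: the ComboFix registry loading points, where this machine shows the Windows Firewall switched off and Security Center update and antivirus monitoring notifications disabled, and the DDS "Created Last 30" list, where the oddly named `._sy`, `.lib` and `.dat` files sit. The sample input is copied from the logs above; the flagging rules, the "healthy" registry expectations and the function names `parse_created`, `flag_created`, `parse_reg` and `flag_reg` are my own constructed assumptions, not vendor detection logic.

```python
"""Added triage example (not DDS, ComboFix or helper code): re-parse two log
sections shown in this thread and flag the entries a responder would look at.
Flagging rules are constructed heuristics for illustration, not vendor logic.
"""
import re

# Constructed sample input: lines copied from the DDS "Created Last 30" section above.
DDS_CREATED_LAST_30 = r"""
2009-10-05 13:55 50,176 a------- c:\windows\system32\proquota.exe
2009-10-05 13:49 <DIR> a-dshr-- C:\cmdcons
2009-10-05 13:48 229,888 a------- c:\windows\PEV.exe
2009-10-03 15:56 <DIR> --d----- c:\program files\Trend Micro
2009-10-01 00:12 17,891 a------- c:\windows\xysewo._sy
2009-10-01 00:12 15,594 a------- c:\windows\hufy.lib
2009-10-01 00:12 10,079 a------- c:\docume~1\raymond\applic~1\uwudorexiq.dat
2009-10-01 00:05 17,340 a------- c:\windows\system32\anawan._sy
"""

# Constructed sample input: registry lines copied from the ComboFix log above.
COMBOFIX_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

DDS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")

def parse_created(text):
    """Split each DDS line into timestamp, size, attributes and a lower-cased
    directory/name/extension so the rules below can reason about location."""
    records = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue  # blank lines and section headers
        when, size, attrs, path = m.groups()
        directory, _, name = path.lower().rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        records.append({"when": when, "is_dir": size == "<DIR>", "attrs": attrs,
                        "path": path, "dir": directory, "name": name,
                        "ext": dot + ext if dot else ""})
    return records

# Extensions one expects to see loose in the Windows root (constructed allowlist).
WINDOWS_ROOT_OK = {".exe", ".dll", ".ini", ".log", ".txt", ".bmp"}

def flag_created(records):
    """Return (path, reasons) for every file that matches a constructed rule."""
    findings = []
    for r in records:
        if r["is_dir"]:
            continue
        reasons = []
        if "_" in r["ext"]:
            reasons.append("non-standard extension containing an underscore")
        if r["dir"] == r"c:\windows" and r["ext"] not in WINDOWS_ROOT_OK:
            reasons.append("loose non-executable file in the Windows root")
        if re.search(r"\\(applic~1|application data)$", r["dir"]):
            reasons.append("file dropped directly in an Application Data root")
        if reasons:
            findings.append((r["path"], reasons))
    return findings

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(
    r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))')

# (key fragment, value name, value a healthy machine shows): constructed expectations
# for the three values in the ComboFix log above that leave the firewall off and
# Security Center notifications and AV monitoring disabled.
HEALTHY = [
    ("security center", "updatesdisablenotify", 0),
    ("security center\\monitoring", "disablemonitoring", 0),
    ("firewallpolicy\\standardprofile", "enablefirewall", 1),
]

def parse_reg(text):
    """Yield (key, value name, integer value) from REGEDIT4-style lines."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY.match(line)
        if km:
            key = km.group(1).lower()
            continue
        vm = REG_VALUE.match(line)
        if vm and key is not None:
            name, hexval, decval = vm.groups()
            yield key, name, int(hexval, 16) if hexval is not None else int(decval)

def flag_reg(text):
    """Return (value name, key, observed value) where a value deviates from HEALTHY."""
    findings = []
    for key, name, value in parse_reg(text):
        for fragment, wanted_name, wanted in HEALTHY:
            if fragment in key and name.lower() == wanted_name and value != wanted:
                findings.append((name, key, value))
    return findings

if __name__ == "__main__":
    for path, reasons in flag_created(parse_created(DDS_CREATED_LAST_30)):
        print(f"FILE {path}: {'; '.join(reasons)}")
    for name, key, value in flag_reg(COMBOFIX_REG):
        print(f"REG  {name}={value} under {key}")
```

Run against the copied lines, the file rules pick out exactly the four "Created Last 30" entries the helper later moved with OTM (the fifth, exagim._sy, appears in the Find3M section instead) and leave the ComboFix support binaries in c:\windows alone, while the registry rules report all three tampered Security Center and firewall values. The rules are deliberately narrow location-and-extension checks, so treat a hit as a reason to look closer, not as a verdict.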
FlaCajun
2009-10-06, 01:43
Here is the Attach.txt file
Proceeding with Step 2 of instructions.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/23/2008 12:52:59 PM
System Uptime: 10/5/2009 1:59:15 PM (5 hours ago)
Motherboard: Acer | | E946GZ
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 147 GiB total, 64.785 GiB free.
D: is FIXED (FAT32) - 1 GiB total, 1.449 GiB free.
E: is FIXED (NTFS) - 466 GiB total, 347.149 GiB free.
F: is FIXED (NTFS) - 932 GiB total, 561.121 GiB free.
G: is CDROM ()
H: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP281: 10/5/2009 1:58:22 PM - System Checkpoint
==== Installed Programs ======================
AAC Decoder
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Apple Software Update
AutoUpdate
DING!
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
ERUNT 1.1j
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Officejet Pro K550 Series
ImageMixer 3 SE for SD
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 10
LightScribe 1.4.74.1
Logitech iTouch Software
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Misc
MKV Splitter
Mozilla Thunderbird (2.0.0.23)
News Rover
NTI Backup NOW! 4
NTI CD & DVD-Maker
OCA Client history tool install
PowerDVD
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
The Works of W. Cleon Skousen Version 3.0.1
Toolbox
Trader Workstation 4.0
UGuide
Update for Windows XP (KB951072-v2)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
==== Event Viewer Messages From Past Week ========
9/30/2009 10:11:03 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
9/28/2009 9:18:48 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
9/28/2009 8:50:34 AM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
9/28/2009 8:50:33 AM, error: Service Control Manager [7000] - The eLock2BurnerLockDriver service failed to start due to the following error: The system cannot find the file specified.
10/5/2009 9:22:08 AM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
10/5/2009 9:22:08 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
10/5/2009 1:58:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/5/2009 1:51:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:48:47 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
==== End Of File ===========================
FlaCajun
2009-10-06, 02:00
Here is the text file from Step 2.
Also, I have 2 other hard drives that are data files only.
Let me know if those should be scanned with these tools.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/05 18:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: catchme.sys
Image Path: C:\Combo-Fix\catchme.sys
Address: 0xF787C000 Size: 31744 File Visible: No Signed: -
Status: -
Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF763C000 Size: 60416 File Visible: No Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9FDC000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ADE000 Size: 8192 File Visible: No Signed: -
Status: -
Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7B60000 Size: 6464 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7013000 Size: 49152 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
==EOF==
IndiGenus
2009-10-06, 02:49
I think we're getting there. :D:
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe).
Save it to your desktop.
Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:processes
explorer.exe
:files
c:\windows\xysewo._sy
c:\windows\hufy.lib
c:\docume~1\raymond\applic~1\uwudorexiq.dat
c:\windows\system32\anawan._sy
c:\program files\common files\exagim._sy
:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Your version of Java is outdated.
Please download JavaRa (http://raproducts.org/click/click.php?id=1) to your desktop and unzip it to its own folder
Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Use ATF Cleaner to remove temp files, cookies, cache, etc...
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php)
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a DDS log.
FlaCajun
2009-10-06, 03:16
During the running of OTM.exe, the system required a re-boot, which is what is happening right now.
Unable to select and copy the info in the results window.
FlaCajun
2009-10-06, 03:26
On re-boot, prompted for OTM.exe to run, clicked yes. File output below.
Spybot has detected a registry change and is asking for a response.
Category: System Startup user entry
Changes: Value deleted
Entry: mserv
Should the change be allowed?
Then do I proceed with the update of Java?
Also, McAfee is not enabled.
I see that the Process Explorer was killed.
Task Manager wouldn't open to stop the 'Antiviruspro 2010' process.
I downloaded ProcessExplorer.exe, which allowed the 'Antiviruspro2010' process to be stopped.
Was this a malware program?
All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
c:\windows\xysewo._sy moved successfully.
c:\windows\hufy.lib moved successfully.
c:\docume~1\raymond\applic~1\uwudorexiq.dat moved successfully.
c:\windows\system32\anawan._sy moved successfully.
c:\program files\common files\exagim._sy moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 65536 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: Raymond
->Temp folder emptied: 143645 bytes
->Temporary Internet Files folder emptied: 3822006 bytes
->Java cache emptied: 13296141 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 316312 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 16.88 mb
OTM by OldTimer - Version 3.0.0.6 log created on 10052009_201227
Files moved on Reboot...
Registry entries deleted on Reboot...
IndiGenus
2009-10-06, 03:45
On re-boot, prompted for OTM.exe to run, clicked yes. File output below.
Spybot has detected a registry change and is asking for a response.
Category: System Startup user entry
Changes: Value deleted
Entry: mserv
Should the change be allowed?
Yes, that change that prompted Spybot should be allowed. It was actually made by combofix and was an orphaned malware entry.
Then do I proceed with the update of Java?
Yes, move on.
Also, McAfee is not enabled.
Can you enable it?
I see that the Process Explorer was killed.
Task Manager wouldn't open to stop the 'Antiviruspro 2010' process.
I downloaded ProcessExplorer.exe, which allowed the 'Antiviruspro2010' process to be stopped.
Was this a malware program?
When you say it was killed, what do you mean? No, it's not Malware. It's a great Sysinternals program that's like task manager on steroids.
FlaCajun
2009-10-06, 04:24
Java has been installed. Although the number of choices doesn't make it easy.
Allowed all the registry changes.
However, at the end of it all, McAfee stopped what it suspected was a trojan.
Moving on to ATF Cleaner
IndiGenus
2009-10-06, 04:26
McAfee stopped what it suspected was a trojan
Any detail on what it was? File name? Location? Etc...?
FlaCajun
2009-10-06, 04:32
Reviewing the log it is 'Artemis!C8CB0F81183 (Trojan)'.
This is listed twice.
FlaCajun
2009-10-06, 04:33
No location. But the file was repaired and removed.
IndiGenus
2009-10-06, 04:33
Sounds like McAfee got it? If so, great.
EDIT: Could have been in combofix quarantine, which we'll clean out at the end.
FlaCajun
2009-10-06, 04:59
ATF Cleaner was successfully run.
Malwarebytes was successfully run. Log below.
McAfee warned of a registry change by Malwarebytes.
It was allowed.
3 detections by Malwarebytes were removed.
The computer is going to reboot.
Malwarebytes' Anti-Malware 1.41
Database version: 2911
Windows 5.1.2600 Service Pack 3
10/5/2009 9:51:57 PM
mbam-log-2009-10-05 (21-51-57).txt
Scan type: Quick Scan
Objects scanned: 99555
Time elapsed: 5 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Raymond\Favorites\Online Pharmacy News diazepam buy ambien, xanax, valium online.url (Rogue.Link) -> Quarantined and deleted successfully.
IndiGenus
2009-10-06, 05:00
Great, can you run and post a fresh DDS log.
FlaCajun
2009-10-06, 05:07
Attach.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/23/2008 12:52:59 PM
System Uptime: 10/5/2009 9:59:47 PM (1 hours ago)
Motherboard: Acer | | E946GZ
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 147 GiB total, 64.68 GiB free.
D: is FIXED (FAT32) - 1 GiB total, 1.449 GiB free.
E: is FIXED (NTFS) - 466 GiB total, 347.149 GiB free.
F: is FIXED (NTFS) - 932 GiB total, 561.121 GiB free.
G: is CDROM ()
H: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP281: 10/5/2009 1:58:22 PM - System Checkpoint
RP282: 10/5/2009 9:14:36 PM - Removed Java(TM) 6 Update 10
RP283: 10/5/2009 9:14:54 PM - Installed Java(TM) 6 Update 16
==== Installed Programs ======================
AAC Decoder
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Apple Software Update
AutoUpdate
DING!
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
ERUNT 1.1j
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Officejet Pro K550 Series
ImageMixer 3 SE for SD
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
LightScribe 1.4.74.1
Logitech iTouch Software
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Misc
MKV Splitter
Mozilla Thunderbird (2.0.0.23)
News Rover
NTI Backup NOW! 4
NTI CD & DVD-Maker
OCA Client history tool install
PowerDVD
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
The Works of W. Cleon Skousen Version 3.0.1
Toolbox
Trader Workstation 4.0
UGuide
Update for Windows XP (KB951072-v2)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
==== Event Viewer Messages From Past Week ========
9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2BurnerLockDriver service failed to start due to the following error: The system cannot find the file specified.
9/30/2009 10:11:03 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
9/28/2009 9:56:48 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
10/5/2009 9:22:08 AM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
10/5/2009 9:22:08 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
10/5/2009 8:12:28 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 2 time(s).
10/5/2009 8:12:28 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 1:58:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/5/2009 1:51:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:48:47 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
==== End Of File ===========================
FlaCajun
2009-10-06, 05:07
DDS.txt
DDS (Ver_09-09-29.01) - NTFSx86
Run by Raymond at 22:03:46.92 on Mon 10/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.599 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxpers.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Raymond\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\raymond\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se for sd\CameraMonitor.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
S2 0143791254781135mcinstcleanup;McAfee Application Installer Cleanup (0143791254781135);c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34248]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
=============== Created Last 30 ================
2009-10-05 21:41 <DIR> --d----- c:\docume~1\raymond\applic~1\Malwarebytes
2009-10-05 21:41 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-05 21:41 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-05 21:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 21:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-05 20:12 <DIR> --d----- C:\_OTM
2009-10-05 13:55 50,176 a------- c:\windows\system32\proquota.exe
2009-10-05 13:49 <DIR> a-dshr-- C:\cmdcons
2009-10-05 13:48 229,888 a------- c:\windows\PEV.exe
2009-10-05 13:48 161,792 a------- c:\windows\SWREG.exe
2009-10-05 13:48 98,816 a------- c:\windows\sed.exe
2009-10-05 13:42 <DIR> --d-h--- c:\windows\PIF
2009-10-04 20:13 <DIR> --d----- c:\program files\Temp
2009-10-04 20:12 <DIR> --d----- c:\program files\Ttemp
2009-10-03 15:56 <DIR> --d----- c:\program files\Trend Micro
2009-10-01 14:28 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-01 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-01 13:48 <DIR> --d----- c:\program files\common files\iS3
2009-10-01 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-01 13:11 <DIR> --d----- c:\windows\pss
==================== Find3M ====================
2009-10-05 21:14 411,368 a------- c:\windows\system32\deploytk.dll
============= FINISH: 22:04:14.31 ===============
IndiGenus
2009-10-06, 05:11
One more scan...hopefully.
I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.
*Note
It is recommended to disable your onboard antivirus program and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.
Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) or from here
http://www.kaspersky.com/virusscanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
* Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
* Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
* Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report. To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Animated tutorial
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif
(Note for Internet Explorer 7 users:
If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozilla.org/en-US/firefox/addon/1419
In your next reply post:
Kaspersky log
New DDS log taken after the above scan has run
FlaCajun
2009-10-06, 13:52
Still scanning. Progress 71%
Threats found: 12
Infected Objects found: 28
Suspicious objects found: 17
IndiGenus
2009-10-06, 15:10
Okay, post log when done. As with McAfee, I would bet most of that is already quarantined.
FlaCajun
2009-10-06, 22:31
Still scanning.
IndiGenus
2009-10-06, 22:32
Wow, how long ago did you start the scan? How big is the drive?
FlaCajun
2009-10-07, 03:36
Scan is 81% done.
There are 3 drives, with one of them being a Terabyte.
It should be done tomorrow morning.
IndiGenus
2009-10-07, 03:40
one of them being a Terabyte
Wow, no wonder it's taking so long.
FlaCajun
2009-10-07, 05:04
It is done.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, October 6, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, October 06, 2009 03:29:27
Records in database: 2919830
--------------------------------------------------------------------------------
Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics:
Objects scanned: 1225754
Threats found: 12
Infected objects found: 28
Suspicious objects found: 17
Scan duration: 23:20:42
File name / Threat / Threats count
C:\Documents and Settings\Raymond\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\Invest.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Raymond\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\PayPal.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
C:\Documents and Settings\Raymond\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\PayPal.dbx Infected: Trojan-Spy.HTML.Paylap.bj 1
C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\lizkavd.exe.vir Infected: Packed.Win32.Krap.ad 1
C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\seres.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fsd 1
C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\svcst.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.fsd 1
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir Infected: Packed.Win32.Krap.ad 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkyebwupqoy.sys.vir Infected: Packed.Win32.TDSS.z 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir Infected: Trojan.Win32.Sirefef.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir Infected: Backdoor.Win32.Bredolab.acl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan-Dropper.Win32.Mudrop.dxg 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-05_14.49.19.zip Infected: Packed.Win32.Krap.ad 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-05_14.49.19.zip Infected: Trojan.Win32.Vilsel.hga 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-05_14.49.19.zip Infected: Trojan.Win32.Sasfis.nzr 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-05_14.49.19.zip Infected: Trojan.Win32.Antavmu.exb 1
C:\Qoobox\Quarantine\[4]-Submit_2009-10-05_14.49.19.zip Infected: Trojan.Win32.Vilsel.hhr 1
C:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP281\A0023918.exe Infected: Packed.Win32.Krap.ad 1
C:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP281\A0023923.exe Infected: Trojan-Downloader.Win32.FraudLoad.fsd 1
C:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP281\A0023924.exe Infected: Trojan-Downloader.Win32.FraudLoad.fsd 1
C:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP281\A0023936.exe Infected: Packed.Win32.Krap.ad 1
C:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP281\A0023955.exe Infected: Trojan-Dropper.Win32.Mudrop.dxg 1
C:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP281\A0023959.sys Infected: Packed.Win32.TDSS.z 1
C:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP281\A0023968.exe Infected: Backdoor.Win32.Bredolab.acl 1
C:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\RP281\A0023974.dll Infected: Trojan.Win32.Sirefef.a 1
E:\Outlook Express\PayPal.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\Outlook Express\PayPal.dbx Infected: Trojan-Spy.HTML.Paylap.bj 1
F:\Document and Settings\Raymond\Local Settings\Temporary Internet Files\Content.IE5\BT0SI9MY\kdqrrj[1].htm Infected: Trojan.Win32.Sasfis.nzr 1
F:\Document and Settings\Raymond\Local Settings\Temporary Internet Files\Content.IE5\K0V11MDU\inst32A[1].com Infected: Trojan-Dropper.Win32.Mudrop.dxg 1
F:\Document and Settings\Raymond\Local Settings\Temporary Internet Files\Content.IE5\K0V11MDU\pziwjxb[1].htm Infected: Trojan.Win32.Vilsel.hhr 1
F:\Document and Settings\Raymond\Local Settings\Temporary Internet Files\Content.IE5\NCYZ3AV9\folzm[1].htm Infected: Trojan.Win32.Vilsel.hga 1
F:\Outlook Express\PayPal.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
F:\Outlook Express\PayPal.dbx Infected: Trojan-Spy.HTML.Paylap.bj 1
Selected area has been scanned.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/23/2008 12:52:59 PM
System Uptime: 10/5/2009 9:59:47 PM (25 hours ago)
Motherboard: Acer | | E946GZ
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 147 GiB total, 64.6 GiB free.
D: is FIXED (FAT32) - 1 GiB total, 1.449 GiB free.
E: is FIXED (NTFS) - 466 GiB total, 347.149 GiB free.
F: is FIXED (NTFS) - 932 GiB total, 561.121 GiB free.
G: is CDROM ()
H: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP281: 10/5/2009 1:58:22 PM - System Checkpoint
RP282: 10/5/2009 9:14:36 PM - Removed Java(TM) 6 Update 10
RP283: 10/5/2009 9:14:54 PM - Installed Java(TM) 6 Update 16
==== Installed Programs ======================
AAC Decoder
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Apple Software Update
AutoUpdate
DING!
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
ERUNT 1.1j
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Officejet Pro K550 Series
ImageMixer 3 SE for SD
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
LightScribe 1.4.74.1
Logitech iTouch Software
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Misc
MKV Splitter
Mozilla Thunderbird (2.0.0.23)
News Rover
NTI Backup NOW! 4
NTI CD & DVD-Maker
OCA Client history tool install
PowerDVD
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
The Works of W. Cleon Skousen Version 3.0.1
Toolbox
Trader Workstation 4.0
UGuide
Update for Windows XP (KB951072-v2)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
==== Event Viewer Messages From Past Week ========
9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2BurnerLockDriver service failed to start due to the following error: The system cannot find the file specified.
9/30/2009 10:11:03 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
9/29/2009 7:25:01 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
10/5/2009 9:22:08 AM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
10/5/2009 9:22:08 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
10/5/2009 8:12:28 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 2 time(s).
10/5/2009 8:12:28 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 1:58:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/5/2009 1:51:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:48:47 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
==== End Of File ===========================
FlaCajun
2009-10-07, 05:05
DDS.txt
DDS (Ver_09-09-29.01) - NTFSx86
Run by Raymond at 22:02:26.39 on Tue 10/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.649 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxpers.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Raymond\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\raymond\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se for sd\CameraMonitor.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
S2 0037731254797956mcinstcleanup;McAfee Application Installer Cleanup (0037731254797956);c:\windows\temp\003773~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\003773~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]
=============== Created Last 30 ================
2009-10-05 21:41 <DIR> --d----- c:\docume~1\raymond\applic~1\Malwarebytes
2009-10-05 21:41 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-05 21:41 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-05 21:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 21:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-05 20:12 <DIR> --d----- C:\_OTM
2009-10-05 13:55 50,176 a------- c:\windows\system32\proquota.exe
2009-10-05 13:49 <DIR> a-dshr-- C:\cmdcons
2009-10-05 13:48 229,888 a------- c:\windows\PEV.exe
2009-10-05 13:48 161,792 a------- c:\windows\SWREG.exe
2009-10-05 13:48 98,816 a------- c:\windows\sed.exe
2009-10-05 13:42 <DIR> --d-h--- c:\windows\PIF
2009-10-04 20:13 <DIR> --d----- c:\program files\Temp
2009-10-04 20:12 <DIR> --d----- c:\program files\Ttemp
2009-10-03 15:56 <DIR> --d----- c:\program files\Trend Micro
2009-10-01 14:28 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-01 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-01 13:48 <DIR> --d----- c:\program files\common files\iS3
2009-10-01 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-01 13:11 <DIR> --d----- c:\windows\pss
==================== Find3M ====================
2009-10-05 21:14 411,368 a------- c:\windows\system32\deploytk.dll
============= FINISH: 22:02:48.46 ===============
IndiGenus
2009-10-07, 05:47
Most everything found is either in combofix quarantine, or system restore, and we'll clean those out in a minute.
You also have some infected emails stashed away in Outlook. You will need to manually go in and remove those emails. We cannot simply delete the dbx files without potentially wiping out all your email. Looks like some fake Paypal emails.
C:\Documents and Settings\Raymond\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\Invest.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\Raymond\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\PayPal.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
C:\Documents and Settings\Raymond\Local Settings\Application Data\Identities\{7772A531-6B12-45EF-9B43-7D99B0E67F95}\Microsoft\Outlook Express\PayPal.dbx Infected: Trojan-Spy.HTML.Paylap.bj 1
E:\Outlook Express\PayPal.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
E:\Outlook Express\PayPal.dbx Infected: Trojan-Spy.HTML.Paylap.bj 1
F:\Outlook Express\PayPal.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 5
F:\Outlook Express\PayPal.dbx Infected: Trojan-Spy.HTML.Paylap.bj 1
Time for some housekeeping
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
The above procedure will:
Delete the following: ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
Let me know how it's running now also.
IndiGenus
2009-10-07, 05:50
Sorry,
Forgot about some of the other clean up.
Make sure you have an Internet Connection.
Double-click OTM.exe to run it.
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTM to reach the Internet, please allow the application to do so.
Click Yes to begin the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
You can also remove any of the other tools that we used if OTM doesn't get them.
FlaCajun
2009-10-07, 15:54
'ComboFix' cannot be found.
Tried running 'Combo-Fix /u', but same problem.
I am going to look for it on the C drive.
FlaCajun
2009-10-07, 15:59
Just finished a search for 'Combo*.*', no executables found. Just text files.
Also, McAfee and Spybot are idle.
I have an internet connection, but haven't gone to any websites, except Spybot Forum and those instructed.
Nor have any emails been checked.
It is presumed that the clean with 'OTM.exe' occurs after ComboFix /u is run.
Thanks,
Raymond
IndiGenus
2009-10-07, 19:58
Yes, I think we can presume clean at this point.
I had forgotten we renamed combofix. It was run from the desktop.
c:\documents and settings\Raymond\Desktop\Combo-Fix.exe
So it's not there any more?
Also, McAfee and Spybot are idle.
When you say idle do you mean they are not running protection? Are you able to turn them on?
It appears from your last DDS log that Spybot's TeaTimer was running. And at least part of McAfee is running. Sometimes programs will need to be re-installed after the clean due to damage done by the Malware.
IndiGenus
2009-10-07, 20:01
Also, if combofix cannot be uninstalled then you should manually reset System Restore to clean out those infected restore points.
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which may be infected anyway).
Click Start>Help and Support>Undo changes to your computer with System Restore
Select Create A Restore Point then click Next. Give it a name and then click Create
Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.
And the combofix quarantined files folder should be removed if still present. Delete Qoobox at the root of the C drive.
C:\Qoobox
FlaCajun
2009-10-07, 20:54
I don't know where combo-fix.exe is.
I don't recall deleting it from the desktop.
Would any of the programs that were run delete this file?
Some of the McAfee systems seem to be running.
I turned as many McAfee items off as I could for the Kaspersky scan.
I presume that if they could be turned off, they could be turned on.
McAfee has been turned on successfully.
Just got an 'Update Error' from McAfee.
It is asking for a reinstall of these programs.
Tried to do a manual update to McAfee, but same error.
McAfee will need to be reinstalled.
In checking the 'Task Manager', I didn't see 'Tea Timer' running. Could have missed it.
Do you want me to download comfix.exe and run it, then run dds.scr?
For the System Restore, do you want today's date to be used,
since all the other points may be worthless?
IndiGenus
2009-10-07, 21:10
Do you want me to download comfix.exe and run it, then run dds.scr?
No, I think you're okay.
For the System Restore, do you want today's date to be used,
since all the other points may be worthless?
You can use whatever name for the new point you like. Today's date is fine. We just want to make sure all the old ones are cleared.
Let me know how you make out with McAfee.
And you're right, don't see TeaTimer actually running in processes on last DDS log. It is called out to be from the registry.
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
You may want to check your settings in SpyBot. Or maybe that will need to be re-installed also.
FlaCajun
2009-10-07, 23:58
Well I don't know if trouble has found me. I am typing from another computer.
When I was typing on the previously infected computer attempting to type about the balloon window with a strange message, my wireless keyboard and mouse froze.
After resetting the wireless, the balloon disappeared.
The balloon said something about a file that I am not familiar with on 'E:\'.
Note: E drive started to go bad about 2 weeks ago.
When the balloon disappeared the keyboard and mouse worked.
I resumed typing and the lock up occurred again, which is why I am typing from another computer on the network.
The Task Manager on the task bar shows +50% CPU usage.
I disconnected the previously infected computer from the network and hence the internet.
Going to press the reset on the wireless.
The keyboard and mouse are back.
The CPU usage spikes to 51% then back to 0%.
The open windows are: IE7(spybot.com), Task Manager, McAfee security, Windows explorer.
CPU usage is locked at 50% and keyboard and mouse are locked up again.
I don't know what is going on. Never seen anything like this.
The only thing accessed in the internet world is spybot.com.
No emails have been checked nor web sites visited.
Only solitaire has been run.
Please advise.
FlaCajun
2009-10-08, 00:05
As CPU usage changes, the system idle process remains the same.
Attempting to locate which process is using the CPU, none of the other CPU numbers change.
When CPU usage is 50%, the mouse and keyboard lock up. When it drops back to 0% or 1%, the keyboard and mouse become functional again.
The CPU usage icon in the tray, remains at +50% even though the CPU usage on its bottom status bar changes.
McAfee appears to be running in the background, but can't update.
Don't think Spybot is running in the background.
The 'arrow' in the tray is not working.
FlaCajun
2009-10-08, 00:28
An error message came up. It was the same as in the balloon from the tray.
This time the message is in a window box on the middle of the desk top.
'Windows was unable to save all the data for the file e:\$Mft. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.'
Should I close the box?
Is this computer infected again?
FlaCajun
2009-10-08, 03:03
Also, the clock hasn't moved lately from 5:32PM.
Not sure if I should reboot, and if so, should it be into Safe Mode.
IndiGenus
2009-10-08, 04:42
Have you been able to identify which process is taking the CPU cycles? That would help.
I would try rebooting. Do you have a regular USB or PS2 mouse and keyboard combo you can try? I know sometimes those wireless set ups get flaky.
Did you re-install McAfee and Spybot?
Run and post another DDS log when you get a chance.
FlaCajun
2009-10-08, 05:12
No. The Task Manager wasn't working properly.
Thought about using Process Explorer, but chose not to.
McAfee and Spybot haven't been re-installed.
When do you want me to do that?
I will reboot the computer and run DDS and post the results.
Had to pull the power cord to reboot.
IndiGenus
2009-10-08, 05:17
You can use Process Explorer in place of task manager. That should show it.
I would re-install both of those programs asap.
I don't think the infection is still present or active, but it appears to have done quite a bit of damage here.
FlaCajun
2009-10-08, 05:18
ATTACH.txt
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-09-29.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/23/2008 12:52:59 PM
System Uptime: 10/7/2009 10:12:32 PM (0 hours ago)
Motherboard: Acer | | E946GZ
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 147 GiB total, 64.545 GiB free.
D: is FIXED (FAT32) - 1 GiB total, 1.449 GiB free.
E: is FIXED (NTFS) - 466 GiB total, 347.149 GiB free.
F: is FIXED (NTFS) - 932 GiB total, 561.121 GiB free.
G: is CDROM ()
H: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP281: 10/5/2009 1:58:22 PM - System Checkpoint
RP282: 10/5/2009 9:14:36 PM - Removed Java(TM) 6 Update 10
RP283: 10/5/2009 9:14:54 PM - Installed Java(TM) 6 Update 16
RP284: 10/6/2009 10:31:13 PM - System Checkpoint
==== Installed Programs ======================
AAC Decoder
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Apple Software Update
AutoUpdate
DING!
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
ERUNT 1.1j
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Officejet Pro K550 Series
ImageMixer 3 SE for SD
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 16
LightScribe 1.4.74.1
Logitech iTouch Software
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Misc
MKV Splitter
Mozilla Thunderbird (2.0.0.23)
News Rover
NTI Backup NOW! 4
NTI CD & DVD-Maker
OCA Client history tool install
PowerDVD
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
The Works of W. Cleon Skousen Version 3.0.1
Toolbox
Trader Workstation 4.0
UGuide
Update for Windows XP (KB951072-v2)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3
==== Event Viewer Messages From Past Week ========
9/30/2009 10:11:03 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
10/7/2009 3:09:52 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\D.
10/7/2009 3:09:52 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.
10/7/2009 3:09:52 PM, error: atapi [15] - The device, \Device\Ide\IdePort2, is not ready for access yet.
10/5/2009 9:22:08 AM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
10/5/2009 9:22:08 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
10/5/2009 9:17:30 AM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
10/5/2009 9:17:30 AM, error: Service Control Manager [7000] - The eLock2BurnerLockDriver service failed to start due to the following error: The system cannot find the file specified.
10/5/2009 8:12:28 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 2 time(s).
10/5/2009 8:12:28 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 1:58:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/5/2009 1:51:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:48:47 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
10/4/2009 10:31:58 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
==== End Of File ===========================
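The two "Event Viewer Messages" sections posted in this thread (this ATTACH.txt and the earlier one) list the same kinds of failures, and not in chronological order. As an added example, not part of the original thread and not part of the DDS tool, the Python script below parses lines in that DDS event format, sorts them into a timeline, and separates disk/controller events (Ntfs 55, Disk 11, atapi 15, the kind of errors that accompany the failing E: drive the poster describes) from Service Control Manager entries whose error text ("Access is denied", "The specified module could not be found") is what one sees when protection software or Windows Update has been interfered with. The sample lines are copied from the logs in this thread; the category names and the classification rules are my own assumptions, not anything the helper or the tool defines.

```python
import re
from datetime import datetime

# One line of the "Event Viewer Messages" section of a DDS ATTACH.txt looks like:
#   <M/D/YYYY> <H:MM:SS AM|PM>, <level>: <source> [<event id>] - <message>
EVENT_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# "The <name> service failed to start ..." / "The <name> service terminated ..."
SERVICE_RE = re.compile(r"^The (.+?) service (?:failed to start|terminated)")

# Assumed classification (mine, not DDS's): (source, event id) pairs that
# describe disk or controller health rather than software behaviour.
HARDWARE_EVENTS = {("Ntfs", 55), ("Disk", 11), ("atapi", 15)}

# Assumed: SCM error texts worth a second look when protection software fails.
BLOCKED_PATTERNS = ("Access is denied", "The specified module could not be found")

CATEGORIES = ("hardware", "service_blocked", "service_failure", "other")

# Sample input: lines copied verbatim from the two ATTACH.txt logs in this thread.
SAMPLE_LOG = r"""
9/30/2009 10:11:47 AM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
9/30/2009 10:11:03 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
10/5/2009 9:22:08 AM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
10/5/2009 9:22:08 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
10/5/2009 8:12:27 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/5/2009 1:48:47 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.
10/7/2009 3:09:52 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\D.
10/7/2009 3:09:52 PM, error: atapi [15] - The device, \Device\Ide\IdePort2, is not ready for access yet.
"""


def parse_event(line):
    """Parse one DDS event line into a dict, or return None if it is not one."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return {
        "time": ts,
        "level": m["level"],
        "source": m["source"],
        "event_id": int(m["event_id"]),
        "message": m["message"],
    }


def parse_log(text):
    """Parse every recognisable event line; skip headers, blanks and noise."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def service_name(message):
    """Extract the service name from a Service Control Manager message."""
    m = SERVICE_RE.match(message)
    return m.group(1) if m else None


def classify(ev):
    """Assign an event to one of the assumed triage categories."""
    if (ev["source"], ev["event_id"]) in HARDWARE_EVENTS:
        return "hardware"
    if ev["source"] == "Service Control Manager":
        if any(p in ev["message"] for p in BLOCKED_PATTERNS):
            return "service_blocked"
        return "service_failure"
    return "other"


def triage(text):
    """Bucket all events by category; every category key is always present."""
    buckets = {c: [] for c in CATEGORIES}
    for ev in parse_log(text):
        buckets[classify(ev)].append(ev)
    return buckets


def timeline(text):
    """Events in chronological order (DDS prints them grouped, not sorted)."""
    return sorted(parse_log(text), key=lambda ev: ev["time"])


if __name__ == "__main__":
    for ev in timeline(SAMPLE_LOG):
        svc = service_name(ev["message"]) or "-"
        print(f"{ev['time']:%Y-%m-%d %H:%M:%S} {classify(ev):16} "
              f"{ev['source']} [{ev['event_id']}] {svc}")
    for cat, evs in triage(SAMPLE_LOG).items():
        print(f"{cat}: {len(evs)}")
```

Running it prints the events in time order with their category and, for SCM entries, the service named in the message, followed by a per-category count. The point of keeping hardware events in their own bucket is that a helper reading such a log can see at a glance whether the remaining symptoms (lock-ups, the `$Mft` write failure on E:) line up with disk errors rather than with the removed infection.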
FlaCajun
2009-10-08, 05:19
DDS.txt
DDS (Ver_09-09-29.01) - NTFSx86
Run by Raymond at 22:14:50.96 on Wed 10/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.594 [GMT -4:00]
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Raymond\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\raymond\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se for sd\CameraMonitor.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
============= SERVICES / DRIVERS ===============
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
=============== Created Last 30 ================
2009-10-05 21:41 <DIR> --d----- c:\docume~1\raymond\applic~1\Malwarebytes
2009-10-05 21:41 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 21:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-05 21:41 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-05 21:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 21:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-10-05 20:12 <DIR> --d----- C:\_OTM
2009-10-05 13:55 50,176 a------- c:\windows\system32\proquota.exe
2009-10-05 13:49 <DIR> a-dshr-- C:\cmdcons
2009-10-05 13:48 229,888 a------- c:\windows\PEV.exe
2009-10-05 13:48 161,792 a------- c:\windows\SWREG.exe
2009-10-05 13:48 98,816 a------- c:\windows\sed.exe
2009-10-05 13:42 <DIR> --d-h--- c:\windows\PIF
2009-10-04 20:13 <DIR> --d----- c:\program files\Temp
2009-10-04 20:12 <DIR> --d----- c:\program files\Ttemp
2009-10-03 15:56 <DIR> --d----- c:\program files\Trend Micro
2009-10-01 14:28 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-01 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-01 13:48 <DIR> --d----- c:\program files\common files\iS3
2009-10-01 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-01 13:11 <DIR> --d----- c:\windows\pss
==================== Find3M ====================
2009-10-05 21:14 411,368 a------- c:\windows\system32\deploytk.dll
============= FINISH: 22:15:18.87 ===============
FlaCajun
2009-10-08, 05:35
Trying to install Spybot, but unable.
Error
C:\ProgramFiles\Spybot-Searh&Destroy\SpybotSD.exe
The existing file is marked as read-only.
Click Retry to remove the read-only attribute and try again, Ignore to skip this file, or Abort to cancel installation.
Went to a command prompt but couldn't change to the Spybot directory.
No matter how I typed it 'cd Spybot - Search & Destroy', the path couldn't be found.
Going to install McAfee next. Need to go to Comcast web site to do this.
McAfee is requesting an updated installer.
FlaCajun
2009-10-08, 05:36
Clicking retry to remove the attribute doesn't work.
FlaCajun
2009-10-08, 05:45
I uninstalled Spybot and rebooted.
Computer was disconnected from network and internet during reboot.
Using Windows Explorer to see if Spybot directory was deleted before a re-install. It wasn't. The only file in the folder was TeaTimer.exe.
Attempting to delete the folder and error message came up.
Cannot delete SpybotSD.exe:Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.
Checking in Task Manager & Process Explorer, SpybotSD.exe is not running.
FlaCajun
2009-10-08, 06:08
The file SpybotSD.exe is in the Spybot Directory.
Its attributes are archive, system & read-only.
Unable to change attribute.
Message says 'Not resetting system file', when I try to change the 'system' attribute. Similar for changing the other attributes.
Tried to force the deletion using the 'Del /F' switch, but to no avail.
Unable to change to the directory.
Also unable to delete directory.
Never seen anything like this before.
Is this attack against Spybot, or against Spybot because it was the spyware installed on the computer?
FlaCajun
2009-10-08, 06:14
Is there a deletion program that will delete a file regardless of attributes?
IndiGenus
2009-10-08, 06:25
Is there a deletion program that will delete a file regardless of attributes?
Let me know what files/folders are there (including the full path) and I'll give you a script to run to remove them.
FlaCajun
2009-10-08, 06:42
File
c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Directory
c:\Program Files\Spybot - Search & Destroy\
Both directory and file attributes couldn't be changed.
A message was only given for the exe file.
At the DOS prompt, I was unable to change directories to c:\Program Files\Spybot - Search & Destroy
I could change to 'C:\Program Files', but that was it.
FlaCajun
2009-10-08, 07:02
Holy Sh..
Just installed McAfee and during the subsequent install reboot,
I am at a start-up screen, getting a DOS like prompt,
'DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER.'
What is going on?
FlaCajun
2009-10-08, 07:24
Pulled the power cord & now it boots up.
McAfee is scanning the PC as part of its final install process.
FlaCajun
2009-10-08, 07:34
McAfee installed and doing a full scan.
This will take several hours probably.
IndiGenus
2009-10-08, 15:28
Holy Sh..
Just installed McAfee and during the subsequent install reboot,
I am at a start-up screen, getting a DOS like prompt,
'DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER.'
What is going on?
That's a potential hardware issue. After all is said and done here (if we ever get to that point), you should run some diagnostics on your drive(s). At the minimum run chkdsk on them.
IndiGenus
2009-10-08, 15:29
McAfee installed and doing a full scan.
This will take several hours probably.
Glad it came back. Let me know how you make out.
FlaCajun
2009-10-08, 18:51
Here is the scan log from McAfee.
If there are any typo errors, it is because I had to type it from the logs.
Unable to copy and paste.
Also, after the scan was run, I attempted to delete Spybot directory and SpybotSD.exe, but unable.
Could this file be a hidden virus/trojan?
McAfee has been run. Results below.
Files Detected - 21
Critical PC Files Detected - 6
c:\QOOBOX\QUARANTINE\[4]-SUBMIT_2009-10-05_14.49.19.ZIP
Type:Trojan
Name:Generic Drooper!bcv, Generic Drooper!bcv
HKEY_USERS\S-1-5-21-3455111477-815822944-398594984-3985949846-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg
SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg
HKEY_USERS\S-1-5-21-3455111477-815822944-3985949846-21005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|HIDDEN
Type:Trojan
Name:Vundo.gen.bg
HIDDEN
Type:Trojan
Name:Vundo.gen.bg
HKEY_USERS\S-1-5-21-3455111477-815822944-3985949846-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg
SUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg
c:\qoobox\quarantine\[4]-submit_2009-10-05_14.49.19.zip
Type:Trojan
Name:Vundo.gen.bg, Vundo.gen.bg, Vundo.gen.bg, Generic.dx!fob, Generic.dx!fob, Generic.dx!fmr, Generic.dx!fmr, Artemis!D09014A416E8, Artemis!D09014A416E8
C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\liskavd.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter
C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\seres.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter
C:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\svcst.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir
Type:Trojan
Name:Generic.dx!fmz
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
Type:Trojan
Name:Artemis!723624C33998
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gasfkyebwupqoy.sys.vir
Type:Trojan
Name:Artemis!SF1E85A7B08A
C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir
Type:Trojan
Name:Artemis!C2010E473528
c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023918.exe
Type:Trojan
Name:FakeAlert-XPSecCenter
c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023923.exe
Type:Trojan
Name:FakeAlert-XPSecCenter
c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023924.exe
Type:Trojan
Name:FakeAlert-XPSecCenter
c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023936.exe
Type:Trojan
Name:FakeAlert-XPSecCenter
c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023968.exe
Type:Trojan
Name:Artemis!C2010E473528
c:\system volume information\_restore{6878E952-D0C8-4B42-9C1D-8CE4EE7F9B17}\A0023974.dll
Type:Trojan
Name:Generic.dx!fmz
f:\document and settings\raymond\local settings\temporary internet files\content.ie5\bt0si9my\cyijjxb[1].htm
Type:Trojan
Name:Vundo.gen.bg, Vundo.gen.bg, Vundo.gen.bg
F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\BTt0SI9my\KDQRRJ[1].HTM
Type:Trojan
Name:Generic.dx!fmr, Generic.dx!fmr
F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K0V11MDU\INST32A[1].HTM
Type:Trojan
Name:Artemis!723624C33998, Artemis!723624C33998
F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K0V11MDU\PZIWJXB[1].HTM
Type:Trojan
Name:Artemis!2bbb8C20252C, Artemis!2bbb8C20252C
F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\NCYZ3AV9\FOLZM[1].HTM
Type:Trojan
Name:Artemis!D584F8DFAF60, Artemis!D584F8DFAF60
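Added example, not code from the thread or from McAfee: a small Python triage script for a hand-typed listing like the one above. It parses the three-line records and sorts each hit by where it lives (ComboFix quarantine, a system restore point, the IE cache, a registry value, or a live file), so it is clear which hits are inert copies and which still need cleanup. The sample listing is constructed from a few of the entries above, with the SID and restore-point GUID replaced by placeholders and one constructed live-file hit added.

```python
"""Added example (not from the thread or from McAfee): triage a hand-typed
McAfee scan listing.

Each detection in the listing is three lines:
    <location>
    Type:<category>
    Name:<detection>[, <detection> ...]
The location is a file path, a registry key with "|VALUE" appended, or a bare
value name when the key was dropped while retyping.  Header lines such as
"Files Detected - 21" are not followed by Type:/Name: and are discarded.
"""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Detection:
    location: str
    bucket: str
    dtype: str = ""
    names: list = field(default_factory=list)


# Where a hit lives; the first matching rule wins.  Hits already sitting in a
# quarantine, a restore point or the browser cache are inert copies; registry
# values and files elsewhere are still active on the system.
BUCKET_RULES = [
    ("quarantine", re.compile(r"^[a-z]:\\qoobox\\", re.I)),
    ("restore_point", re.compile(r"\\system volume information\\_restore", re.I)),
    ("ie_cache", re.compile(r"\\temporary internet files\\", re.I)),
    ("registry", re.compile(r"^HKEY_", re.I)),
    ("registry_value_only", re.compile(r"^[A-Z_]+$")),
]
NEEDS_ACTION = {"live_file", "registry", "registry_value_only"}


def classify(location):
    for bucket, rx in BUCKET_RULES:
        if rx.search(location):
            return bucket
    return "live_file"


def parse_scan(text):
    """Return a list of Detection records in listing order."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        lower = line.lower()
        if lower.startswith("type:"):
            if current is not None:
                current.dtype = line.split(":", 1)[1].strip()
        elif lower.startswith("name:"):
            if current is not None:
                current.names = [n.strip() for n in line.split(":", 1)[1].split(",")]
                records.append(current)
                current = None
        else:
            # Any other line starts a new record; an unfinished one is dropped.
            current = Detection(location=line, bucket=classify(line))
    return records


def summarize(records):
    """Count hits per bucket and the number of records each family appears in."""
    by_bucket = Counter(r.bucket for r in records)
    families = Counter(name for r in records for name in set(r.names))
    return by_bucket, families


def needs_action(records):
    """Hits that are not inert copies and so still need cleanup or a registry fix."""
    return [r for r in records if r.bucket in NEEDS_ACTION]


# Constructed sample: a few entries from the listing above, with the SID and
# restore-point GUID replaced by placeholders and one constructed live-file hit.
SAMPLE_LOG = r"""
Files Detected - 7
c:\qoobox\quarantine\[4]-submit_2009-10-05_14.49.19.zip
Type:Trojan
Name:Vundo.gen.bg, Vundo.gen.bg, Generic.dx!fob
HKEY_USERS\S-1-5-21-SID-PLACEHOLDER-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg
SHOWSUPERHIDDEN
Type:Trojan
Name:Vundo.gen.bg
C:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe.vir
Type:Trojan
Name:FakeAlert-XPSecCenter
c:\system volume information\_restore{GUID-PLACEHOLDER}\A0023918.exe
Type:Trojan
Name:FakeAlert-XPSecCenter
F:\DOCUMENT AND SETTINGS\RAYMOND\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\K0V11MDU\INST32A[1].HTM
Type:Trojan
Name:Artemis!723624C33998, Artemis!723624C33998
C:\WINDOWS\system32\constructed_live_sample.dll
Type:Trojan
Name:Generic.dx!fmz
"""

if __name__ == "__main__":
    recs = parse_scan(SAMPLE_LOG)
    by_bucket, families = summarize(recs)
    print("hits per location:", dict(by_bucket))
    print("records per family:", dict(families))
    for r in needs_action(recs):
        print("still active:", r.bucket, r.location, ", ".join(sorted(set(r.names))))
```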
IndiGenus
2009-10-08, 19:16
We've gone around in circles here a bit so I'm not sure what you've actually done or not....
qoobox folder (from combofix) is still there - I had advised to delete earlier - we'll move it with OTM
system restore points are still infected - did you clear out your old restore points?
Not sure if you still have OTM or not. If you do, ignore download part of instructions.
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe).
Save it to your desktop.
Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:processes
explorer.exe
:files
c:\qoobox
c:\Program Files\Spybot - Search & Destroy
:commands
[purity]
[emptytemp]
[start explorer]
[reboot]
Was McAfee able to deal with any of those Vundo registry entries? Why don't you run it again after doing the above steps with OTM and hopefully we will be closer.
Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
FlaCajun
2009-10-08, 19:35
No I didn't do the deletion nor the clearing of the system restore points.
When the computer 'bizarrely' got hung up, I wasn't sure what to do.
Do you want me to take care of the restore points before OTM?
IndiGenus
2009-10-08, 19:52
No I didn't do the deletion nor the clearing of the system restore points.
When the computer 'bizarrely' got hung up, I wasn't sure what to do.
Do you want me to take care of the restore points before OTM?
Okay no problem. With all the "happenings" going on here it's hard to keep track.
Doesn't matter if you do the restore points before or after OTM, either way.
FlaCajun
2009-10-08, 20:15
The restore point has been made and the others have been cleaned up.
Regarding the Vundo registry entries, McAfee has quarantined everything.
Also, the spybot directory with SpybotSD.exe in it is gone.
There is a Spybot.exe in c:\_OTM\MovedFiles\...\Program Files\Spybot ...\ directory.
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
c:\Qoobox\Quarantine\Registry_backups moved successfully.
c:\Qoobox\Quarantine\C\WINDOWS\system32\wbem moved successfully.
c:\Qoobox\Quarantine\C\WINDOWS\system32\drivers moved successfully.
c:\Qoobox\Quarantine\C\WINDOWS\system32 moved successfully.
c:\Qoobox\Quarantine\C\WINDOWS moved successfully.
c:\Qoobox\Quarantine\C\Program Files\Common Files moved successfully.
c:\Qoobox\Quarantine\C\Program Files\AntivirusPro_2010 moved successfully.
c:\Qoobox\Quarantine\C\Program Files moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu\Programs\AntivirusPro_2010 moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu\Programs moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Start Menu moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings\Temporary Internet Files moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings\Application Data moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Local Settings moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Cookies moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft\Internet Explorer\Quick Launch moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft\Internet Explorer moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data\Microsoft moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond\Application Data moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\Raymond moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\All Users\Documents moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings\All Users moved successfully.
c:\Qoobox\Quarantine\C\Documents and Settings moved successfully.
c:\Qoobox\Quarantine\C moved successfully.
c:\Qoobox\Quarantine moved successfully.
c:\Qoobox\BackEnv moved successfully.
c:\Qoobox moved successfully.
c:\Program Files\Spybot - Search & Destroy moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
User: Raymond
->Temp folder emptied: 89540458 bytes
->Temporary Internet Files folder emptied: 48595615 bytes
->Java cache emptied: 25621446 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 17891 bytes
RecycleBin emptied: 7101106 bytes
Total Files Cleaned = 163.09 mb
OTM by OldTimer - Version 3.0.0.6 log created on 10082009_125831
Files moved on Reboot...
Registry entries deleted on Reboot...
FlaCajun
2009-10-08, 21:20
Spybot has been successfully installed.
It is now starting a system scan after immunization.
IndiGenus
2009-10-08, 23:02
Great, sounds like some progress.
How's everything else running?
FlaCajun
2009-10-08, 23:27
The scan is complete. Mostly cookies found.
However, there were 2 files, Virtumonde.sdn & Win32TDSS.rtk.
Looks like one of them is one of the tools used during the cleanup.
These are all going to be eliminated.
Computer seems to be running well.
Part of the Spybot Log pertaining to the detected files.
--- Search result list ---
Virtumonde.sdn: [SBI $70056CE6] Data (File, nothing done)
C:\WINDOWS\system32\mababaza
Properties.size=1744
Properties.md5=74F78EC148A72FD7D55B94EFACEDFC7F
Properties.filedate=1246418982
Properties.filedatetext=2009-06-30 23:29:42
Win32.TDSS.rtk: [SBI $085B493C] Data (File, nothing done)
C:\Documents and Settings\All Users\Documents\ijujal._sy
Properties.size=17915
Properties.md5=9C4A58FF5F656A976BA2B3A6F9E998E0
Properties.filedate=1254402689
Properties.filedatetext=2009-10-01 09:11:29
MediaPlex: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
HitBox: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
Right Media: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
FastClick: Tracking cookie (Internet Explorer: Raymond) (Cookie, nothing done)
IndiGenus
2009-10-08, 23:34
Looks like Spybot didn't get those malware traces. You can have OTM take care of them. Just feed the following script into OTM and run it as you did before.
:processes
explorer.exe
:files
C:\WINDOWS\system32\mababaza
C:\Documents and Settings\All Users\Documents\ijujal._sy
:commands
[emptytemp]
[start explorer]
[reboot]
Post the log back so we can see if OTM took care of them.
FlaCajun
2009-10-08, 23:47
The items have been successfully removed.
Questions,
How did the computer get this virus with McAfee and Spybot?
The web sites I visit have never been a problem in the past.
Wednesday before last, I went to a late dinner,
left browser windows open from trusted sites that I have left open
many times before, without a problem ... except for one.
When I came back, the computer was infected with Antiviruspro2010.
And it appears, from my amateur eyes, it may have been a combination of infections.
The one website in question is one I have been visiting for the past 3 to 4 weeks. It is an anti-government, anti-FDA, anti-AMA, anti-Big Pharma, anti-orthodox treatment website. The website visited, ... an alternative cancer website which espouses good, solid science with excellent successful results.
FlaCajun
2009-10-08, 23:52
Here are the results.
What happens with the c:\_OTM directory and files.
Is that to be deleted?
All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
File/Folder C:\WINDOWS\system32\mababaza not found.
File/Folder C:\Documents and Settings\All Users\Documents\ijujal._sy not found.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: LocalService
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes
User: Raymond
->Temp folder emptied: 554448 bytes
->Temporary Internet Files folder emptied: 17763479 bytes
->Java cache emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 500104 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 18.07 mb
OTM by OldTimer - Version 3.0.0.6 log created on 10082009_164828
Files moved on Reboot...
Registry entries deleted on Reboot...
IndiGenus
2009-10-09, 00:09
The items have been successfully removed.
Questions,
How did the computer get this virus with McAfee and Spybot?
The web sites I visit have never been a problem in the past.
Wednesday before last, I went to a late dinner,
left browser windows open from trusted sites that I have left open
many times before, without a problem ... except for one.
When I came back, the computer was infected with Antiviruspro2010.
And it appears, from my amateur eyes, it may have been a combination of infections.
The one website in question is one I have been visiting for the past 3 to 4 weeks. It is an anti-government, anti-FDA, anti-AMA, anti-Big Pharma, anti-orthodox treatment website. The website visited, ... an alternative cancer website which espouses good, solid science with excellent successful results.
Ahhhh, the big question we seem to get in here quite a bit. Several factors at play here, let's see if I can clarify and hopefully provide some insight.
1. No security product(s) will catch everything. There are always new threats coming out. A constant battle between the Malware developers and the security companies will ensue.
2. You said multiple infections. All it takes is one. Once that has happened all kinds of new threats can wind up on the machine, downloaded and installed by the initial piece of Malware. The quicker this can be stopped or slowed, the better. But all it takes is a matter of seconds really. So one would hope our firewall would come to save the day and block the inflow. This may, or may not happen depending on the firewall settings, malware, etc........ you get the idea?
3. It wouldn't surprise me that such an ANTI anything site would be a place to plant exploits. Whether done by the owners of the site to help pay for it, or by the bad guys because the site itself was exploited. This can and does happen to perfectly legit. sites all the time. Big news sites like CNN. Google search results get hijacked. You name it, if it's big and popular, it's a target.
Now, you ask, how do I stop it in the future. It's a combination of knowledge (which hopefully we gave you a bit here) and a layered approach of good tools, OS and application updates, and general safe surfing (not using file sharing, visiting risky sites such as porn sites, etc....).
Here is my plan.
In addition to updating and using what you currently have you may want to consider the following:
Does your McAfee suite have a Firewall? If so, great. If not, let me know and I can advise some good free choices.
Install SpywareBlaster - SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/index.php?showtutorial=49)
Install Winpatrol -
Use Winpatrol (http://www.winpatrol.com/) to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here (http://www.winpatrol.com/features.html)
Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.
Keep your applications up to date -
Use Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) to help stay on top of application updates that could leave your PC vulnerable to attack.
IndiGenus
2009-10-09, 00:11
Oh, forgot to add....
What happens with the c:\_OTM directory and files.
Is that to be deleted?
Run the tool, then click on the cleanup button. It will self destruct along with the files/folders it created. Any other tools we had you run that OTM doesn't clean up can be removed also.
FlaCajun
2009-10-09, 03:31
OTM was successfully run to cleanup.
Regarding your suggestions,
McAfee has a firewall and it is installed.
I will install the recommended files.
Although getting through this has been a pain in the arse,
it has also been an interesting and learning experience,
especially watching a knowledgeable person perform their skills.
I would much rather do, watch and learn this cleanup,
than have someone blow away the drive, then perform all of the installs.
I would much rather have my money go to you, than
a reformatting computer store, which it will.
Donation to follow.
Thank you very much IndiGenus for your patience and all of your help.
You all are like guardian angels against the sizable forces of evil.
All the best,
FlaCajun
IndiGenus
2009-10-09, 03:43
Thanks for donating to the site. :thanks:
I'm glad we could help out and hopefully you can stay clean. But if not you know where to come....;)
I'll leave the thread open a couple days in case you have any issues or questions.
Regards,
Dave