Results 1 to 10 of 10

Thread: virtumonde.sdn/win32.delf.uc/win32.joleee.k

  1. #1
    Junior Member
    Join Date
    Jul 2009
    Posts
    9

    Default virtumonde.sdn/win32.delf.uc/win32.joleee.k

    I am at my wit's end, and about to pull out whatever hair God hasn't already taken away from me. I have reformatted & reinstalled Windows 3 times in the past 48 hours trying to rid myself of this virus, to no avail. Before I post the HijackThis log, let me explain:
    My computer began acting strangely about a week ago, with Data Execution Prevention stopping major processes from running. I couldn't even open Windows Explorer. It only worked in safe mode. I also noticed shortcuts on my desktop to porn websites. So I reformatted the C drive and reinstalled Windows. After installing a few essential programs (NIC drivers, sound card, etc.), I noticed the problem popped up again. So I reformatted and reinstalled again, and started the process anew, making sure this time the first things I installed were AVG and Spybot, along with Ghost to try and make sure if anything went wrong I had a clean system. That didn't work. I had tried to System Restore, but it wouldn't let me. I had noticed (in safe mode) that a restore point had been created after something called "Software Distribution System 3.0" had been installed, which I knew I hadn't installed. So I did some research on it, and found that it's a byproduct of Windows automatic updates that opens a hole in security. So I opted to reformat and reinstall Windows a third time, making sure to turn off automatic updates. I installed several programs and thought everything was ok when I went to bed last night. I woke up this morning, turned on the computer, and ran into the same DEP problem again. When I checked system restore in safe mode, however, SDS3 wasn't there. But the three aforementioned viruses were, according to Spybot. I ran S&D, and it told me it removed the problems. When I restarted, thought, DEP kicked in again. I don't want to have to reinstall Windows AGAIN, so I installed Hijack, and here's the log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:25:54 AM, on 7/4/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO}
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
    O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Anthony\reader_s.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\Anthony\reader_s.exe (User 'Default user')
    O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files\Common Files\Logishrd\eReg\Common\eReg.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

    --
    End of file - 3088 bytes

    If someone could help me before I throw the computer out the window and buy a Mac, that would be great.

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello njpantherfan

    Welcome to Safer Networking.

    Please read Before You Post
    That said, All advice given by anyone volunteering here, is taken at your own risk.
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

    Got bad news for you

    Your computer is infected with Virut this virus is non-cleanable, it infects all your .exe files on your system along with most things that are backed up. The only way around this I am afraid is to do a complete format, I mean wipe the hard drive down to bare metal, reinstall windows and do not re install any of your programs, I am afraid there all lost as is most of your backed up documents and such. You should reinstall the video, sound and lan from the manufacturers website that are clean, do not use any saved .exe installation files.

    More info for you


    You have a real nasty infection on your system. Virut/Virtob is a file infector virus with IRC bot functionality which infects all .exe and .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. When disinfection is attempted, the files become corrupted and the system may become irreparable.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

    If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

    You can try the AVG Virut Remover. Follow the instructions exactly as specified and pay close attention to the instructions including the note on administrator rights. If that does not work, there may be no recovery from this infection. The only thing you can do then is reformat and reinstall Windows.

    Virut/Virtob is contracted and spread by visiting remote, crack and keygen sites. Those who attempt to get software for free may end up with a computer system so badly damaged that recovery is not possible and a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install removes everything.

    More info
    http://www.f-secure.com/v-descs/virus_w32_virut.shtml



    This system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

    Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

    Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

    Recent variants also modify htm, html, asp and php files.

    Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

    See miekiemoes' blog for similar comments here:
    http://miekiemoes.blogspot.com/2009/02/vir...s-throwing.html


    If you need help reinstalling correctly let me know and I can link you to some windows support sites that can help you. You may have to download the files you need for the installation from a known clean computer and tranfer them via disk to the newly formated computer. Use a CD, not a thumb drive or that can become infected also.


    Sorry for being the bearer of bad news but this is one of the worst infections to come down the pike a awhile
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Junior Member
    Join Date
    Jul 2009
    Posts
    9

    Angry

    So does that mean that the infection has spread beyond my system drive and into my other, non-system drives, or does that explain why no matter how many times I've reformatted, the virus keeps coming back? Because I don't care about reformatting the C drive, but if I have to lose ALL my data, I'm going to be quite upset.

  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    This infection infects all .exe files, which means if you used backups of the files to install your video, sound and lan when you reinstalled windows means that you most likely reinfected your system. I also see you have Norton Ghost and its on your system after you reinstalled windows, so you infected yourself that way also. As far as your other drives, don't know, if they where connected and when you got infected I would say any .exe files on them are infected as well. The thing to do as I posted earlier is to download any install files from the manufacturer of your system from a known clean computer, like the files to install windows components, as far as any other programs that you have installed , you may have to redownload them and reinstall, dont use any backup copies you saved. This infection is a real PITA, its one of the worse we have seen in awhile. If you do online banking or purchase from sites like amazon and use a credit card, they could be compromised as well.

    If you need help reinstalling your OS, let me know and I will link you to some windows support sites, you have to let them know that your infected with Virut and have to start from a clean slate.

    Macs, as they are becoming more popular, the dirtbags that write this garbage are starting to attack them also.

    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Junior Member
    Join Date
    Jul 2009
    Posts
    9

    Default

    OK, before reformatting I removed all .EXE files from my non-system drives. The biggest pain was my backup folder of all my programs I usually reinstall when I reload Windows; that was likely the biggest culprit, as I now realize that I never had problems until I began installing those programs on a clean system. At any rate, I wiped the C drive clean (yet again) and reinstalled Windows. I also disconnected the other non-system hard drives so that they don't even show up on the system. I want to know if this infection still exists, and if so limit it to the C drive before I reintroduce the other drives. In addition, I'm going to attach those drives to a known clean computer and run a full virus scan on them before reattaching them to my system.

    Also, I've noticed that Software Distribution System 3.0 keeps popping up. I read on other forums that it was problematic for them. When I removed the system update that created it, however, it wouldn't let me download any new Windows Updates until I reinstalled it. Is that a known problem, or is it merely a potential infect site that gets exploited by hackers?

    Sorry for being a PITA, but you have no idea the hours I've wasted the last few days working on this when I could have been productive. Right now everything seems kosher (knock on wood), so I'm hoping it stays that way and that we've managed to isolate the problem and remove it. Thanks so much for your assistance; otherwise I would have just kept reinstalling the same programs over & over again.

  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello,

    Sorry for being a PITA, but you have no idea the hours I've wasted the last few days working on this when I could have been productive.
    <-- This is why we're here, no way no how are you a PITA.

    Software Distribution Service 3.0 is Windows Update. <--Don't really know a way around this , but I am sure there is. Why dont you post in a windows forum for help with that as we just do malware removal on this one.

    Windows Support <-- Our sister site


    Do you have access to an older computer that has a virus scanner on it that you can check those drives, I hate to see you possibly infect a good computer. To tell you the truth, I am not sure if those other drives are infected or not so be careful.

    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #7
    Junior Member
    Join Date
    Jul 2009
    Posts
    9

    Default

    OK, don't know if I should continue the current thread or move this to a new one, but I opted to stick with this one since it seems to stem from the same problem. I wiped the system as described, and ran a virus check on the other hard drives to see if they were also infected. Something came up while I ran Norton 360: Infostealer.Gampass (I think that's how it was spelled). After fixing it as per Norton's instructions, it came back on reboot. I don't know how it ended up on there after the reformat, but if you could assist me with this, or notify me if there's more I need to do than just tell you about it, I'd appreciate it Ken. Regardless of what you say I know I'm a PITA lol.

  8. #8
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    What type drives are we talking about, are they second hard drives or external hard drives? If you have them hooked up to the other system and have internet access than run these programs on them


    Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean







    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post a HJT log for these drives also
    Last edited by ken545; 2009-07-06 at 11:58.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #9
    Junior Member
    Join Date
    Jul 2009
    Posts
    9

    Default

    After doing everything you said, the scans are coming up clean. I ran Malware, HJT, and Norton 360, and at this point everything looks clean. I'll post the logs just to make sure:

    HJT:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:20:56 AM, on 7/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Logitech\SetPoint\LBTWiz.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1246818593671
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 7509 bytes


    This was the first Malware log I ran in safe mode early this morning:
    Malwarebytes' Anti-Malware 1.38
    Database version: 2297
    Windows 5.1.2600 Service Pack 3

    7/6/2009 9:22:34 AM
    mbam-log-2009-07-06 (09-22-34).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|)
    Objects scanned: 207580
    Time elapsed: 20 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    This was the second one I ran in regular mode after rebooting:
    Malwarebytes' Anti-Malware 1.38
    Database version: 2297
    Windows 5.1.2600 Service Pack 3

    7/6/2009 10:04:06 AM
    mbam-log-2009-07-06 (10-04-06).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|)
    Objects scanned: 200316
    Time elapsed: 38 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    And Norton 360 shows nothing except a few tracking cookies (which it naturally deleted). I'm going to hold my breath until I get the OK from you, but it appears I might be... I don't wanna jinx it lol.

  10. #10
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Your log looks fine

    You never said how your other drives came out, where they ok?? What where they, external or second hard drives?

    I will leave this thread open for you for about a week, wait a few days and run this program, it wont fix anything but will give a nice system report.

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


    I'll be holding my breath with you
    Last edited by tashi; 2009-07-15 at 17:36. Reason: timestamp archive
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •