Defense Center Malware

[janicelg]

McAfee seems not to have any information about --or the ability to remove-- this malware and, as a long time user of Spybot, I decided to check her for help. Seem to be infected with something called, Defense Center. McAfee keeps posting that it is blocking and removing many trojans, and I get lots of popups asking me to get rid of my MSC software. Desktop now has all kinds of shortcuts to porn and executable spam files. Please help. (BTW, I did do everything you recommended in your "Before You Post" entry.)

Thanks so much, Janice

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 11:17:43.99 on Wed 07/14/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2491 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\OEM05Mon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\wscsvc32.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Logitech\SetPoint\LULnchr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Logitech\SetPoint\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LULnchr.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE
C:\Documents and Settings\Janice Gilford\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080609
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [tcjcoixx] c:\documents and settings\janice gilford\local settings\application data\haepapuvl\talqogetssd.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ECenter] "c:\dell\e-center\EULALauncher.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [OEM05Mon.exe] "c:\windows\OEM05Mon.exe"
mRun: [Kernel and Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_06\bin\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [tcjcoixx] c:\documents and settings\janice gilford\local settings\application data\haepapuvl\talqogetssd.exe
mRun: [bxnxwnyy] c:\documents and settings\janice gilford\local settings\application data\lynaqgkdp\cycitnntssd.exe
dRun: [bxnxwnyy] c:\documents and settings\janice gilford\local settings\application data\lynaqgkdp\cycitnntssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnotes\psnotes.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search - ?p=ZNxdm824YYUS
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sun.com\www
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226967206175
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.mc.vanderbilt.edu/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janice~1\applic~1\mozilla\firefox\profiles\266phpu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-9 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-9 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-9 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-9 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-9 35272]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;c:\windows\system32\drivers\OEM05Afx.sys [2008-6-9 141376]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;c:\windows\system32\drivers\OEM05Vfx.sys [2008-6-9 7424]
R3 OEM05Vid;Creative Camera OEM005 Driver;c:\windows\system32\drivers\OEM05Vid.sys [2008-6-9 235616]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-6-9 31616]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-9 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-9 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-9 40552]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2010-07-14 15:37:13 0 d-----w- c:\program files\Defense Center
2010-07-14 15:26:21 289024 ----a-w- c:\windows\exe.exe
2010-07-02 16:34:34 0 d-----w- c:\windows\Performance
2010-07-02 16:34:06 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-06-29 21:25:09 69632 ----a-w- c:\windows\Alcmtr.exe
2010-06-23 15:16:09 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-23 15:16:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-29 14:30:23 256 ----a-w- c:\documents and settings\janice gilford\pool.bin
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 11:43:25 634656 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2008-06-22 13:18:32 76 --sh--r- c:\windows\CT4CET.bin

============= FINISH: 11:19:11.15 ===============

 

[vict0r]

Hello and welcome to the the forum.

Please read the following information carefully.

IMPORTANT: Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

To make cleaning this machine easier:

• Continue to respond to this thread until I I tell you that the logs are clean!
• Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
• Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
• Please follow all instructions in the order posted.
• If you have any questions or do not understand instructions, please ask before continuing.
• Please reply to this thread. Do not start a new topic.

Please post the second DDS log in your next reply just as you did with the first log in your previous post.

 

[janicelg]

Thank you vict0r

vict0r,
I've read the instructions in your reply to my post. Will follow them precisely. Note that since I posted, I can only get into Windows via Safe Mode with Networking. If I boot up normally, I get as far as my screen background, but no programs / icons load.

Looking forward to your help with this mess.
Thanks, Janice

 

[vict0r]

Hi

I don't recommend to use the computer in safe mode with networking. Do you have access to another computer and a usb-stick/drive or empty cd's (cd burner required in the alternate computer)?


Attempt to force a desktop in normal mode:

You may want to print these instructions:

Please reboot your computer into normal mode. If you do not get a desktop, try this:
Press (Ctrl + Shift + Esc) or (Ctrl+Alt+Delete) (simultaneously!) to open Task Manager.
Click on File...then select, press New Task (Run...).
In the "Create New Task" entry box...type in explorer.exe and press Enter. Your desktop should now appear. Please continue with the instructions below. Try to start explorer.exe 2-3 times if it does not start:

Note: If you are unable to get a desktop in normal mode and you do not have access of another computer and storage, then follow the instructions below in safe mode with networking.


Download/run Rkill:

Please download Rkill from one of the following links and save it to your Desktop:

One, Two,Three Four Five Six

• Double click on Rkill.
• A command window will open then disappear upon completion, this is normal.
• A notepad window will open, please post the contents in your next reply
• This log can also be found at C:\rkill.log
• Please leave Rkill on the Desktop until otherwise advised.

Note: If your security software warns about Rkill, please ignore and allow the download to continue.


Malwarebytes' Anti-Malware:

Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to both:
  Update Malwarebytes' Anti-Malware
  Launch Malwarebytes' Anti-Malware
• Then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform Quick Scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Check all items and click Remove Selected.
  Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
• When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
• The log can also be found here:
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

DDS:

There should still be a copy of DDS in your desktop, if not download DDS by sUBs from one of the links below and save it to your desktop:

Link1
Link2 (right click -> Save link as...)

• Double-Click on the DDS icon to run the program. A command window will appear. This is normal.
• Shortly after two logs will appear:
  • DDS.txt
  • Attach.txt
• A window will open instructing you save & post the logs
• Save the logs to a convenient place such as your desktop
• Copy the contents of both logs into your next reply

Please post (one log per post):

• the rkill log
• the MBAM log
• the DDS logs
• Please describe any problems occured when following these instructions.

 

[janicelg]

rkill log July 18 2010

vict0r,
have completed all of your instructions. Thank you so much.

Here's the first log you requested (rkill):

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Janice Gilford on 07/18/2010 at 10:25:10.


Processes terminated by Rkill or while it was running:


C:\DOCUME~1\JANICE~1\LOCALS~1\Temp\MSDERUN.EXE


Rkill completed on 07/18/2010 at 10:25:17.

 

[janicelg]

MBAM log July 18 2010

vict0r,
have completed all of your instructions. Thank you so much.

Here's the second log you requested (MBAM):

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4324

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

7/18/2010 10:38:22 AM
mbam-log-2010-07-18 (10-38-22).txt

Scan type: Quick scan
Objects scanned: 142118
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 33
Registry Values Infected: 14
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 77

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9d74a457-66e0-4999-a9e7-d54242219575} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9d74a457-66e0-4999-a9e7-d54242219575} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f678d6c3-7f34-4eb4-9936-8ac133ec2e66} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f678d6c3-7f34-4eb4-9936-8ac133ec2e66} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmasiuteisevx (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defense center (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mchk (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trvplppv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\trvplppv (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Virus.Ertfor) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uiha98uiohf873yuiadnhgjesgregas (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsehf98u34i9tjioaugy987iuegdsg (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\13 (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcjcoixx (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcjcoixx (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bxnxwnyy (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Defense Center\defcnt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xzpwp.exe (Trojan.Adware) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\tbjimeljn\yfjybqqtssd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mb3dw5.dll (Virus.Ertfor) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tq1x8ht.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win16.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msrss.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kzpwp.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gzpwp.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qg6d21cxp.dll (Virus.Ertfor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\1F2.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\asd16.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\asd1FE.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\mschrt20ex.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\MSDERUN.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\PRAGMA10f3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\qoykaPJZWk.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\TliaOayuQS.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\120220724.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avp.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\avp32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dbiqws.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\h92kaxr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iexplarer.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\iexplorer.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mdm.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\mrxru.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\qgkmdut.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\taskmgr.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tipby85sf.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\uxeut.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win.exe (Trojan.Ransom) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temporary Internet Files\Content.IE5\SMUEOLXA\263-direct[1].ex (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\exe.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\about.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\activate.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\buy.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\def.db (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\defext.dll (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\defhook.dll (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\help.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\scan.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\settings.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\splash.mp3 (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\Uninstall.exe (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\update.ico (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Program Files\Defense Center\virus.mp3 (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\About.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Activate.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Buy.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Defense Center Support.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Defense Center.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Scan.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Settings.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Start Menu\Programs\Defense Center\Update.lnk (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$\apUninstall.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\$NtUninstallMTF1011$\zrpt.xml (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAsiuteisevx\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\Defense Center Support.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\Defense Center.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\spam001.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\spam003.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\troj000.exe (Malware.Trave) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Application Data\Microsoft\Internet Explorer\Quick Launch\Defense Center.LNK (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Janice Gilford\Local Settings\Application Data\Windows Server\pywfls.dll (Trojan.Agent) -> Quarantined and deleted successfully.

 

[janicelg]

DDS Logs July 18 2010

vict0r,
The DDS logs are below (one here; one attached as per the DDS pop-up instructions).

Computer never would open Windows.

Task Manager was disabled "by my administrator" (or some words very similar to that)

Ran rkill from USB drive after booting in Safe Mode (no networking).

Ran MBAM from USB drive, but wasn't able to update because I had no internet connection. So, after rebooting in Safe Mode With Networking I updated the Malwarebytes Anti-Malware.

Ran MBAM and it did request that I reboot, which I did. When the computer rebooted, it went immediately to my normal Windows start-up (even though I had pressed F8 to boot up again in Safe Mode).

Computer seems to be behaving normally.

You have been so helpful; I really appreciate your time and effort.

Am I cured??

Thanks, vict0r!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


DDS (Ver_10-03-17.01) - NTFSx86
Run by Janice Gilford at 10:42:08.34 on Sun 07/18/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2496 [GMT -5:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\OEM05Mon.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
svchost.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
J:\dds.scr
C:\WINDOWS\system32\wscript.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080609
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ECenter] "c:\dell\e-center\EULALauncher.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [OEM05Mon.exe] "c:\windows\OEM05Mon.exe"
mRun: [Kernel and Hardware Abstraction Layer] "c:\windows\KHALMNPR.EXE"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [REGSHAVE] "c:\program files\regshave\REGSHAVE.EXE" /AUTORUN
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_06\bin\jusched.exe"
mRun: [HotSync] "c:\program files\palmsource\desktop\HotSync.exe" -AllUsers
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [sta] rundll32 "kzpwp.dll",,Run
dRun: [bxnxwnyy] c:\documents and settings\janice gilford\local settings\application data\lynaqgkdp\cycitnntssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnotes\psnotes.exe
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search - ?p=ZNxdm824YYUS
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: sun.com\www
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/vwhpro/EN/install/gtdownlr.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226967206175
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn.mc.vanderbilt.edu/dana-cached/sc/JuniperSetupClient.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janice~1\applic~1\mozilla\firefox\profiles\266phpu8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.search-star.net/?sid=10101035100&s=c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-9 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-6-9 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-6-9 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-9 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-9 35272]
R3 OEM05Afx;Provides a software interface to control audio effects of OEM005 camera.;c:\windows\system32\drivers\oem05afx.sys [2008-6-9 141376]
R3 OEM05Vfx;Creative Camera OEM005 Video VFX Driver;c:\windows\system32\drivers\oem05vfx.sys [2008-6-9 7424]
R3 OEM05Vid;Creative Camera OEM005 Driver;c:\windows\system32\drivers\oem05vid.sys [2008-6-9 235616]
R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-6-9 31616]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-6-9 606736]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-9 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-9 40552]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2010-07-18 15:27:41 0 d-----w- c:\docume~1\janice~1\applic~1\Malwarebytes
2010-07-18 15:27:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-18 15:27:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-18 15:27:31 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-18 15:27:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-16 17:12:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-07-16 17:12:20 0 ----a-w- c:\windows\system32\perf73845.dat
2010-07-16 17:12:15 150 ----a-w- C:\zrpt.xml
2010-07-02 16:34:34 0 d-----w- c:\windows\Performance
2010-07-02 16:34:06 0 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2010-06-29 21:25:09 69632 ----a-w- c:\windows\Alcmtr.exe
2010-06-23 15:16:09 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-23 15:16:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

==================== Find3M ====================

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-29 14:30:23 256 ----a-w- c:\documents and settings\janice gilford\pool.bin
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2008-06-22 13:18:32 76 --sh--r- c:\windows\CT4CET.bin

============= FINISH: 10:45:23.39 ===============

 

[janicelg]

New Information

vict0r,
Two "error" messages when I just rebooted my computer.

Message #1, center of deskop screen view:

RUNDLL
Error loading kzpwp.dll
The specified module could not be found.
OK (clickable button)​

Message #2, right bottom of screen in tray:

Malicious software was removed
from your computer. Click here to complete the removal
process.
(Points to a clickable icon in tray)​

Both messages have a white "X" in a red circle that strongly resemble icons used by the Defense Center malware.

I clicked "OK" for message #1 and it went away.
I closed message #2 without taking any action at all.

Thanks so much for you help and recommendations.
Janice

 

[janicelg]

P.S. New Information

Actually, vict0r, I attempted to close the "malicious software" message, but it won't close, just immediately opens back up.
Thanks,
Janice

 

[janicelg]

Ugh! More new information

Google redirects to other search "engines" instead of going to the link that is clicked.
Thanks, Janice

 

[vict0r]

Actually, vict0r, I attempted to close the "malicious software" message, but it won't close, just immediately opens back up.

It seems to me that this may be a message from a fake Anti Virus.

Am I cured??

Unfortunately not . Since the MBAM log shows many serious infections, it is still not even clear whether cleaning can be successfully completed.


Backdoor Warning

Your computer has multiple infections, including a Backdoor.

A backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. It compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user. Typically it's installed without user interaction through security exploits, and can severely compromise system security.

These type of infections may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware.

These backdoor infections may also collect and transmit personally identifiable information, without your consent and severely degrade the performance and stability of your computer.

A backdoor infection can give intruders complete control of your computer, logs your keystrokes, obtain passwords, steal personal information, etc.

You are strongly advised to do the following:

• Disconnect the computer from the Internet and from any networked computers until it is cleaned.
• Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
• From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, any online activity you perform, requiring a username and password).
  Do NOT change your passwords from this computer as the attacker may be able to get all the new passwords and transaction records.
• Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

Due to the backdoor's functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of infection, the best course of action would be to do a reformat and re-installation of the operating system (OS). This decision will have to be made by you...

We can attempt to clean this machine but we will not guarantee that it won't still be compromised, afterwards.

To help you understand more, please take some time to read the following articles:
When should I re-format and reinstall my OS
What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
How and Where to backup your files
Restoring your backups

Please let me know how you would like to proceed.
Thanks

 

[janicelg]

Start New <<deep sigh>>

vict0r,
I guess I will have to go with the option to wipe the HD and reinstall.... :sad: This is such a nightmare. I guess I was "due" since I've had home computers since 1987, but I never click things and just can't understand how that darned stuff got in there.

I have already begun making the changes you suggested r/t banks, online accounts, etc.

I am wondering about changing info r/t to my modem, also...like the WEP key, etc. Comcast customer. That would mean, of course, reconnecting the RJ45 cable.

When I connect it up, can I safely upload all my pics to Picasa Web? And other data and music files to some alternate temp backup location or to a USB drive?

So..., please advise...again.

I am so appreciative of your help!
Janice

 

[vict0r]

I'm sorry about the delay. I will post a followup as soon as possible.

 

[janicelg]

OK + Problem

Please don't worrry about the delay, vict0r. I am just grateful for your help.

I have run into another problem: i was going to move my music, pictures, and data files to CDs or DVDs and my computer no longer can access my CD drive (D. I rebooted several times, but each time I try to access that drive, I get an error message that says it's inaccessible. Now, I am not sure where to move those files.

Would be be ok to run Picasa on that computer to upload my pics to Picasa Web?

Would it be ok to run iTunes and sync my iPod one last time to retrieve all of my music?

Thanks so much, again and again, Janice

 

[vict0r]

Hi.

You don't need to click stuff to get your computer infected. Unfortunately it's enough to visit a website with malicious code taking advantage of a newly discovered security exploit.

Do you need any help with the reinstall?

I am wondering about changing info r/t to my modem, also...like the WEP key, etc. Comcast customer. That would mean, of course, reconnecting the RJ45 cable.

This is a good idea. WPA2-PSK offers the best level of security, but you might need to use WPA-AES for compatibility reasons. Make sure you use a secure password/passphrase. The old WEP encryption system is not secure.

When I connect it up, can I safely upload all my pics to Picasa Web? And other data and music files to some alternate temp backup location or to a USB drive?

In this case backups of pictures, data and music can be done as you describe. You can run rkill as previously described to stop the fake anti virus installed on your computer. This might make it easier to perform the backups. If you still can't access the cd-burner, I'll be happy to suggest some troubleshooting of the problem.


I'd be grateful if you could reply to this post so that I know you have read it and, if you have no further questions, the thread can then be closed.

There are a couple of things you should do immediately after installing Windows and before surfing the net:


Security Updates for Windows, Internet Explorer & Microsoft Office

Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. You need to visit the Microsoft Update site repeatedly and perform the update until no further important updates are offered. This will make sure all the updates released since your computer was delivered is installed.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

Make sure automatic updates for Windows XP is enabled to keep your system updated (get the latest patches from Microsoft to fix bugs and security holes):

• Go to Start > Control Panel > Automatic Updates and select one of these options:
  1. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  2. Select Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  3. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Install and update an Anti Virus

New viruses come out every minute, so it is essential that you have the latest signatures for your anti virus program to provide you with the best possible protection from malicious software.

NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Here are a few FREE alternatives if you have not paid for a product:

• Avira AntiVir Personal- Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.
• avast! Free Antivirus - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
• Microsoft Security Essentials - Microsoft's free Anti Virus program

Secure your computer further:

Consider using the following programs to secure your computer further:

• Hosts File
  Please use the following for the added protection: MVPS Hosts, you will find more information regarding hosts files there. A simple explanation of what a Hosts file does is here (includes a description on how to use HostsXpert to easily download and manage your hosts file).
  
  
• Malwarebytes Anti-Malware
  Download from here. Update and perform a quick scan 1-2 times a week.
  
  
• WinPatrol
  As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

It is ABSOLUTELY ESSENTIAL to keep Windows and all of your security programs up to date.


Read these articles to learn more about how to protect yourself while on the internet:

• So how did I get infected in the first place? by Tony Klein.
• Miekies' prevention suggestions

 

[janicelg]

Plan of Action

vict0r,
Here is my plan:

1. Run rkill again
2. Reconnect computer to modem
3. Offload pics to Picasa Web
4. Disconnect from modem
5. Offload music and data files to cds/dvds if I can access my cd drive.

Do you have suggestions for how I can gain access to the cd drive, if rkill doesn't take care of that? Remember, I can't use Task Manager because I have been locked out of it by the very mean viruses.

Your post lists MVPS, Malwarebytes, and WinPatrol. Do you recommend running all three of these programs? I am running Spybot and Malwarebytes now, on both of my computers.)

Once those steps are completed, I'll wipe and reload the OS. I think I can do that without problems.

Again, my thanks, vict0r. I couldn't have managed all of this without your help.
Janice

 

[vict0r]

Hi, that seems to be a good plan.

You might want to change the password for Picasa from a clean computer after the upload.

If the drive does not work after you have run rkill, then first check devicemanager (Start -> Run > devmgmt.msc) if it reports any problems with the device driver for the drive (there should not be a yellow exclamation mark by the device). You might want to reinstall the driver and possibly run Fixpolicies (see below) to access the devicemanager.

If there is no problem with the driver, then you can try this excellent and free software which is good at detecting devices: http://infrarecorder.org/. Please verify that your backups are good before you wipe the drive.

Try this to temporarily fix taskmanager:

Please Download FixPolicies.exe, a self-extracting ZIP archive from Here and Save it to your Desktop.

• Double-click FixPolicies.exe.
• Click the "Install" button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies.exe.
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
• A black box should briefly appear and then close. This should enable the taskmanager, at least until the malware infection resets the registry policy keys again. You can run this as many times as you like. A permanent fix requires removing the infection.

If you could not get the drive to work previously, then please try again after running Fixpolicies.

It is possible we need to remove the interfering infection to get the drive to work or you might have to use a usb storage to backup your files (flash drive or external hard drive).

Your post lists MVPS, Malwarebytes, and WinPatrol. Do you recommend running all three of these programs? I am running Spybot and Malwarebytes now, on both of my computers.)

You can run all three, however do not run Winpatrol if you use Teatimer (part of Spybot Search&Destroy). Winpatrol, the paid version of MBAM and likely any other realtime anti malware solutions will conflict with Teatimer.

 

[janicelg]

Will do

vict0r, I'll try all of that. If any problems, I'll repost. Would I start a new thread or continue with this one?

I'll see if I can get to that today, but after today, I'm going to be away from my computer for a week. I need to get this mess out of my mind for a bit.
Thanks, Janice

 

[vict0r]

Hi

Thanks for letting me know.

Threads are normally closed after 4 days of inactivity and you might have to start a new thread if you do not post within the limit.

 

[janicelg]

Ready to Wipe and (Re)Install OS

I think I am set, vict0r.

Thanks to infrarecorder.org, I was able of offload everything. What a great tool! Without it, I couldn't access my cd/dvd drive, even with your other suggestions.

I am ready to begin the wipe and (clean) OS installation of the original Win XP, but will upgrade immediately to Win 7 to match my laptop. (Nuisance to do it that way, but it's cheaper to do it that way than to purchase the full Win 7 installation pkg.) Once I have done that, I'll deal with Comcast and resetting or changing my SSID / WEP information.

Then, of course, add all the antivirus and malware protection.

Then, install the programs I use and need.

Does that order sound about right?

Once again, dear vict0r, THANKS!!!
Janice:thanks: