Tasker exe Trojan virus issue

Luebs

Hello,
Tasker exe Trojan virus that was not removed by Anti-malware

I still have a tasker exe Trojan virus. Anti-Malware did not remove it.

Any help would be greatly appreciated.

Thank you


Luebs





DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by John Luebbers at 13:48:38 on 2011-10-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1305 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JOHNLU~1\LOCALS~1\Temp\acd\tasker.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292535005390
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{44C4E563-24F1-41FA-A1A3-B9EC8A50ECD2} : DhcpNameServer = 209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-17 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-17 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-17 66616]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2010-12-16 26958]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-7-27 14336]
.
=============== Created Last 30 ================
.
2011-10-01 21:14:40 452418 ----a-w- c:\documents and settings\john luebbers\application data\4.exe
2011-10-01 21:02:45 452418 ----a-w- c:\documents and settings\john luebbers\application data\1.exe
2011-10-01 20:56:43 452418 ----a-w- c:\documents and settings\john luebbers\application data\2.exe
2011-10-01 17:55:05 245760 ----a-w- c:\documents and settings\john luebbers\application data\C.tmp
2011-10-01 17:55:02 452418 ----a-w- c:\documents and settings\john luebbers\application data\B.exe
2011-10-01 17:07:36 -------- d-----w- c:\windows\system32\Win64
2011-09-26 22:48:49 -------- d-----w- c:\program files\iPod
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-05 22:37:00 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-07-05 22:37:00 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-07-05 20:05:36 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
.
============= FINISH: 13:50:02.51 ===============
 
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post the appropriate logs in the Malware Removal forum and wait for help.
Hi and welcome back to Safer Networking. :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your Malware issues; this may, or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

Out of date Adobe and Java installations pose a security risk. They can be used by malware as a means to infect a computer and or re-infect. We will update both in due course.

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Adobe Reader X
Java(TM) 6 Update 23


To do so, click once on each of the above in turn to highlight and then click on the Remove button.

Reset SP3 Firewall:

Click on Start >> Run... and cut/paste in the following and click on OK
Code:
firewall.cpl
Click on the Advanced tab >> Restore Defaults >> At the prompt click on Yes >> OK

Now click on the General tab >> select On(recommended) >> OK.

Scan With RKUnHooker:

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
  • Copy the entire contents of the report and paste it in a reply here.
Note: You may get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • RKUnHooker Log.
  • A new DDS Log.
 
Hi Dakeyras,

Thank you so much for taking the time to assist me with my issues.
When I try to paste or try to attach the Rootkit log it says it is too big. Any thoughts? I have the DDS log below.


Let me know what you think.

Thanks again!

Luebs



DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by John Luebbers at 17:11:27 on 2011-10-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1306 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292535005390
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{44C4E563-24F1-41FA-A1A3-B9EC8A50ECD2} : DhcpNameServer = 209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-17 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-17 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-17 66616]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2010-12-16 26958]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-7-27 14336]
.
=============== Created Last 30 ================
.
2011-10-05 20:39:49 249856 ----a-w- c:\documents and settings\john luebbers\application data\1.tmp
2011-10-03 19:39:33 253952 ----a-w- c:\documents and settings\john luebbers\application data\D.tmp
2011-10-01 21:14:40 452418 ----a-w- c:\documents and settings\john luebbers\application data\4.exe
2011-10-01 21:02:45 452418 ----a-w- c:\documents and settings\john luebbers\application data\1.exe
2011-10-01 20:56:43 452428 ----a-w- c:\documents and settings\john luebbers\application data\2.exe
2011-10-01 17:55:05 245760 ----a-w- c:\documents and settings\john luebbers\application data\C.tmp
2011-10-01 17:55:02 452418 ----a-w- c:\documents and settings\john luebbers\application data\B.exe
2011-10-01 17:07:36 -------- d-----w- c:\windows\system32\Win64
2011-09-26 22:48:49 -------- d-----w- c:\program files\iPod
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 17:12:44.79 ===============
 
Dakeyras,

My computer is working much much slower now.
I also keep getting the attached message

Thanks

Luebs
 
Hi. :)

Thank you so much for taking the time to assist me with my issues.
You're welcome!

When I try to paste or try to attach the Rootkit log it says it is too big.
Have you tried sending the log to a Zip file? If not, please do so and then check if it is small enough to attach, thank you.

My computer is working much much slower now.
I also keep getting the attached message
OK and thanks for the update.

Scan with RogueKiller:

Please download RogueKiller to your desktop

Alternate download is here.

  • Quit all running programs
  • Double-click on RogueKiller.exe to start the application.
  • When prompted, type 1 and then Enter.
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next reply.
 
Greetings Dakeyras,

I did try to zip and the file was still too big. :sad:

Any thoughts?

Here are the RogueKiller results.

Thanks again. Hope you are having a good day!

Luebs

RogueKiller V6.1.1 [09/28/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: John Luebbers [Admin rights]
Mode: Scan -- Date : 10/06/2011 14:35:54

Bad processes: 0

Registry Entries: 1
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

Particular Files / Folders:

Driver: [LOADED]
S_SSDT[552] : Unknown -> HOOKED (Unknown @ 0xBA7AA2A5)
S_SSDT[549] : Unknown -> HOOKED (Unknown @ 0xBA7AA2A0)

HOSTS File:
ÿþ1

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
 
Hi. :)

I did try to zip and the file was still too big. :sad:

Any thoughts?
Maybe you did not quite run the scan as I outlined, by genuine mistake, and/or it is just one of those things and the log is just very large (it happens upon occasion). OK, as it stands it is not a problem, as I have enough information from the RogueKiller scan.

Thanks again. Hope you are having a good day!
You're welcome and indeed I am thank you!

Download/Run ComboFix:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.

Note: If ComboFix detects Rootkit activity and asks to reboot the system, please allow this to be done... If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart (reboot) the computer immediately.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix Should Not be used unless requested by a forum helper.


When you have completed the above, please post back the following in the order asked for:
  • How is your computer performing now, any other symptoms and or problems encountered?
  • ComboFix Log.
  • A new DDS Log.
 
Hello Dakeyras

Hope you are having a good weekend!

The computer is working faster but I am getting an error when I start up. I attached an error attachment along with a message when I ran Combofix.

Combofix log is attached along with a new DDS.

Thanks again for all your help

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by John Luebbers at 19:23:38 on 2011-10-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1336 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292535005390
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{44C4E563-24F1-41FA-A1A3-B9EC8A50ECD2} : DhcpNameServer = 209.18.47.61 209.18.47.62
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-17 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-17 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-17 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-17 66616]
S3 DSB650TX;D-Link DSB-650TX USB 10/100 Ethernet Adapter;c:\windows\system32\drivers\DSB650TX.sys [2010-12-16 26958]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 TrueSight;TrueSight;c:\documents and settings\john luebbers\desktop\TrueSight.sys [2011-10-6 111104]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2007-7-27 14336]
.
=============== Created Last 30 ================
.
2011-10-08 23:09:36 17639 ----a-w- c:\documents and settings\john luebbers\application data\13.exe
2011-09-26 22:48:49 -------- d-----w- c:\program files\iPod
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-09-26 22:42:15 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
============= FINISH: 19:24:48.73 ===============
 
Hi. :)

Hope you are having a good weekend!
Fine thank you and likewise!

I am getting an error when I start up. I attached an error attachment along with a message when I ran ComboFix
OK, we should be able to deal with the first error, but unfortunately I am unable to fully view the second. So what we will do is scan your machine with a different application so I can better ascertain what is going on now, before doing anything further, as follows...

Scan with OTL:

Please download OTL and save it to your Desktop.

Alternate downloads are here and here.
  • Double-click on OTL.exe to start OTL.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.
When completed the above, please post back the following in the order asked for:
  • How is your computer performing now, any further symptoms and or problems encountered?
  • Both OTL logs. <-- Post them individually please, IE: one Log per post/reply.
 
Hello Dakeyras

I have not used this computer since our last communication until now running OTL. I will check it out after my posts

Here is OTL

Thank You!

Luebs
 
Hi. :)

Thanks again for all your support!
You're welcome! In future no need to attach any logs I request unless I specify otherwise. Just post them please, thank you.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

Click on Start >> Run... (or the Windows key and R together) to bring up the Run box and copy and paste in:
Code:
"C:\Program Files\ERUNT\ERUNT.EXE" %SystemRoot%\ERDNT\OTL-backup
and click on OK.

Custom OTL Script:
  • Double-click OTL.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:OTL
IE - HKU\S-1-5-21-1993962763-1715567821-839522115-1003\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O4 - Startup: C:\Documents and Settings\John Luebbers\Start Menu\Programs\Startup\wt4.exe ()
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2 C:\Documents and Settings\John Luebbers\Application Data\*.tmp files -> C:\Documents and Settings\John Luebbers\Application Data\*.tmp -> ]
[2011/10/10 15:23:14 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\2.exe
[2011/10/09 16:14:58 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\4.exe
[2011/10/08 21:16:43 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\22.exe
[2011/10/08 21:13:42 | 000,017,639 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\1F.exe
[2011/10/08 19:09:36 | 000,017,639 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\13.exe
[2011/10/06 14:38:31 | 000,111,104 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Desktop\TrueSight.sys
[2011/10/05 17:47:10 | 000,058,665 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Desktop\Maleware.zip
[2011/10/05 17:45:23 | 000,599,867 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Desktop\Maleware.rtf
[2011/10/05 17:42:47 | 000,050,688 | ---- | M] () -- C:\Documents and Settings\John Luebbers\My Documents\Maleware.wps

:Files 
ipconfig /flushdns /c 
%systemroot%\prefetch\*.* 
C:\Documents and Settings\John Luebbers\Local Settings\temp\acd

:Commands
[Purity]
[ResetHosts]
[EmptyTemp]
[CreateRestorePoint]
[Reboot]
  • Return to OTL, right-click in the Custom Scans/Fixes window (under the cyan bar) and choose Paste.
  • Then click the red Run Fix button.
  • Let the program run unhindered.
  • If OTL asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
Note: The logfile can also be located C: >> _OTL >> MovedFiles >> DD/DD/DD TT/TT.txt <-- denotes date/time log created.

Malwarebytes Anti-Malware:

  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • OTL Log from the Custom Script.
  • Malwarebytes Anti-Malware Log.
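The file entries in the OTL script above show a drop pattern worth recognising on its own: executables named with one or two hex digits (2.exe, 4.exe, 22.exe, 1F.exe, 13.exe) written straight into the profile's Application Data folder, in two clusters of identical size (448,171 and 17,639 bytes), which is what repeated drops of the same payload under fresh names look like. The following is an added example, not part of this thread, of OTL or of Malwarebytes: a small Python triage script that parses OTL-style file lines and flags entries matching that pattern. The sample lines are copied from the script above; the regular expression for OTL's `[date | size | attrs | M] (company) -- path` layout and the list of drop folders are assumptions based on the log formats visible in this thread.

```python
"""Triage helper for OTL file listings.

Flags the drop pattern seen in this thread: hex-named executables written directly
into a per-user folder, and several executables of identical size (the same payload
dropped repeatedly under different names). Added example; not OTL or MBAM code.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Sample input copied from the OTL fix script earlier in the thread.
SAMPLE_OTL_LINES = r"""
[2011/10/10 15:23:14 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\2.exe
[2011/10/09 16:14:58 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\4.exe
[2011/10/08 21:16:43 | 000,448,171 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\22.exe
[2011/10/08 21:13:42 | 000,017,639 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\1F.exe
[2011/10/08 19:09:36 | 000,017,639 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Application Data\13.exe
[2011/10/06 14:38:31 | 000,111,104 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Desktop\TrueSight.sys
[2011/10/05 17:47:10 | 000,058,665 | ---- | M] () -- C:\Documents and Settings\John Luebbers\Desktop\Maleware.zip
""".strip().splitlines()

# OTL file entry layout (assumption inferred from the log): [date time | size | attrs | M/C] (company) -- path
OTL_FILE_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# One or two hex digits followed by .exe, e.g. 2.exe, 1F.exe, 22.exe
SHORT_HEX_EXE = re.compile(r"^[0-9a-f]{1,2}\.exe$", re.IGNORECASE)

# Per-user folders a dropper writes to (assumption: folder names as in an XP profile)
DROP_PARENTS = {"application data", "temp", "startup"}


class Entry(NamedTuple):
    timestamp: str
    size: int
    attrs: str
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def parent(self) -> str:
        parts = self.path.split("\\")
        return parts[-2].lower() if len(parts) >= 2 else ""


def parse_otl(lines) -> List[Entry]:
    """Return the file entries in an OTL listing; O2/O4/O16 and registry lines are skipped."""
    entries = []
    for line in lines:
        m = OTL_FILE_LINE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            timestamp=f"{m['date']} {m['time']}",
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            company=m["company"],
            path=m["path"],
        ))
    return entries


def flag_suspects(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each suspicious path to the list of reasons it was flagged."""
    reasons: Dict[str, List[str]] = defaultdict(list)

    # Rule 1: hex-named executable sitting directly in a drop folder
    for e in entries:
        if SHORT_HEX_EXE.match(e.name) and e.parent in DROP_PARENTS:
            reasons[e.path].append(f"hex-named executable dropped directly into {e.parent}")

    # Rule 2: several executables with exactly the same size (same payload, new names)
    by_size: Dict[int, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.name.lower().endswith(".exe"):
            by_size[e.size].append(e)
    for size, group in by_size.items():
        if len(group) > 1:
            names = ", ".join(sorted(g.name for g in group))
            for e in group:
                reasons[e.path].append(f"size {size} shared by {len(group)} executables ({names})")

    return dict(reasons)


if __name__ == "__main__":
    for path, why in flag_suspects(parse_otl(SAMPLE_OTL_LINES)).items():
        print(path)
        for r in why:
            print("   -", r)
```

Run against the sample, the five hex-named executables are flagged on both rules, while TrueSight.sys and the .zip on the Desktop are left alone. The same two rules also match the files MBAM went on to quarantine later in this thread (1.exe, 5.exe, 16.exe and so on in the same folder), which is the point of writing the heuristic down rather than eyeballing one log.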
 
Dakeyras

Computer seems to be working better




All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1993962763-1715567821-839522115-1003\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk moved successfully.
C:\Program Files\ERUNT\AUTOBACK.EXE moved successfully.
C:\Documents and Settings\John Luebbers\Start Menu\Programs\Startup\wt4.exe moved successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Documents and Settings\John Luebbers\Application Data\1.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\17.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\3.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\33.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\7.tmp deleted successfully.
C:\Documents and Settings\John Luebbers\Application Data\2.exe moved successfully.
C:\Documents and Settings\John Luebbers\Application Data\4.exe moved successfully.
C:\Documents and Settings\John Luebbers\Application Data\22.exe moved successfully.
C:\Documents and Settings\John Luebbers\Application Data\1F.exe moved successfully.
C:\Documents and Settings\John Luebbers\Application Data\13.exe moved successfully.
C:\Documents and Settings\John Luebbers\Desktop\TrueSight.sys moved successfully.
C:\Documents and Settings\John Luebbers\Desktop\Maleware.zip moved successfully.
C:\Documents and Settings\John Luebbers\Desktop\Maleware.rtf moved successfully.
C:\Documents and Settings\John Luebbers\My Documents\Maleware.wps moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\John Luebbers\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\John Luebbers\Desktop\cmd.txt deleted successfully.
C:\WINDOWS\prefetch\2.EXE-02345D5E.pf moved successfully.
C:\WINDOWS\prefetch\3.EXE-04039925.pf moved successfully.
C:\WINDOWS\prefetch\4.EXE-35C7F51B.pf moved successfully.
C:\WINDOWS\prefetch\5.EXE-1936E897.pf moved successfully.
C:\WINDOWS\prefetch\A5053DA8.EXE-32474650.pf moved successfully.
C:\WINDOWS\prefetch\ALG.EXE-0F138680.pf moved successfully.
C:\WINDOWS\prefetch\ATTRIB.3XE-09E9D153.pf moved successfully.
C:\WINDOWS\prefetch\ATTRIB.3XE-10E166FB.pf moved successfully.
C:\WINDOWS\prefetch\ATTRIB.EXE-39EAFB02.pf moved successfully.
C:\WINDOWS\prefetch\AUTOBACK.EXE-14D36A86.pf moved successfully.
C:\WINDOWS\prefetch\AVNOTIFY.EXE-05ED5FD8.pf moved successfully.
C:\WINDOWS\prefetch\AVSCAN.EXE-07FC469C.pf moved successfully.
C:\WINDOWS\prefetch\AVWSC.EXE-0283F9DD.pf moved successfully.
C:\WINDOWS\prefetch\CCLEANER.EXE-0BCE437C.pf moved successfully.
C:\WINDOWS\prefetch\CF30874.3XE-08A56C19.pf moved successfully.
C:\WINDOWS\prefetch\CHCP.COM-18156052.pf moved successfully.
C:\WINDOWS\prefetch\CMD.3XE-32EEC145.pf moved successfully.
C:\WINDOWS\prefetch\CMD.EXE-087B4001.pf moved successfully.
C:\WINDOWS\prefetch\COMBOFIX-DOWNLOAD.3XE-28648E1C.pf moved successfully.
C:\WINDOWS\prefetch\COMBOFIX.EXE-039C43A3.pf moved successfully.
C:\WINDOWS\prefetch\CSCRIPT.3XE-1AD11928.pf moved successfully.
C:\WINDOWS\prefetch\CSCRIPT.EXE-1C26180C.pf moved successfully.
C:\WINDOWS\prefetch\DDS[1].SCR-07CCB91D.pf moved successfully.
C:\WINDOWS\prefetch\DDS[1].SCR-3A2C7FD2.pf moved successfully.
C:\WINDOWS\prefetch\DEFRAG.EXE-273F131E.pf moved successfully.
C:\WINDOWS\prefetch\DFRGNTFS.EXE-269967DF.pf moved successfully.
C:\WINDOWS\prefetch\DUMPREP.EXE-1B46F901.pf moved successfully.
C:\WINDOWS\prefetch\DWWIN.EXE-30875ADC.pf moved successfully.
C:\WINDOWS\prefetch\E26AFD46.EXE-26BB194F.pf moved successfully.
C:\WINDOWS\prefetch\EMHOHS.EXE-2C1D521A.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT-SETUP.EXE-1D13226E.pf moved successfully.
C:\WINDOWS\prefetch\ERUNT.EXE-10F447C7.pf moved successfully.
C:\WINDOWS\prefetch\FIND.EXE-0EC32F1E.pf moved successfully.
C:\WINDOWS\prefetch\FINDSTR.EXE-0CA6274B.pf moved successfully.
C:\WINDOWS\prefetch\FLASHUTIL10R_ACTIVEX.EXE-1A2E5C1D.pf moved successfully.
C:\WINDOWS\prefetch\FXSSVC.EXE-3B8F7819.pf moved successfully.
C:\WINDOWS\prefetch\GREP.3XE-0FD7DFD4.pf moved successfully.
C:\WINDOWS\prefetch\GREP.3XE-254D6273.pf moved successfully.
C:\WINDOWS\prefetch\GSAR.3XE-1971B17C.pf moved successfully.
C:\WINDOWS\prefetch\GUARDGUI.EXE-00ECD849.pf moved successfully.
C:\WINDOWS\prefetch\HANDLE.3XE-10DA2EFC.pf moved successfully.
C:\WINDOWS\prefetch\HELPSVC.EXE-2878DDA2.pf moved successfully.
C:\WINDOWS\prefetch\HIDEC.3XE-111262DC.pf moved successfully.
C:\WINDOWS\prefetch\HIDEC.3XE-2D8618DD.pf moved successfully.
C:\WINDOWS\prefetch\HSBCA.EXE-19EC324E.pf moved successfully.
C:\WINDOWS\prefetch\ICRDCLL.EXE-23A46A26.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-0A31FE70.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-12915967.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-12BBAE74.pf moved successfully.
C:\WINDOWS\prefetch\IEXPLORE.EXE-27122324.pf moved successfully.
C:\WINDOWS\prefetch\IFRMEWRK.EXE-32B41199.pf moved successfully.
C:\WINDOWS\prefetch\IMAPI.EXE-0BF740A4.pf moved successfully.
C:\WINDOWS\prefetch\IPODSERVICE.EXE-3192DE38.pf moved successfully.
C:\WINDOWS\prefetch\IS-7G466.TMP-396AE5E3.pf moved successfully.
C:\WINDOWS\prefetch\IWRAP.EXE-082C3803.pf moved successfully.
C:\WINDOWS\prefetch\JAUREG.EXE-009F59AE.pf moved successfully.
C:\WINDOWS\prefetch\JAVAW.EXE-2DC32ABC.pf moved successfully.
C:\WINDOWS\prefetch\JQS.EXE-1D781F77.pf moved successfully.
C:\WINDOWS\prefetch\Layout.ini moved successfully.
C:\WINDOWS\prefetch\LOGONUI.EXE-0AF22957.pf moved successfully.
C:\WINDOWS\prefetch\MBAM.EXE-0BEE0439.pf moved successfully.
C:\WINDOWS\prefetch\MBR.DAT-037D4AC1.pf moved successfully.
C:\WINDOWS\prefetch\MBR.DAT-35800A8F.pf moved successfully.
C:\WINDOWS\prefetch\MSI21.TMP-2C01F87B.pf moved successfully.
C:\WINDOWS\prefetch\MSIEXEC.EXE-2F8A8CAE.pf moved successfully.
C:\WINDOWS\prefetch\MSIMN.EXE-38BA891D.pf moved successfully.
C:\WINDOWS\prefetch\MSOHELP.EXE-1D219C01.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMD.3XE-0A841DB5.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMD.3XE-117BB35D.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMDB.EXE-137B12EA.pf moved successfully.
C:\WINDOWS\prefetch\NIRCMDC.3XE-03B38F81.pf moved successfully.
C:\WINDOWS\prefetch\NOTEPAD.EXE-336351A9.pf moved successfully.
C:\WINDOWS\prefetch\NS9.TMP-2A89F400.pf moved successfully.
C:\WINDOWS\prefetch\NTOSBOOT-B00DFAAD.pf moved successfully.
C:\WINDOWS\prefetch\PEV.3XE-21FD478C.pf moved successfully.
C:\WINDOWS\prefetch\PEV.3XE-358EBDB6.pf moved successfully.
C:\WINDOWS\prefetch\PEV.DAT-1E96AF6F.pf moved successfully.
C:\WINDOWS\prefetch\PEV.DAT-3830FCB5.pf moved successfully.
C:\WINDOWS\prefetch\PEV.EXE-0806C34B.pf moved successfully.
C:\WINDOWS\prefetch\PEV.EXE-0CE2BF4A.pf moved successfully.
C:\WINDOWS\prefetch\PING.3XE-3020DEAF.pf moved successfully.
C:\WINDOWS\prefetch\PING.EXE-31216D26.pf moved successfully.
C:\WINDOWS\prefetch\POWERPNT.EXE-2F940E7E.pf moved successfully.
C:\WINDOWS\prefetch\PV.3XE-1C242CC7.pf moved successfully.
C:\WINDOWS\prefetch\QTTASK.EXE-342507FB.pf moved successfully.
C:\WINDOWS\prefetch\REGSVR32.EXE-25EEFE2F.pf moved successfully.
C:\WINDOWS\prefetch\RKUNHOOKERLE.EXE-0BD47249.pf moved successfully.
C:\WINDOWS\prefetch\RMBR.3XE-3AAE61A2.pf moved successfully.
C:\WINDOWS\prefetch\ROGUEKILLER.EXE-118CA665.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-1857459C.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-27538162.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-298E60C3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2CD85FD3.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-2EC34910.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-31610E45.pf moved successfully.
C:\WINDOWS\prefetch\RUNDLL32.EXE-483E13BB.pf moved successfully.
C:\WINDOWS\prefetch\SEARCHFILTERHOST.EXE-148579FB.pf moved successfully.
C:\WINDOWS\prefetch\SEARCHPROTOCOLHOST.EXE-34E0253A.pf moved successfully.
C:\WINDOWS\prefetch\SED.3XE-35CB81F4.pf moved successfully.
C:\WINDOWS\prefetch\SED.3XE-370DAEC3.pf moved successfully.
C:\WINDOWS\prefetch\SED.DAT-126AF303.pf moved successfully.
C:\WINDOWS\prefetch\SED.DAT-1F97CCCB.pf moved successfully.
C:\WINDOWS\prefetch\SKYPE.EXE-30AE1A60.pf moved successfully.
C:\WINDOWS\prefetch\SORT.EXE-194AE83C.pf moved successfully.
C:\WINDOWS\prefetch\SVCHOST.EXE-3530F672.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.3XE-20CC4D60.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.3XE-2965A2D9.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.DAT-138F6A32.pf moved successfully.
C:\WINDOWS\prefetch\SWREG.DAT-1DFF5C49.pf moved successfully.
C:\WINDOWS\prefetch\SWSC.3XE-3AE13307.pf moved successfully.
C:\WINDOWS\prefetch\SWXCACLS.3XE-2D6ED659.pf moved successfully.
C:\WINDOWS\prefetch\SWXCACLS.3XE-392ED218.pf moved successfully.
C:\WINDOWS\prefetch\TASKED.EXE-325235E6.pf moved successfully.
C:\WINDOWS\prefetch\TASKKILL.EXE-0A8306E3.pf moved successfully.
C:\WINDOWS\prefetch\UNSECAPP.EXE-1A95A33B.pf moved successfully.
C:\WINDOWS\prefetch\UPDATE.EXE-2577D203.pf moved successfully.
C:\WINDOWS\prefetch\VERCLSID.EXE-3667BD89.pf moved successfully.
C:\WINDOWS\prefetch\WINWORD.EXE-37F6AE09.pf moved successfully.
C:\WINDOWS\prefetch\WKCALREM.EXE-23DFAF4B.pf moved successfully.
C:\WINDOWS\prefetch\WKDSTORE.EXE-397D96EA.pf moved successfully.
C:\WINDOWS\prefetch\WKGDCACH.EXE-09BEAA63.pf moved successfully.
C:\WINDOWS\prefetch\WKSCAL.EXE-10AB18FB.pf moved successfully.
C:\WINDOWS\prefetch\WKSWP.EXE-25E36596.pf moved successfully.
C:\WINDOWS\prefetch\WMIPRVSE.EXE-28F301A9.pf moved successfully.
C:\WINDOWS\prefetch\WMPLAYER.EXE-18DDEFA3.pf moved successfully.
C:\WINDOWS\prefetch\WORDPAD.EXE-24533991.pf moved successfully.
C:\WINDOWS\prefetch\WSCNTFY.EXE-1B24F5EB.pf moved successfully.
C:\WINDOWS\prefetch\WT4.EXE-0823C0E4.pf moved successfully.
C:\WINDOWS\prefetch\WUAUCLT.EXE-399A8E72.pf moved successfully.
C:\WINDOWS\prefetch\WUT3.EXE-2089B8A0.pf moved successfully.
C:\Documents and Settings\John Luebbers\Local Settings\temp\acd folder moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: John Luebbers
->Temp folder emptied: 778703 bytes
->Temporary Internet Files folder emptied: 5500462 bytes
->Java cache emptied: 12846 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 503 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 6.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.29.1 log created on 10122011_164440

Files\Folders moved on Reboot...
C:\Documents and Settings\John Luebbers\Local Settings\Temporary Internet Files\Content.IE5\8RU3S2P0\showthread[2].htm moved successfully.
C:\Documents and Settings\John Luebbers\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7905

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/12/2011 5:00:09 PM
mbam-log-2011-10-12 (17-00-09).txt

Scan type: Quick scan
Objects scanned: 176761
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\john luebbers\application data\16.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\18.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\34.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\1.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\5.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\8.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\john luebbers\application data\9.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
 
Hi. :)

Computer seems to be working better
Good...

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here to run the scan...Click on: Scan Now
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
    EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  1. Scan for potentially unwanted applications
  2. Scan for potentially unsafe applications
  3. Enable Anti-Stealth Technology
  • Now click on:
    EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
    EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
 
Dakeyras

I keep getting


"Internet Explorer cannot display the webpage" when I click on "Please go here to run the scan...Click on: Scan Now"

Tried googling ESET Online Scanner: got same thing from other sites. :( Got another Avira Antivir pop up of virus again too.

Thanks

Luebs
 
Hi. :)

"Internet Explorer cannot display the webpage" when I click on
OK we will check this out shortly...

Got another Avira Antivir pop up of virus again too
Could you inform myself exactly what is being detected please.

Scan with aswMBR:

Please download aswMBR.exe to your desktop.

  • Double-click the aswMBR.exe to run it
  • When prompted with The application can use the Avast! Free Antivirus for scanning >> select No
  • Now click on the Scan button to start scan
  • On completion of the scan click Save Log, save it to your desktop and post the contents in your next reply
Note: There will also be a file on your desktop named MBR.dat (or similar). Do not delete this for now; it is an actual backup of the MBR (master boot record).
 
Dakeyras

Ok now this is too weird. I get the same

"Internet Explorer cannot display the webpage" when I click on the aswMBR link.

If I google it and then try link I get same message. I can link and google link to other sites. Never seen anything like this.

Thoughts


Here is what the Avira says
A virus or unwanted program 'TRDrop.Softomat.AN' was found in file 'C:\System Volume Information\...\A0183915.exe'. Access to file was denied.
 
Hi. :)

Here is what the Avira says
A virus or unwanted program 'TRDrop.Softomat.AN' was found in file 'C:\System Volume Information\...\A0183915.exe'. Access to file was denied.
Not a cause for concern; that merely denotes an infected System Restore point, which, though actually infected, can in theory still be used. Anyway, once we have your machine malware free we will be flushing all old System Restore points and creating a new clean one etc...

Ok now this is too weird. I get the same

"Internet Explorer cannot display the webpage" when I click on the aswMBR link.

If I google it and then try link I get same message. I can link and google link to other sites. Never seen anything like this.

Thoughts
Indeed it is, as there is no apparent reason why, but I am wondering if the fact we have flushed your machine's DNS (domain name server) cache may account for such...

Though possibly malware is still the culprit, and or a knock-on effect due to prior infections. So please carry out the following, then try the ESET online scan again, thank you.

Reset IE8:
  • Please download this Microsoft FixIt and save it to the desktop.
  • Double click on MicrosoftFixit50195.exe select I Agree and click on Next.
  • Follow the on-screen prompts.
  • You may delete MicrosoftFixit50195.exe when finished and or keep it if any problems in the future with IE8.
  • Next time IE8 is launched you will be prompted to reapply settings again, this is normal.
Note: Any add-ons will require to be reapplied after the above reset.
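The fix script earlier in this thread reset the hosts file (`[ResetHosts]`), and the symptom being chased here, security vendor pages failing to load while other sites work, is one that a hosts-file rewrite can produce, so it is worth being able to check that file quickly and properly. The thread itself does not establish what is blocking the downloads, so what follows is an added example, not part of the thread or of any tool used in it: a Python checker that parses hosts-file text and reports every mapping a clean Windows XP hosts file would not contain. The sample hosts content is constructed, including the long run of blank lines that droppers sometimes use to push their entries below the visible part of the file, and the list of watched vendor domains is an assumption chosen for illustration.

```python
"""Hosts-file sanity check for the "only security sites fail to load" symptom.

Parses hosts text, ignores comments, and reports every mapping other than the
default loopback entries. Added example; not part of OTL, ERUNT or MBAM.
"""
import ipaddress
from typing import Iterator, List, NamedTuple, Tuple


class HostsFinding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    reason: str


# The only mappings a clean hosts file ships with (::1 on newer Windows than XP)
CLEAN_DEFAULTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Domains the tools used in this thread are fetched from (assumption: chosen for illustration)
WATCHED_SUFFIXES = ("malwarebytes.org", "eset.com", "avast.com", "avira.com", "microsoft.com")

# Constructed sample: the default XP header, then 300 blank lines, then hostile entries.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "#\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
    "127.0.0.1       localhost\n"
    + "\n" * 300
    + "127.0.0.1       www.malwarebytes.org\n"
    "127.0.0.1       www.eset.com\n"
    "203.0.113.10    www.example.com   # constructed: TEST-NET-3 address, not a real server\n"
)


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_no, address, hostnames) for each effective mapping, comments stripped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        yield n, parts[0], parts[1:]


def check_hosts(text: str) -> List[HostsFinding]:
    """Return one finding per hostname that is mapped to anything but the clean defaults."""
    findings: List[HostsFinding] = []
    for n, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(HostsFinding(n, addr, " ".join(names), "address field is not an IP address"))
            continue
        for name in names:
            lname = name.lower()
            if (addr, lname) in CLEAN_DEFAULTS:
                continue
            if lname == "localhost":
                findings.append(HostsFinding(n, addr, lname, "localhost redirected off loopback"))
                continue
            # Mapping a remote name to loopback or 0.0.0.0 sinkholes it: the browser reports
            # "cannot display the webpage" even though the address itself looks harmless.
            if ip.is_loopback or ip.is_unspecified:
                reason = "remote hostname sinkholed to loopback/unspecified address"
            else:
                reason = "remote hostname pinned to a fixed address"
            if any(lname == s or lname.endswith("." + s) for s in WATCHED_SUFFIXES):
                reason = "security vendor domain: " + reason
            findings.append(HostsFinding(n, addr, lname, reason))
    return findings


if __name__ == "__main__":
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.address:<15} {f.hostname:<28} {f.reason}")
```

On a real machine the text would come from `%SystemRoot%\System32\drivers\etc\hosts` read as a whole, which is why the parser numbers lines from the full file rather than relying on what fits in Notepad's window. Findings are for review, not automatic deletion: entries added by ad-blocking lists or by the user are reported in exactly the same way, and the reason text exists so a human can tell the two apart.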
 
Dakeyras

Ran Microsoft fixit then clicked on ESET
I get the same "Internet Explorer cannot display the webpage" when I click on it.
Sorry, this has become more difficult.

New thoughts?

Thanks

Luebs
 
Hi. :)

Ran Microsoft fixit then clicked on ESET
I get the same "Internet Explorer cannot display the webpage" when I click on it.
OK.

Are you using a Router at all? Plus do you have a XP Installation CD-ROM?

Sorry, this has become more difficult.

New thoughts?
Not a problem, I assure you. OK, what we will do is scan your machine with a different application to see if I can work out exactly what the current issue is, as follows... If in the event problems arise with downloading that, we will merely take a different approach again.

Also we will run a quick scan with MBAM and if anything removed that will also give myself a better idea what is happening overall.

Malwarebytes Anti-Malware:

Note: If MBAM will neither update nor is able to scan, merely inform myself in your next reply, as that in itself will be a further indication for myself etc.
  • Launch the application, Check for Updates >> Perform quick scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Scan with RSIT:

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
Make sure that RSIT.exe is on your Desktop before running the application!
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
Note: Both logs can also be located within this folder rsit at the root of your installed Hard-Drive. EG: C:\rsit

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any further symptoms and or problems encountered?
  • Answers to my questions.
  • Malwarebytes Anti-Malware Log.
  • Both RSIT logs. <-- Post them individually please, IE: one Log per post/reply.
 