XP infected with softav

Status
Not open for further replies.
G

gianlucav

New member
My mini9 running XP has been infected with what I think is softav. It started showing dialogs saying XXXX was infected by a virus, and showing a dialog asking if I wanted to install/activate something called soft antivirus. I was not able to open any application like cmd.exe or taskmanager, they would close immediately.

I was able to start task manager before that malware was starting, and I was able to kill it. Then I run regedit I was able to prevent that crap executable (something like wscmrmqtssd.exe) to run at boot time (the Run keys under HKLM and HKCU). However IE and Chrome still don't work, I'm not able to browse any website.

Help!

Have a nice day
GV
 
Hello gianlucav and welcome to the forums.

:snwelcome:

I would first suggest you browse over to the following website and follow the Automated Removal Instructions. In particular this infection sets a proxy which is why you cannot browse. The instructions will explain how to fix that.

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft

Then post the MalwareBytes log for review.

If you are able to get through those steps then please read through the instructions at this link.

Then post your DDS log back here for me to review.

Please do not start a new topic but reply back here.

Regards,
Dave
 
I followed the instructions to remove avsoft and as soon as I disabled the proxy settings, everything started working again.
I run MBAM and it came clean, the log is the following one:

---
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4073

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/9/2010 9:49:54 PM
mbam-log-2010-05-09 (21-49-54).txt

Scan type: Full scan (C:\|)
Objects scanned: 139131
Time elapsed: 12 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
---

DDS Log:

---

DDS (Ver_10-03-17.01) - NTFSx86
Run by Gianluca Varenni at 21:59:05.54 on Sun 05/09/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1297 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDA.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Gianluca Varenni\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Gianluca Varenni\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Gianluca Varenni\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Gianluca Varenni\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com/
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\gianluca varenni\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [\\sagre\EPSON NX100 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieda.exe /fu "c:\docume~1\gianlu~1\locals~1\temp\E_S192.tmp" /EF "HKCU"
uRun: [kknlfnja] c:\documents and settings\gianluca varenni\local settings\application data\xyrkhwwoj\wscmrmqtssd_.exe
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [kknlfnja] c:\documents and settings\gianluca varenni\local settings\application data\xyrkhwwoj\wscmrmqtssd_.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-9-22 9856]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-6 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1285864]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-9-20 93968]

=============== Created Last 30 ================

2010-05-07 04:17:54 0 d-----w- c:\docume~1\gianlu~1\applic~1\Malwarebytes
2010-05-07 04:17:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 04:17:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 04:17:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 04:17:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-07 03:19:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-06 15:01:31 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-06 15:01:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 14:52:31 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-06 14:50:42 0 d-----w- c:\program files\Lavasoft
2010-04-18 21:14:03 0 d-----w- c:\documents and settings\gianluca varenni\System
2010-04-18 21:14:03 0 d-----w- c:\docume~1\gianlu~1\applic~1\SmartDraw
2010-04-18 21:11:11 0 d-----w- c:\program files\SmartDraw 2010
2010-04-10 06:11:18 0 d-----w- c:\program files\IKEA HomePlanner
2010-04-10 06:10:20 0 d-----w- c:\program files\common files\Wise Installation Wizard

==================== Find3M ====================

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 21:59:23.10 ===============

---

Thanks!
GV
 
Hi,

Glad it's running better. Still showing some signs of infection there.

We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
 
Here it is.

ComboFix 10-05-10.02 - Gianluca Varenni 05/10/2010 20:21:27.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1265 [GMT -7:00]
Running from: c:\documents and settings\Gianluca Varenni\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\GIANLU~1\LOCALS~1\Temp\install_flash_player.exe
c:\documents and settings\Gianluca Varenni\Local Settings\Application Data\xyrkhwwoj
c:\documents and settings\Gianluca Varenni\Local Settings\Application Data\xyrkhwwoj\wscmrmqtssd.exe
c:\documents and settings\Gianluca Varenni\System
c:\documents and settings\Gianluca Varenni\System\win_qs8.jqx

.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-07 04:17 . 2010-05-07 04:17 -------- d-----w- c:\documents and settings\Gianluca Varenni\Application Data\Malwarebytes
2010-05-07 04:17 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 04:17 . 2010-05-07 04:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 04:17 . 2010-05-07 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-07 04:17 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 03:19 . 2010-05-06 15:00 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-06 15:01 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-06 15:01 . 2010-05-06 15:00 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 14:52 . 2010-05-06 14:52 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-06 14:52 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-06 14:50 . 2010-05-06 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-06 14:50 . 2010-05-06 14:52 -------- d-----w- c:\program files\Lavasoft
2010-04-18 21:14 . 2010-04-18 21:14 -------- d-----w- c:\documents and settings\Gianluca Varenni\Application Data\SmartDraw
2010-04-18 21:11 . 2010-04-18 21:14 -------- d-----w- c:\program files\SmartDraw 2010

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 03:24 . 2009-09-23 03:28 -------- d-----w- c:\documents and settings\Gianluca Varenni\Application Data\Skype
2010-05-11 03:13 . 2009-09-23 03:30 -------- d-----w- c:\documents and settings\Gianluca Varenni\Application Data\skypePM
2010-04-18 21:14 . 2009-09-23 02:46 12328 ----a-w- c:\documents and settings\Gianluca Varenni\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-10 06:11 . 2010-04-10 06:11 -------- d-----w- c:\program files\IKEA HomePlanner
2010-04-10 06:10 . 2010-04-10 06:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-30 05:25 . 2010-03-30 05:25 -------- d-----w- c:\program files\Common Files\Skype
2010-03-24 18:17 . 2010-03-24 08:04 952768 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\6125\AdobeARM.exe
2010-03-24 18:17 . 2010-03-24 08:04 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\6125\AdobeExtractFiles.dll
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\6125\ReaderUpdater.exe
2010-03-24 18:17 . 2010-03-24 08:04 326056 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Reader\9.3\ARM\6125\AcrobatUpdater.exe
2010-03-09 11:09 . 2008-04-25 20:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43 . 2008-04-25 20:33 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2008-04-25 20:33 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2008-04-25 20:33 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-25 20:33 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2008-04-25 20:33 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-04-25 20:33 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Gianluca Varenni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-23 133104]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Aim"="c:\program files\AIM\aim.exe" [2009-09-16 3634024]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-03-09 26100520]
"\\sagre\EPSON NX100 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIEDA.EXE" [2008-02-04 188928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-07-11 537896]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2008-07-11 492840]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-13 16876032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-14 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-14 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-14 137752]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-7-30 604776]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [9/22/2009 7:14 PM 9856]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [5/6/2010 8:01 AM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 8:52 AM 1285864]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [9/20/2009 11:46 AM 93968]

--- Other Services/Drivers In Memory ---

*Deregistered* - MBAMSwissArmy
.
Contents of the 'Scheduled Tasks' folder

2010-05-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:59]

2010-03-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3520309029-3036716248-3072606560-1006Core1cac72ac17536de.job
- c:\documents and settings\Gianluca Varenni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-23 02:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-kknlfnja - c:\documents and settings\Gianluca Varenni\Local Settings\Application Data\xyrkhwwoj\wscmrmqtssd_.exe
HKLM-Run-kknlfnja - c:\documents and settings\Gianluca Varenni\Local Settings\Application Data\xyrkhwwoj\wscmrmqtssd_.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-10 20:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-05-10 20:29:37
ComboFix-quarantined-files.txt 2010-05-11 03:29

Pre-Run: 1,303,379,968 bytes free
Post-Run: 1,460,965,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 97AE1306C8CACDD4A0498CBAAA0E05C7
 
Here it is. Regarding the lack of antivirus, I personally don't like them too much. Usually too intrusive and using non-conventional and undocumented OS features and APIs. On my work laptop however I do use Antivir.

Have a nice day
GV

DDS (Ver_10-03-17.01) - NTFSx86
Run by Gianluca Varenni at 22:52:31.18 on Tue 05/11/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1439 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Battery Meter\BTMeter.exe
C:\Program Files\Wireless Select Switch\WLSS.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEDA.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Gianluca Varenni\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Google Update] "c:\documents and settings\gianluca varenni\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [\\sagre\EPSON NX100 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieda.exe /fu "c:\docume~1\gianlu~1\locals~1\temp\E_S192.tmp" /EF "HKCU"
mRun: [BTMeter] c:\program files\battery meter\BTMeter.exe
mRun: [WLSS] c:\program files\wireless select switch\WLSS.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [2009-9-22 9856]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-6 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1285864]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-9-20 93968]

=============== Created Last 30 ================

2010-05-11 03:20:14 0 d-sha-r- C:\cmdcons
2010-05-11 03:18:07 98816 ----a-w- c:\windows\sed.exe
2010-05-11 03:18:07 77312 ----a-w- c:\windows\MBR.exe
2010-05-11 03:18:07 256512 ----a-w- c:\windows\PEV.exe
2010-05-11 03:18:07 161792 ----a-w- c:\windows\SWREG.exe
2010-05-07 04:17:54 0 d-----w- c:\docume~1\gianlu~1\applic~1\Malwarebytes
2010-05-07 04:17:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-07 04:17:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-07 04:17:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-07 04:17:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-07 03:19:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-05-06 15:01:31 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-06 15:01:17 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-06 14:52:31 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-06 14:50:42 0 d-----w- c:\program files\Lavasoft
2010-04-18 21:14:03 0 d-----w- c:\docume~1\gianlu~1\applic~1\SmartDraw
2010-04-18 21:11:11 0 d-----w- c:\program files\SmartDraw 2010

==================== Find3M ====================

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 22:52:49.62 ===============
 
Regarding the lack of antivirus, I personally don't like them too much. Usually too intrusive and using non-conventional and undocumented OS features and APIs.
Click to expand...
Forgive me if I sound "flippant", but how's that working out for you? Ultimately though, it's your computer and you control what you want or don't want to do with it.

1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new DDS log. Just DDS.txt. .
 
IndiGenus said:
Forgive me if I sound "flippant", but how's that working out for you? Ultimately though, it's your computer and you control what you want or don't want to do with it.

I never had problems, as long as I'm the only one using the computer. The computer which is infected is used by other people in the family as well...

dds and combofix logs attached.
Click to expand...
 
How is it running?

I would suggest you do an online virus scan, even if you don't want to run an AV real-time.

Please do an online scan with Kaspersky WebScanner

You need to use Internet Explorer for this scan.

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
Here is the report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, June 2, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, June 02, 2010 09:59:40
Records in database: 4195772
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Objects scanned: 32700
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 01:16:00


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\Gianluca Varenni\Local Settings\Application Data\xyrkhwwoj\wscmrmqtssd.exe.vir Infected: Trojan.Win32.FraudPack.avdn 1
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP1\A0000014.exe Infected: Trojan.Win32.FraudPack.avdn 1

Selected area has been scanned.
 
Just 2 items and both will be cleared out when we uninstall combofix.

Uninstall Combofix
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
The above procedure will:
  • Delete the following: ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
 
Results of screen317's Security Check version 0.99.4
Windows XP Service Pack 3
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
```````````````````````````````
Anti-malware/Other Utilities Check:
Ad-Aware
Malwarebytes' Anti-Malware
Java(TM) 6 Update 15
Out of date Java installed!
Adobe Flash Player 10.0.32.18
Adobe Reader 9.3
````````````````````````````````
Process Check:
objlist.exe by Laurent
Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 
As you can see, Java needs updating.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u20 allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.

++++++++++++++++++++++++

I'll also give you my full prevention speech in case you want to set anything up on this PC as there's just about ZERO protection right now.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Here is a list of some free and evaluation versions to try:Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evalutation versions that provide
better security than the Windows Firewall.For a tutorial on Firewalls and a listing of some other available ones see the link below:
Understanding and Using Firewalls

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install Winpatrol -
Use Winpatrol to take control of your PC and provide another layer of security.
Help file and tutorial can be found Here

Block unwanted parasites with a custom hosts file -
http://www.mvps.org/winhelp2002/hosts.htm

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Keep your applications up to date -
Use Secunia Personal Software Inspector to help stay on top of application updates that could leave your PC vulnerable to attack.

I'll leave the thread open a few days in case you have questions or issues.

Regards,
Dave
 
I updated Java and installed antivir, which i think is still a lightweight antivirus and not too intrusive.

Thanks for all the help.
 
Status
Not open for further replies.
Back
Top