[SOLVED] windows xp restore virus....help!!

Old 07-06-2011, 04:15 PM   #1
Registered Member
 
Join Date: Mar 2011
Posts: 72
OS: Ubuntu 12.4



hi there....

i'll start at the beginning to keep things in perspective, some of it might seem irrelevant and might indeed be so, but i am not computer literate and dont know which bit might be useful....

my wife has a samsung nc10 running intel atom with windows xp which was preinstalled. it was working fine till a month ago when the windows xp virus infected it.

i went on some websites and found that i could reverse the problem by simply restoring to an earlier date.....very naive of me to believe it......but i did so.....and it worked......for a week...

then the virus came back with a vengeance.....and i found out that i need to boot in safe mode.....i did a goof at that point and changed the boot settings.......such that the computer went into a booting loop......

i got help at this forum......and got that sorted......so now the computer switches on......but very slow.....no desktop.....and everything hidden......i have followed all the instructions.....and here are the logs....

the dds is as follows...

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Natalia at 22:13:13 on 2011-07-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.518 [GMT 1:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\Samsung\Samsung Update Plus\SUPBackGround.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
D:\Programs\iTunesHelper.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearch Page = hxxp://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*Yahoo! Search - Web Search
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\hrjebviq\pxbqlyre.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ovasevurijanoxo] rundll32.exe "c:\windows\wzevc32.dll",Startup
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10r_ActiveX.exe -update activex
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [SUPBackGround] c:\program files\samsung\samsung update plus\SUPBackGround.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "d:\programs\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Xcekuhoga] rundll32.exe "c:\windows\usapoheb.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
uPolicies-explorer: NoDesktop = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{36030B22-5785-44BA-BB09-978A000928E4} : DhcpNameServer = 192.168.1.254
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-4 11608]
R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-4-27 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-4 136360]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-4 61960]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-11-12 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-11-12 238464]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\natalia\locals~1\temp\wjyblvkt.sys --> c:\docume~1\natalia\locals~1\temp\wjyblvkt.sys [?]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-4 269480]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-22 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-22 136176]
S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [2006-10-30 19840]
.
=============== Created Last 30 ================
.
2011-06-14 22:50:07 0 ---ha-w- c:\windows\afedogosixaxet.dll
2011-06-10 20:21:33 -------- d--h--w- c:\windows\pss
2011-06-08 21:44:28 116224 ---ha-w- c:\windows\system32\drivers\4163E8.tmp
2011-06-08 21:43:37 116224 ---ha-w- c:\windows\system32\drivers\1175B.sys
2011-06-08 21:41:24 116224 ---ha-w- c:\windows\system32\drivers\20058.sys
2011-06-08 21:39:46 -------- d--h--w- c:\documents and settings\natalia\local settings\application data\{0C5F94AD-AC74-4312-A65C-978870C89E73}
2011-06-08 21:39:01 116224 ---ha-w- c:\windows\system32\drivers\19554.sys
2011-06-08 21:38:39 -------- d--h--w- C:\spoolerlogs
2011-06-08 21:37:29 4224 ---ha-w- c:\windows\system32\beep.sys
2011-06-08 21:33:40 -------- d--h--w- c:\program files\hrjebviq
.
==================== Find3M ====================
.
2011-07-05 20:57:58 0 ---ha-w- c:\windows\Jlaquke.bin
2011-06-04 20:46:45 404640 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-01 13:38:01 65536 ---ha-w- c:\windows\system32\spool\prtprocs\w32x86\2814B.tmp
2011-04-28 13:34:50 53816 ---ha-w- c:\windows\system32\drivers\RapportKELL.sys
.
============= FINISH: 22:14:13.90 ===============


the other two are attached...

hopefully i did it correctly!

i must congratulate you guys....excellent job.....
very good instructions.....
Attached Files: ark.zip (7.0 KB), attach.zip (2.8 KB)

-- VincentP
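Added example, not code from the thread or from the DDS tool: a Python triage script that applies the checks an analyst runs over the "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of a DDS log like the one above (Userinit chaining, rundll32 Startup entries loading DLLs from the Windows root, NoDesktop/DisableTaskMgr policies, service images in a temp directory). The sample lines are copied from the log above; the line-format regexes and the list of lockout policies are my own assumptions, not part of DDS.

```python
import re
from typing import List, Tuple

# Stock XP Winlogon Userinit value; anything chained after the comma is a hijack candidate
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
# Explorer/System policy values malware flips to lock the user out of the desktop and tools
LOCKOUT_POLICIES = {"nodesktop", "disabletaskmgr", "disableregistrytools", "nofolderoptions"}
# Path fragments that no legitimate service or driver image should be loaded from
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")


def _windows_root_dll(cmd: str):
    """If cmd runs rundll32 on a DLL sitting directly in c:\\windows, return that path."""
    m = re.match(r'"?[^"\s]*rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?', cmd, re.I)
    if not m:
        return None
    dll = m.group(1).lower()
    return dll if re.fullmatch(r"c:\\windows\\[^\\]+\.dll", dll) else None


def triage_line(line: str) -> List[str]:
    """Return the list of red-flag reasons for one DDS report line (empty if clean)."""
    text = line.strip()
    reasons: List[str] = []

    # 1. Winlogon Userinit hijack: extra binaries chained behind userinit.exe
    m = re.match(r"[um]winlogon:\s*userinit=(.*)", text, re.I)
    if m:
        for part in (p.strip().lower() for p in m.group(1).split(",")):
            if part and part != STOCK_USERINIT:
                reasons.append(f"Userinit chained to non-stock binary: {part}")

    # 2. Run/RunOnce entries that call a Startup export of a DLL dropped in the Windows root
    m = re.match(r"[um]run(?:once)?:\s*\[[^\]]*\]\s*(.*)", text, re.I)
    if m:
        dll = _windows_root_dll(m.group(1))
        if dll:
            reasons.append(f"rundll32 loads DLL from Windows root: {dll}")

    # 3. Policy keys that hide the desktop or disable Task Manager
    m = re.match(r"[um]policies-(explorer|system):\s*(\w+)\s*=\s*(\d+)", text, re.I)
    if m and m.group(2).lower() in LOCKOUT_POLICIES and int(m.group(3)) != 0:
        reasons.append(f"{m.group(2)} policy set to {m.group(3)} under {m.group(1)}")

    # 4. Services/drivers whose image path points into a temp directory or has no file info
    m = re.match(r"[RS]\d\s+([^;]+);[^;]*;(.*)", text)
    if m:
        image = m.group(2).lower()
        if any(marker in image for marker in TEMP_MARKERS):
            reasons.append(f"service '{m.group(1)}' image lives in a temp directory")
        if image.endswith("[?]"):
            reasons.append(f"service '{m.group(1)}' image has no size/date recorded ([?])")
    return reasons


def triage(report: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole report; return (line, reasons) for flagged lines only."""
    out: List[Tuple[str, List[str]]] = []
    for ln in report.splitlines():
        reasons = triage_line(ln)
        if reasons:
            out.append((ln.strip(), reasons))
    return out


# Constructed sample: a handful of lines taken verbatim from the DDS log posted above
SAMPLE_REPORT = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\hrjebviq\pxbqlyre.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Ovasevurijanoxo] rundll32.exe "c:\windows\wzevc32.dll",Startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Xcekuhoga] rundll32.exe "c:\windows\usapoheb.dll",Startup
uPolicies-explorer: NoDesktop = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
R4 Micorsoft Windows Service;Micorsoft Windows Service;\??\c:\docume~1\natalia\locals~1\temp\wjyblvkt.sys --> c:\docume~1\natalia\locals~1\temp\wjyblvkt.sys [?]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-4 269480]
"""

if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_REPORT):
        print(flagged)
        for reason in why:
            print("   ->", reason)
```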
Old 07-07-2011, 08:53 AM   #2
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,655
OS: Windows 2000 Pro. - Vista SP 2, W7



Hello, Welcome to TSF.
I'm nasdaq and will be helping you.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programs, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.
===

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

For AVG antivirus and anti-spyware security software users only.
Quote:
Due to recent changes in AVG and how it interacts with CF, AVG must be uninstalled to run ComboFix. You will get a message from CF stating such.

If AVG will not uninstall, it is first recommended to uninstall it with this AppRemover by Opswat. The AVG uninstaller can be downloaded from here > AppRemover.exe. Go to their homepage and you will see they have support for removal of other AVs as well (AVG appremover tool).
Please post the logs and let me know what problem persists.

-- nasdaq
Old 07-07-2011, 11:56 AM   #3
Registered Member
 
Join Date: Mar 2011
Posts: 72
OS: Ubuntu 12.4


Hi NASDAQ.... Thanks for your reply.. I shall do so very soon and let you know how I get along...

I just wanted to ask you about a few things

First, because of the virus, I can't see the desktop. It's a clear grey screen with no icons. I had mentioned this earlier for dds and gmer and it was suggested that I run the programs from a flash drive, which I did. Will it be okay to do the same for these programs as well? If not, then please advise regarding saving on desktop as currently it seems invisible.

Second, after running the dds and gmer etc on the infected machine, I noted 4 folders on the stick which seemed out of the blue. I didn't fiddle with them as I didn't know if they were a part of the program. Once I had copied the logs to the stick, I used the stick on my own laptop (acer aspire 6920, windows 7, intel core 2 duo t5750), and the antivirus, Avira, identified 4 viruses, which I promptly deleted.
I had read somewhere that the virus could come in/ reinforce/ reactivate etc in the form of a java update. I keep getting a pop up telling me java update is due. Question: if the java update seems totally legal, could it still harbour the virus? Should I update or avoid? I clicked on the update. Next second, (the update hadn't begun) the desktop seemed to go blank for a second, probably slow, but it reminded me of the virus. So I rebooted in safe mode and am currently running the antivirus. There are 5 detections reported, 7.1% complete, last detection was java/agent.aj.4 (I hope typing that isn't viral!) so.... What do you think... Update or not?

Last question, I am probably going to need to run most of the programs you recommend through a flash drive. Then save the logs on it and upload them from my clean laptop. How can I keep my laptop safe? It was suggested in this forum earlier to use Flash_Disinfector. I downloaded it but it wouldn't run. So I don't know how to work it. Is it sufficient to scan everything on the stick with Avira?

Your help is much appreciated. I would love to know your thoughts on these. If there is a way to use my wife's laptop alone to download, run software and upload the logs, that would be best. But whichever way you come up with, I'll go with it.

Thanks again,

Manpreet
-- VincentP
Old 07-08-2011, 05:29 AM   #4
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,655
OS: Windows 2000 Pro. - Vista SP 2, W7



This fix should remove the restrictions on the Desktop and your Task Manager.

open a new notepad window and paste the following text into it

Quote:
REGEDIT4

; A leading "-" deletes the whole key: this removes DisableTaskMgr and any other
; restriction set under Policies\System for the machine and for the current user
[-HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

; The Explorer policies are reset to 0 (not deleted) so the desktop can be shown again
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
then change the "save as type" to "all files" and save it as unlock.reg

double click on the file, and click yes when it asks you if you want to merge the information with the registry.

Reboot normally.

If your desktop is available please execute my previous instructions.

If your stick was infected, it probably means that we are dealing with a worm that infects flash drives.

Post the logs if you can and I will pick it up from there.
-- nasdaq
Old 07-08-2011, 11:02 AM   #5
Registered Member
 
Join Date: Mar 2011
Posts: 72
OS: Ubuntu 12.4


Hi... Thanks for your reply....

I did what you told...
Sadly.... The desktop didn't show...

I accessed the desktop from the side menu...
The firefox is gone.... ? Don't know how or where...

Safari is there.... But like a watermark icon.... Faded.... Clicking on it doesn't allow access to the net....

Explorer is there too.... Like a proper icon.... Tried that.... A window opens... Then shuts.... And that's it....

So no access to net so far.... Will be glad to hear your thoughts....

Manpreet
-- VincentP
Old 07-08-2011, 11:34 AM   #6
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,655
OS: Windows 2000 Pro. - Vista SP 2, W7



  • Please download Rootkit Unhooker. Save it to your desktop.
    * Now double-click on RKUnhookerLE.exe to run it.
    * Vista/Windows 7 users right-click and select Run As Administrator.
    * Click the Report tab, then click Scan.
    * Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
    * Wait till the scanner has finished and then click File, Save Report.
    * Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.
===
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
-- nasdaq
Old 07-10-2011, 04:55 AM   #7
Registered Member
 
Join Date: Mar 2011
Posts: 72
OS: Ubuntu 12.4




Thanks for the reply. OTL has been downloaded but the rootkit unhooker could not be accessed. So could not access the site. Please advise.

On second thought, I was thinking if installation of a new hard disc in the laptop could resolve the problem or the virus could still remain in the RAM and affect the new hard disc too. Please advise.
-- VincentP
Old 07-10-2011, 06:18 AM   #8
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,655
OS: Windows 2000 Pro. - Vista SP 2, W7



Can you run the OTL tool?

Submit the log if available.
-- nasdaq
Old 07-10-2011, 11:38 AM   #9
Registered Member
 
Join Date: Mar 2011
Posts: 72
OS: Ubuntu 12.4


Sure thing.... Will post it tonight.... Thanks
-- VincentP
Old 07-10-2011, 04:35 PM   #10
Registered Member
 
Join Date: Mar 2011
Posts: 72
OS: Ubuntu 12.4




okay.....here goes......bit of a mess tonight......dont know what you will make of it.......i hope you are a calm personality!!!.......if you have time.....maybe you should get a drink.......this is going to be long!!

problem 1......there is no internet.....so the only way to run the tools was to use flash drives.....and run the scan through that....

problem 2......once the scan is done.....how to post it?......you were right the first time around......it is definitely a worm.....it creates a folder on the flash drive as soon as it is inserted.....called recycle.......which seems to be the mother.......and 4 files......called copy to shortcut.......i tried to delete these copy to shortcuts.......but it's like an alien replicating program from the movies.......it just replicates and you can never get rid of the copy etc files.......trying to delete the mother folder recycle......is not allowed.....it comes up as a window with a red mark etc.....so anyhow......i was stuck with the problem.....i didn't want to infect my clean laptop with this virus.....but had to send you the files.....

now with that in mind,........here is what happened....

so downloaded the otl on to flash drive....

ran the otl from the flash drive.....

noticed the virus on the flash drive....tried to remove....didn't work....as above.....

the plan a was to try and use the email this file link and attach the logs to it.......send it to some distant friend who works in an IT firm.......he can clean the mail.....remove the malware and just send the logs back to me.....and once the clean mail comes back.....i can open it on my clean laptop.......and upload the logs onto this post.....

plan a failed.......couldn't get onto the net in any way.....

plan b......print the logs.......the printer can't get infected........so once i have the prints......i can scan them and send to you through my clean printer.....so i did that......and got the logs.....but i made an error there.....
the first scan of the otl was raw.......i mean i didn't tick and untick the options you had instructed me to.......

but anyhow......got the logs printed out....both otl and extras....then realised the error.......made the settings as you had suggested.....then got the result out........but sadly.....it would only generate the otl.......no extras........so i didn't do anything......i didn't print the second or the third run out.........i hope this all wasn't very wrong etc.....

the computer got slower and slower to respond......froze a few times.....so had to restart etc....each time i restarted.....it would hang up on a window saying explorer.exe wouldn't shut......end now or wait......and each time i pressed end now..........and on one such occasion.......it stopped responding......so i had to shut it down through task manager.......it restarted and a black screen came up......missing operating system........not knowing what to do......i forced it shut.....

the plan was to call it a day and write to you with the events and logs.....

but i thought i will try and boot once again......see if it is still working.....

when it was booting......i saw the flicker of an option of pressing f4 to restore......which i pressed as a last ditch attempt.....

it restored to a date in 2009.....and booted.......to a normal screen with the desktop.....

but i know from past experience that the virus is lurking in there somewhere waiting to multiply......

but what it allowed me was the access to the net.....which was good....

so i started from scratch.....

used explorer to download firefox....

used firefox to log in here.....tsf.....

downloaded the dds and gmer.....

ran the two and got the logs.....

also downloaded avira......which i am going to run after i have posted the logs and finished writing to you.....

i do understand that we need to extract the virus so the fight is far from over......

i am planning to run the avira now......i hope that's alright with you.....

then i will shut down......hopefully i will turn it on tomorrow and find it working okay........last time the virus returned in about a week......and i reckon that's the time we have got this time.....perhaps less.....before it strikes back.......so i will work at it......

questions.....

1. do you want me to run otl again......and post you the fresh logs??

2. do you want me to scan and send you the printout of the otl logs from before the restore?

3. i have now 3 infected flash drives!!......once this is done....perhaps you could help me disinfect them too!!.....

many thanks......let me know the things i did wrong.....or things that you wouldn't do......just for my knowledge......so i can learn.....

thanks again.....

here is the dds log....

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Natalia at 0:46:18 on 2011-07-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.520 [GMT 1:00]
.
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Samsung\Samsung EDS\EDSAgent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Samsung\Samsung Battery Manager\BatteryManager.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Samsung\Easy Display Manager\dmhkcore.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\SAMSUNG\MagicKBD\PerformanceManager.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\samsung\Samsung Network Manager\SNMWLANService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\igfxext.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Samsung\Samsung Update Plus\SLUTrayNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [<NO NAME>]
mRun: [EDS] c:\program files\samsung\samsung eds\EDSAgent.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DMHotKey] c:\program files\samsung\easy display manager\DMLoader.exe
mRun: [BatteryManager] c:\program files\samsung\samsung battery manager\BatteryManager.exe
mRun: [MagicKeyboard] c:\program files\samsung\magickbd\PreMKBD.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{36030B22-5785-44BA-BB09-978A000928E4} : DhcpNameServer = 192.168.1.254
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\natalia\application data\mozilla\firefox\profiles\juzl12zc.default\
.
============= SERVICES / DRIVERS ===============
.
R1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-12 201288]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [2008-11-12 4300]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-11-12 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-11-12 144704]
R2 SNM WLAN Service;SNM WLAN Service;c:\program files\samsung\samsung network manager\SNMWLANService.exe [2006-10-30 36864]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [2008-1-15 30208]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-11-12 79304]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-11-12 35240]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-11-12 238464]
S2 0108471310340309mcinstcleanup;McAfee Application Installer Cleanup (0108471310340309);c:\windows\temp\010847~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\010847~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2008-11-12 33800]
S3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2008-11-12 40488]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-11-12 695624]
.
=============== Created Last 30 ================
.
2011-07-10 23:24:25 -------- d-----w- c:\windows\system32\SoftwareDistribution
.
==================== Find3M ====================
.
.
============= FINISH: 0:46:54.89 ===============



the other two are attached.....

thanks again
manpreet
Attached Files
File Type: zip ark.zip (5.7 KB, 3 views)
File Type: zip attach.zip (997 Bytes, 1 views)
__________________
VincentP is offline  
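The DDS log above is what the analyst reads by eye: each `mRun:` line is an autostart value and each `R1/R2/S2/S3` line is a service or driver with its image path, file date and size. As an added example (not part of the thread and not a DDS or TSF tool), here is a small Python triage script that parses those two line types and flags the entries a reviewer would look at first: a Run value with no command, a Run value that names a bare executable resolved through the search path, a service whose image lives under a temp directory, and a service whose image DDS could not find on disk (`[?]`). The sample input is constructed from lines in the log above; the flagging rules are this example's own heuristics, not DDS output.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the DDS log posted above, so the
# parser can run offline without the original file.
SAMPLE_LOG = r"""
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0\bin\jusched.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [<NO NAME>]
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
R1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-11-12 201288]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [2008-11-12 238464]
S2 0108471310340309mcinstcleanup;McAfee Application Installer Cleanup (0108471310340309);c:\windows\temp\010847~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\010847~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
"""

# "mRun: [Name] command", also uRun/dRun and the RunOnce variants DDS prints.
RUN_RE = re.compile(r"^([umd]?Run(?:Once)?): \[([^\]]*)\](?:\s+(.*))?$")
# "R1 name;description;image path [date size]"; the bracket holds "?" when
# DDS could not stat the image file.
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]$")


@dataclass
class Finding:
    source: str  # "mRun", "R1", "S2", ...
    name: str
    reason: str


def triage_dds(log_text: str) -> List[Finding]:
    """Return review-worthy autostart and service entries from DDS log text."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            key, name, cmd = m.group(1), m.group(2), (m.group(3) or "").strip()
            if not cmd:
                findings.append(Finding(key, name, "Run value has no command"))
            elif "\\" not in cmd:
                # A bare name is located through the PATH search order, so a
                # same-named file earlier on the path would run instead.
                findings.append(Finding(key, name, "bare executable name, resolved through the search path"))
            continue
        m = SVC_RE.match(line)
        if m:
            start, name, _desc, image, stamp = m.groups()
            if stamp.strip() == "?":
                findings.append(Finding(start, name, "image file not found on disk"))
            if re.search(r"\\temp\\", image, re.I):
                findings.append(Finding(start, name, "image runs from a temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_LOG):
        print(f"{f.source:5} {f.name}: {f.reason}")
```

Run against the sample it reports the bare `RTHDCPL.EXE` value, the empty `<NO NAME>` value, and the `S2` cleanup service twice (missing image, temp path); none of these is proof of infection, but they are exactly the lines to compare against a known-clean machine before deciding what to remove.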
Old 07-11-2011, 05:14 AM   #11
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,655
OS: Windows 2000 Pro. - Vista SP 2, W7



Run this tool.

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Download and run the ComboFix tool as per post No. 2.

Post the log.

Please let me know what problem persists.
__________________
nasdaq is offline  
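The note above explains the trick Flash_Disinfector relies on: Windows will not create a file named `autorun.inf` while a directory of that name already exists at the drive root, so the worm cannot drop its autorun file again. As an added example (not the Flash_Disinfector tool, and not code from this thread), the Python below audits a drive root for the three things VincentP described, an `autorun.inf` file, shortcut files sitting at the root, and a folder posing as the recycle bin, and then applies the same directory-placeholder protection. The folder-name list and the `demo()` layout are constructed for the example; the hidden/system attributes are set only when running on Windows.

```python
import ctypes
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed list of folder names that USB worms commonly use to pose as the
# recycle bin (the thread's sample used "recycle").
RECYCLE_LOOKALIKES = {"recycle", "recycler", "recycled", "$recycle.bin"}


def audit_drive_root(root: Path) -> List[str]:
    """Report autorun.inf files, root-level shortcuts and recycle-bin lookalike folders."""
    findings: List[str] = []
    for entry in sorted(root.iterdir(), key=lambda p: p.name.lower()):
        name = entry.name.lower()
        if name == "autorun.inf" and entry.is_file():
            findings.append("autorun.inf file present at drive root (autorun worm indicator)")
        elif entry.is_file() and name.endswith(".lnk"):
            findings.append(f"shortcut at drive root: {entry.name}")
        elif entry.is_dir() and name in RECYCLE_LOOKALIKES:
            findings.append(f"recycle-bin lookalike folder: {entry.name}")
    return findings


def protect_autorun(root: Path) -> Path:
    """Set aside any autorun.inf file and create a directory of that name in its place.

    While the directory exists, no process can create a file called autorun.inf
    at this root, which is the protection the Flash_Disinfector note describes.
    """
    target = root / "autorun.inf"
    if target.is_file():
        # Keep the original for analysis rather than deleting it; it is never executed.
        target.rename(root / "autorun.inf.quarantined")
    target.mkdir(exist_ok=True)
    if sys.platform == "win32":
        # FILE_ATTRIBUTE_HIDDEN (0x2) | FILE_ATTRIBUTE_SYSTEM (0x4)
        ctypes.windll.kernel32.SetFileAttributesW(str(target), 0x2 | 0x4)
    return target


def demo() -> Tuple[Path, List[str], List[str]]:
    """Build a constructed drive root in a temp dir, audit it, protect it, audit again."""
    tmp = Path(tempfile.mkdtemp(prefix="usbdemo_"))
    (tmp / "autorun.inf").write_text("; constructed placeholder, not a real autorun file\n")
    (tmp / "copy to shortcut.lnk").write_bytes(b"")  # empty stand-in for a worm shortcut
    (tmp / "recycle").mkdir()
    (tmp / "holiday photos").mkdir()  # ordinary user data, must not be flagged
    before = audit_drive_root(tmp)
    protect_autorun(tmp)
    after = audit_drive_root(tmp)
    return tmp, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

On a real stick you would call `audit_drive_root(Path("E:/"))` and `protect_autorun(Path("E:/"))`; the shortcut and lookalike-folder findings still need a human decision, which is why the script reports them instead of deleting them.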
Old 07-15-2011, 04:07 PM   #12
Registered Member
 
Join Date: Mar 2011
Posts: 72
OS: Ubuntu 12.4



Quote:
Originally Posted by nasdaq View Post
Run this tool.

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Download and run the ComboFix tool as per post No. 2.

Post the log.

Please let me know what problem persists.
hi....thanks for the reply.....few busy shifts....

ran the combofix.....

the log is below......let me know what you think.....thanks....

ComboFix 11-07-15.02 - Natalia 16/07/2011 0:50.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.486 [GMT 1:00]
Running from: c:\documents and settings\Natalia\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: avast! Antivirus *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-06-15 to 2011-07-15 )))))))))))))))))))))))))))))))
.
.
2011-07-15 23:32 . 2011-07-15 23:33 -------- d-----w- c:\program files\CCleaner
2011-07-15 23:28 . 2011-07-15 23:28 -------- d-----w- c:\windows\LastGood
2011-07-11 00:42 . 2005-02-25 03:35 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2011-07-11 00:41 . 2011-07-15 23:49 -------- d--h--w- c:\windows\$hf_mig$
2011-07-11 00:41 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-11 00:41 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-11 00:41 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-11 00:41 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-11 00:41 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-11 00:41 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-11 00:41 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-11 00:41 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-11 00:41 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-07-11 00:41 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-11 00:40 . 2011-07-11 00:40 -------- d-----w- c:\program files\AVAST Software
2011-07-11 00:40 . 2011-07-11 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-10 23:30 . 2011-07-10 23:30 -------- d-----w- c:\documents and settings\Natalia\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 04:32 . 2011-07-10 23:30 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0\bin\jusched.exe" [2008-11-11 36972]
"RTHDCPL"="RTHDCPL.EXE" [2008-08-26 16851456]
"EDS"="c:\program files\Samsung\Samsung EDS\EDSAgent.exe" [2007-12-21 659456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-28 1044480]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"DMHotKey"="c:\program files\Samsung\Easy Display Manager\DMLoader.exe" [2006-12-27 466944]
"BatteryManager"="c:\program files\Samsung\Samsung Battery Manager\BatteryManager.exe" [2008-10-20 2768896]
"MagicKeyboard"="c:\program files\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-15 151552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-04 582992]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-4-1 568176]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/11/2011 1:41 AM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/11/2011 1:41 AM 309848]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/11/2011 1:41 AM 19544]
R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [11/12/2008 12:36 AM 4300]
R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [1/15/2008 4:01 AM 30208]
R3 VMC326;Vimicro Camera Service VMC326;c:\windows\system32\drivers\VMC326.sys [11/12/2008 12:40 AM 238464]
S2 SNM WLAN Service;SNM WLAN Service;c:\program files\Samsung\Samsung Network Manager\SNMWLANService.exe [10/30/2006 11:29 PM 36864]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSNX
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - AVAST!_ANTIVIRUS
.
Contents of the 'Scheduled Tasks' folder
.
2008-11-11 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-11 23:10]
.
2008-11-11 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-11-11 23:10]
.
.
------- Supplementary Scan -------
.
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Natalia\Application Data\Mozilla\Firefox\Profiles\juzl12zc.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-07-16 00:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1020)
c:\windows\system32\btmmhook.dll
.
Completion time: 2011-07-16 01:02:44
ComboFix-quarantined-files.txt 2011-07-16 00:02
.
Pre-Run: 69,241,057,280 bytes free
Post-Run: 69,216,096,256 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 87A88F60BC16C2458E3C4E94DD94CFDF
__________________
VincentP is offline  
Old 07-16-2011, 05:16 AM   #13
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,655
OS: Windows 2000 Pro. - Vista SP 2, W7



Your log looks good.

The owner of the USBNoRisk tool gave us the new link for the tool.
Try it.

Download USBNoRisk to your Desktop and run it by double-clicking the program's icon
- wait a couple of seconds for initial scan to be done
- connect all of the USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds
- if there are more USB storage devices to scan, please take a note about the order in which these were connected
- after all the devices are scanned, choose "Save log" option from right-click menu on Monitor tab. That will open the log in Notepad. Please copy/paste the log to forum.

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

P.S. Do not run both the McAfee and the Avast virus and firewall protection in real time.
This will only slow down your system. Make sure only one or the other is running.

Please let me know what problem persists.
__________________
nasdaq is offline  
Old 07-16-2011, 07:14 AM   #14
Registered Member
 
Join Date: Mar 2011
Posts: 72
OS: Ubuntu 12.4


Thanks a lot.... That's great!!... I will clean the flash drives and post the log....

1. Should I run the flash-drive-cleaning tool on things like the iPhone etc?

2. The mcafee is going to run out soon, and the avast was downloaded in error. I was intending to download Avira.
The plan is to keep Avira and uninstall these two.... Is that acceptable? Is Avira good enough? Is one antivirus good enough? Does Avira have a firewall and is that adequate? Do I need another firewall?.... Thanks .... Glad to know your views....

3. Is there any way to prevent such infestations in the future...?

4. (this is a general question) sometimes an antivirus brings up a file which it asks to move to quarantine/chest etc..... That's the recommended action.... Once that's done.... Do such files not need to be deleted??

Thanks for your patience... Sorry to be so inquisitive.., just trying to gain as much as I can from this experience...

Manpreet
__________________
VincentP is offline  
Old 07-16-2011, 07:53 AM   #15
Security Team
Analyst
 
Join Date: Apr 2007
Location: Montreal, QC. Canada
Posts: 2,655
OS: Windows 2000 Pro. - Vista SP 2, W7



Should I run the flash-drive-cleaning tool on things like the iPhone etc?
As I said in my remarks it may work. Try it.

===

I do not see any Firewall with Avira. Check their site.

I would go with one company that has both virus and firewall protection. If something goes wrong you have only one service to deal with.

===


Quote:
(this is a general question) sometimes an antivirus brings up a file which it asks to move to quarantine/chest etc..... That's the recommended action.... Once that's done.... Do such files not need to be deleted??
Yes, quarantine the file. If by any chance it's a false positive then you can restore the file from the Quarantine folder using the program.

If all is well in a week or two then you can flush/delete the files in the quarantine folder.
===

This is the closing statement we use.

Is there any way to prevent such infestations in the future...?

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Windows End of Support Information - Windows Help & How-to

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

++++

When all is well remove ComboFix. Do not do it just now.


Time for some housekeeping
  • The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following bold text into the Run box and click OK:

    ComboFix /Uninstall
__________________
nasdaq is offline  
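The MVPS HOSTS step above works by mapping known ad and malware hostnames to 127.0.0.1 so the connection never leaves the machine. The same file is also a favourite target in the other direction: malware rewrites HOSTS so that update and antivirus sites resolve somewhere else, which is worth checking on a machine that has been through what this one has. As an added example (not the MVPS file, the `mvps.bat` installer, or anything from the thread), the Python below parses a HOSTS file, reports any protected domain that points at a non-loopback address, and merges extra block entries without duplicating ones already present. The protected-domain list and the sample file are constructed; `203.0.113.7` is a documentation address standing in for a hijack.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed list of update/security domains (vendors named in this thread)
# that must only ever resolve normally, never through a HOSTS override.
PROTECTED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "mcafee.com",
    "avast.com",
    "avira.com",
)
# Addresses that mean "block this name" rather than "send it somewhere".
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content for the offline demo.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 ad.example.net   # MVPS-style block entry
203.0.113.7 update.mcafee.com   # constructed hijack (TEST-NET-3 address)
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every mapping line, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def check_hosts(text: str) -> List[str]:
    """Flag malformed addresses and protected domains redirected to a real address."""
    findings: List[str] = []
    for addr, names in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"malformed address {addr!r} for {', '.join(names)}")
            continue
        if addr in SINKHOLE_ADDRESSES:
            continue  # a block entry, which is what the MVPS file installs
        for name in names:
            if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
                findings.append(f"{name} is redirected to {addr}: update/security site hijacked")
    return findings


def merge_blocklist(text: str, domains: Iterable[str], sink: str = "127.0.0.1") -> str:
    """Append block entries for domains not already mapped; existing lines are left untouched."""
    mapped = {h for _, names in parse_hosts(text) for h in names}
    lines = text.rstrip("\n").splitlines()
    added = [f"{sink} {d.lower()}" for d in domains if d.lower() not in mapped]
    return "\n".join(lines + added) + "\n"


if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS):
        print("!!", finding)
    print(merge_blocklist(SAMPLE_HOSTS, ["ad.example.net", "tracker.example.org"]))
```

On Windows the file to feed `check_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`; the MVPS batch file on the page keeps the old copy as `HOSTS.MVP`, and `merge_blocklist` follows the same idea of never discarding lines it did not add.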
Old 07-27-2011, 08:24 AM   #16
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,754
OS: XP Win7 Ubuntu 10.10



Since this issue appears resolved, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

Surf Safely, and Think Prevention!

__________________

amateur is offline  
Copyright 2001 - 2014, Tech Support Forum