[Harvey25]

Hello,

I have some kind of virus or malware I believe. I can not open programs such as McAfee or Malware Bytes Anti-Malware. In addition, IE does not always open for me. Sometimes I will hear audio from random advertisements when nothing is opened.

This occured not too long after a windows update which included a newer version of IE. I'm not sure if this has anything to do with the problem.

I went through the instructions and tried downlading and opening GMER from both sources however was unable to open the program and run it. Please adivse. The other logs are below.

Thank you in advance for your help.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Alex at 16:28:33.85 on Tue 12/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.244 [GMT -5:00]

AV: AntiMalware *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alex\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alex\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alex\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240627940718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-30 93320]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-30 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-30 144704]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-30 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-25 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-25 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-25 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-25 40552]

=============== Created Last 30 ================

2009-12-08 04:42:45 196 ----a-w- c:\windows\system32\srcr.dat
2009-12-06 16:39:43 0 d-sh--w- c:\documents and settings\alex\IECompatCache
2009-12-06 04:54:34 0 d-sh--w- c:\documents and settings\alex\PrivacIE
2009-12-06 04:01:57 0 d-sh--w- c:\documents and settings\alex\IETldCache
2009-12-06 03:46:57 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-12-06 03:46:29 0 d-----w- c:\windows\ie8updates
2009-12-06 03:46:06 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-12-06 03:46:00 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-06 03:43:44 0 dc-h--w- c:\windows\ie8
2009-12-05 16:29:08 0 d-----w- C:\2cd0c1aff166c6ca6ee0e37645
2009-12-05 14:52:50 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2009-12-05 03:56:43 0 d-----w- c:\windows\system32\XPSViewer
2009-12-05 03:55:19 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-05 03:55:19 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-05 03:55:19 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-05 03:55:19 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-05 03:55:19 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-05 03:55:18 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-05 03:55:18 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-05 03:55:18 0 d-----w- C:\fa8677daeb93a79178c05a
2009-12-03 03:28:27 0 d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-03 03:26:13 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-12-02 22:03:09 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-02 22:02:42 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2009-12-02 21:35:18 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-02 21:01:33 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 21:01:33 215920 ----a-w- c:\windows\system32\muweb.dll
2009-12-02 21:01:33 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-12-02 21:01:31 0 d-----w- c:\windows\system32\SoftwareDistribution

==================== Find3M ====================

2009-12-03 21:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-06 20:36:16 23120 ----a-w- c:\windows\fonts\boston.ttf
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-05-21 23:01:41 1603760 ----a-w- c:\program files\Paint.NET.3.36.zip
2009-08-29 18:41:07 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-08-29 18:41:07 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-08-29 18:41:07 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 16:29:44.18 ===============

 

[Harvey25]

Bump...
Thanks in advance for your help.

Also, Windows says I have updates I need to install and then to reboot. I'm not sure if these are legit notifications so I have been closing out of them.

 

[Ried]

Hello Harvey,

Let's hold off on the updates until we see what's going on here. Delete your existing gmer.exe and download it again from here.

Try again to run the scan as outlined in our pre-posting topic:

• An initial scan will automatically begin.
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

In the right panel, you will see several boxes that have been checked. Uncheck the following ...

• Sections
• IAT/EAT
• Drives/Partition other than Systemdrive (typically C:\)
• Show All (don't miss this one)

• Then click the Scan button & wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries


Please attach the ark.txt in your next reply

 

[Harvey25]

That link worked however when I ran it, it froze up. I tried closing it through the control panel but that didnt work so I sut down and am rebooting that computer. I will try again. Thanks for your help.

 

[Harvey25]

Like I said, I had to shut down and now I can not get it to start back up...

 

[Ried]

Please describe in detail what happens when you try to start the system. Also, have you tried to boot into Safe Mode, or Last known good configuration?

 

[Harvey25]

I'm able to boot up and log on fine now. Im not sure what the deal was before. I tried to run the program several more times. Every time however it seemed to stall before completion. If I hit anything it would freeze up. Unless some items take a long time to scan and the entire process takes over an hour I think something is not working right. Thanks.

 

[Harvey25]

After running the scan many times, I finally got it to complete a full scan in safe mode. Results are attached. Things seem worse now. It took me forever and lots of restarting to be able to get on the internet to post this. Hopefully the scan found the source of the problems. Thanks.

 

[Ried]

Based on the trouble you've been having getting gmer to run through the full scan, this is not going to be easy. All I can say is keep trying to get gmer to do the full scan - if you cannot, then the alternatives are:

- Obtain an XP install disc so we can load the Windows Recovery Console and work in that area where the OS is not loaded

- Reformat and reinstall the OS.



You'll need to run gmer's full scan. After the initial scan, it might help to uncheck these before clicking 'Scan'. (it's a bit different than the pre-posting instructions)

• Devices
• Sections
• IAT/EAT
• Drives/Partition other than Systemdrive (typically C:\)
• Show All (don't miss this one)

Then click the Scan button & wait for it to finish. Do not close gmer!

Look for this line (it should be in red) and click it once to highlight it.

Click the Disable service button

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRTtufyxewlgi.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

Next, look for the following file. Single click click the Kill button. (do not click Delete)

File C:\WINDOWS\system32\drivers\H8SRTtufyxewlgi.sys 39936 bytes executable <-- ROOTKIT !!!

Reboot and run Malwareybytes Anti Malware. (it should run now)

Once the program has loaded, select Perform Full scan, then click Scan.

• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Save it to your desktop.

Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Please run a new scan with dds.scr and post the dds.txt as well.

 

[Harvey25]

I posted a full GMER scan as an attachment in my previous post. Do I still need to follow those steps from your last post?

 

[Ried]

Yes, you need to run gmer again - full scan. Read the above directions again carefully.

I'm giving you instructions on how to fix this using the gmer tool. In order to fix the exact entries I showed you above, you have to have gmer showing them-they cannot be fixed via a script for gmer.