TechSpot

Various random problems

By quickener
Jun 12, 2010
  1. I have Windows XP with McAfee and received a warning that a trojan had been detected and taken care of. However, since then, programs will only open for a split second and then close down, IE will randomly open, I lose my sound driver, ... So I know something else is wrong. I ran HijackThis and have attached the log file, hoping to get some help.

    Thank you in advance.

    I apologize and didn't attach the requested files from the 8-STEPS. I will do so and attach them.
     


  2. Broni

    Broni Malware Annihilator Posts: 52,911   +344

  3. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Attached is the Malware file:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4190

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/12/2010 10:40:12 PM
    mbam-log-2010-06-12 (22-40-12).txt

    Scan type: Quick scan
    Objects scanned: 117997
    Time elapsed: 6 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Attached is the GMER file (it is too long to post)

    Here is the DDS file:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Racheal Lee at 7:59:23.87 on Sun 06/13/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2333 [GMT -5:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Documents and Settings\Racheal Lee\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    mURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Conime] %windir%\system32\conime.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: intuit.com\ttlc
    DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://connect.arinc.com/dana-cached/setup/JuniperSetupSP1.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-6 64288]
    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\ekdiscovery.exe [2010-2-11 300400]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352320]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-9-19 93320]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-19 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-19 144704]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-19 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-19 35272]
    S2 0033391270009914mcinstcleanup;McAfee Application Installer Cleanup (0033391270009914);c:\windows\temp\003339~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\003339~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-19 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-19 40552]
    S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-19 606736]

    =============== Created Last 30 ================

    2010-06-12 00:17:57 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-06-12 00:08:54 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
    2010-06-09 07:03:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-06-07 22:41:13 0 d-----w- c:\docume~1\rachea~1\applic~1\Malwarebytes
    2010-06-07 22:41:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-07 22:41:03 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-06-07 22:41:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-06-07 22:41:00 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-06-01 11:07:01 9243 ----a-w- C:\Spellbook.xls
    2010-06-01 11:07:00 19620 ----a-w- C:\Inventory.xls

    ==================== Find3M ====================

    2010-06-12 00:10:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-06-12 00:10:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-10-07 01:37:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009091420090921\index.dat
    2009-10-07 01:37:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009100620091007\index.dat

    ============= FINISH: 8:00:58.92 ===============
     

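The MBAM summary in post 3 and the DDS "Pseudo HJT Report" in post 4 are read by eye in this thread. The following Python script is an added example, not part of the thread and not code from the DDS or Malwarebytes tools: it parses lines copied from those two logs and sorts the HJT-style entries into triage buckets. The tags ("orphan", "hosts-override", "bare-exe", "activex-download") and their severities are my own heuristic labels, not anything the tools emit; the sample input is constructed from lines posted above.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the MBAM summary and the DDS
# "Pseudo HJT Report" posted in this thread (no new identifiers added).
SAMPLE_MBAM = """\
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
"""

SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
uRun: [swg] c:\\program files\\google\\googletoolbarnotifier\\GoogleToolbarNotifier.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Conime] %windir%\\system32\\conime.exe
DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - hxxp://download.gigabyte.com.tw/object/Dldrv.ocx
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# "<Category> Infected: <n>" summary lines; the later section headers of the
# same name carry no number and are skipped on purpose.
SUMMARY_RE = re.compile(r"^\s*([A-Za-z ]+ Infected):\s*(\d+)\s*$")
# DDS defangs URLs as hxxp:// ; capture just the host part.
URL_RE = re.compile(r"hxxps?://([^/\s]+)")


def parse_mbam_summary(text):
    """Return {category: count} from the MBAM summary block."""
    counts = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
    return counts


def _run_target(rest):
    """Strip the '[name]' prefix of a uRun/mRun entry and return the program path."""
    cmd = rest.split("]", 1)[1].strip() if "]" in rest else rest
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage_hjt(text):
    """Classify DDS 'Pseudo HJT Report' lines into (severity, tag, detail) findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        kind, sep, rest = line.partition(":")
        if not line or not sep:
            continue
        kind, rest = kind.strip(), rest.strip()
        if rest.endswith("No File"):
            # Registry still points at a DLL that no longer exists: a leftover
            # to clean up, not by itself evidence of a live infection.
            findings.append(("low", "orphan", line))
        elif kind == "Hosts":
            # Any hosts-file override deserves a look; 127.0.0.1 entries for
            # security sites are a common way malware blocks help and updates.
            findings.append(("medium", "hosts-override", line))
        elif kind in ("uRun", "mRun"):
            target = _run_target(rest)
            if target and "\\" not in target and "/" not in target:
                # Bare filename: resolved through the search path at logon,
                # so confirm which file on disk actually runs.
                findings.append(("low", "bare-exe", line))
        elif kind == "DPF":
            m = URL_RE.search(rest)
            if m:
                findings.append(("info", "activex-download", m.group(1)))
    return findings


def tag_counts(findings):
    """Count findings per tag, handy for a one-line overview of a long log."""
    return Counter(tag for _, tag, _ in findings)


if __name__ == "__main__":
    print("MBAM:", parse_mbam_summary(SAMPLE_MBAM))
    for severity, tag, detail in triage_hjt(SAMPLE_DDS):
        print(f"[{severity:6}] {tag:17} {detail}")
```

Run it on a full DDS log by passing the text of the "Pseudo HJT Report" section to `triage_hjt`; the "orphan" bucket is the usual cleanup list, while "hosts-override" and unfamiliar "activex-download" hosts are the lines to look at first.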

  5. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Here is the second DDS file (called "Attach")


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/18/2009 11:36:58 PM
    System Uptime: 6/13/2010 3:44:34 AM (5 hours ago)

    Motherboard: Gigabyte Technology Co., Ltd. | | 7VT600-P-RZ
    Processor: AMD Sempron(tm) 2500+ | Socket A | 1752/167mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 77 GiB total, 47.128 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP194: 3/15/2010 12:12:41 PM - System Checkpoint
    RP195: 3/16/2010 7:38:49 PM - System Checkpoint
    RP196: 3/18/2010 5:06:08 PM - Installed DirectX
    RP197: 3/19/2010 5:43:48 PM - System Checkpoint
    RP198: 3/20/2010 8:01:47 PM - System Checkpoint
    RP199: 3/21/2010 10:32:54 PM - System Checkpoint
    RP200: 3/22/2010 11:16:41 PM - System Checkpoint
    RP201: 3/24/2010 3:22:16 AM - System Checkpoint
    RP202: 3/25/2010 8:08:40 AM - System Checkpoint
    RP203: 3/26/2010 4:29:38 PM - System Checkpoint
    RP204: 3/27/2010 8:06:24 AM - Printer Driver CutePDF Writer Installed
    RP205: 3/28/2010 3:00:17 AM - Software Distribution Service 3.0
    RP206: 3/29/2010 3:00:15 AM - Software Distribution Service 3.0
    RP207: 3/30/2010 7:21:25 AM - System Checkpoint
    RP208: 3/31/2010 3:00:16 AM - Software Distribution Service 3.0
    RP209: 4/1/2010 8:16:25 AM - System Checkpoint
    RP210: 4/2/2010 8:21:54 AM - System Checkpoint
    RP211: 4/3/2010 8:30:56 AM - System Checkpoint
    RP212: 4/4/2010 1:23:25 PM - System Checkpoint
    RP213: 4/5/2010 3:16:52 PM - System Checkpoint
    RP214: 4/6/2010 4:50:08 PM - System Checkpoint
    RP215: 4/8/2010 1:57:16 AM - System Checkpoint
    RP216: 4/9/2010 8:21:40 AM - System Checkpoint
    RP217: 4/10/2010 8:43:23 AM - System Checkpoint
    RP218: 4/11/2010 9:29:31 AM - System Checkpoint
    RP219: 4/12/2010 10:29:31 AM - System Checkpoint
    RP220: 4/13/2010 10:50:22 AM - System Checkpoint
    RP221: 4/14/2010 11:20:43 AM - System Checkpoint
    RP222: 4/15/2010 3:00:15 AM - Software Distribution Service 3.0
    RP223: 4/16/2010 3:23:53 AM - System Checkpoint
    RP224: 4/17/2010 11:02:18 AM - System Checkpoint
    RP225: 4/18/2010 6:55:12 PM - System Checkpoint
    RP226: 4/19/2010 11:21:29 PM - System Checkpoint
    RP227: 4/21/2010 6:31:36 AM - System Checkpoint
    RP228: 4/22/2010 6:59:21 AM - System Checkpoint
    RP229: 4/23/2010 8:08:26 AM - System Checkpoint
    RP230: 4/24/2010 9:20:42 AM - System Checkpoint
    RP231: 4/25/2010 9:58:18 AM - System Checkpoint
    RP232: 4/26/2010 4:20:29 PM - System Checkpoint
    RP233: 4/28/2010 12:06:21 AM - System Checkpoint
    RP234: 4/29/2010 12:58:25 AM - System Checkpoint
    RP235: 4/30/2010 6:51:18 AM - System Checkpoint
    RP236: 5/1/2010 8:44:14 AM - System Checkpoint
    RP237: 5/2/2010 4:56:26 PM - System Checkpoint
    RP238: 5/3/2010 5:28:23 PM - System Checkpoint
    RP239: 5/4/2010 5:58:27 PM - System Checkpoint
    RP240: 5/5/2010 7:33:20 PM - System Checkpoint
    RP241: 5/7/2010 12:01:58 AM - System Checkpoint
    RP242: 5/8/2010 8:59:35 AM - System Checkpoint
    RP243: 5/9/2010 9:58:34 AM - System Checkpoint
    RP244: 5/10/2010 11:23:42 AM - System Checkpoint
    RP245: 5/11/2010 12:31:00 PM - System Checkpoint
    RP246: 5/12/2010 3:00:14 AM - Software Distribution Service 3.0
    RP247: 5/13/2010 3:11:03 AM - System Checkpoint
    RP248: 5/14/2010 4:11:04 AM - System Checkpoint
    RP249: 5/15/2010 8:32:56 AM - System Checkpoint
    RP250: 5/17/2010 8:26:48 AM - System Checkpoint
    RP251: 5/18/2010 9:50:37 AM - System Checkpoint
    RP252: 5/19/2010 10:11:03 AM - System Checkpoint
    RP253: 5/20/2010 10:11:12 AM - System Checkpoint
    RP254: 5/21/2010 3:21:34 PM - System Checkpoint
    RP255: 5/22/2010 4:11:15 PM - System Checkpoint
    RP256: 5/23/2010 6:20:51 PM - System Checkpoint
    RP257: 5/24/2010 6:22:13 PM - System Checkpoint
    RP258: 5/26/2010 3:00:15 AM - Software Distribution Service 3.0
    RP259: 5/27/2010 6:44:07 AM - System Checkpoint
    RP260: 5/28/2010 7:30:20 AM - System Checkpoint
    RP261: 5/29/2010 8:06:06 AM - System Checkpoint
    RP262: 5/30/2010 4:28:53 PM - System Checkpoint
    RP263: 6/1/2010 6:35:07 AM - System Checkpoint
    RP264: 6/2/2010 7:11:20 AM - System Checkpoint
    RP265: 6/3/2010 4:41:58 PM - System Checkpoint
    RP266: 6/5/2010 12:52:19 AM - System Checkpoint
    RP267: 6/6/2010 8:56:50 AM - System Checkpoint
    RP268: 6/8/2010 2:08:02 PM - System Checkpoint
    RP269: 6/9/2010 3:42:40 PM - System Checkpoint
    RP270: 6/10/2010 3:57:08 PM - System Checkpoint
    RP271: 6/11/2010 5:00:39 PM - System Checkpoint
    RP272: 6/12/2010 9:03:18 PM - Removed HiJackThis

    ==== Installed Programs ======================


    4 Elements
    Acrobat.com
    Ad-Aware
    Ad-Aware Email Scanner for Outlook
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.3.2
    aiofw
    aioprnt
    aioscnnr
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Bonjour
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center HydraVision Full
    Catalyst Control Center Localization All
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    CCleaner
    center
    Chuzzle Deluxe
    CutePDF Writer 2.6
    Disney Toontown Online
    EverQuest: The Anniversary Edition
    Google Toolbar for Internet Explorer
    Guild Wars
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    iSEEK AnswerWorks English Runtime
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 18
    JumpStart World Presents Pet Playground
    Juniper Networks Host Checker
    Juniper Terminal Services Client
    KODAK AiO Home Center
    ksDIP
    Legends of Norrath
    Magelo Sync (uninstall only)
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Office 2000 Professional
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    PreReq
    QuickTime
    Realtek AC'97 Audio
    Realtek High Definition Audio Driver
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Sid Meier's Civilization 4
    Skins
    Skype web features
    Skype™ 4.1
    Spybot - Search & Destroy
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wokiper
    TurboTax 2009 wrapper
    Ulead PhotoImpact 6
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VIA Rhine-Family Fast Ethernet Adapter
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Web Games Player Plugin
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    Wizard101

    ==== Event Viewer Messages From Past Week ========

    6/9/2010 9:04:21 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    6/9/2010 9:04:21 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    6/7/2010 6:44:12 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    6/7/2010 4:39:41 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    6/13/2010 3:44:03 AM, error: Service Control Manager [7024] - The Java Quick Starter service terminated with service-specific error 1 (0x1).
    6/12/2010 9:03:24 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    6/12/2010 7:18:54 AM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 3 time(s).
    6/12/2010 5:26:16 AM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 2 time(s).
    6/12/2010 5:19:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Installer service to connect.
    6/12/2010 5:19:48 AM, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/12/2010 5:19:47 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    6/12/2010 2:01:30 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 4 time(s).
    6/12/2010 10:08:21 PM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    6/12/2010 10:08:21 PM, error: Service Control Manager [7034] - The Kodak AiO Network Discovery Service service terminated unexpectedly. It has done this 1 time(s).
    6/12/2010 10:08:21 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    6/12/2010 10:08:21 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
    6/12/2010 10:08:21 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    6/12/2010 10:08:21 PM, error: Service Control Manager [7031] - The McAfee SystemGuards service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/12/2010 10:08:21 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/12/2010 10:08:21 PM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/12/2010 10:08:21 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/12/2010 10:08:21 PM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Run the configured recovery program.
    6/12/2010 10:08:21 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/12/2010 10:08:21 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    6/12/2010 10:08:21 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    6/12/2010 10:08:10 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    6/12/2010 1:15:46 AM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================
     
  6. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    When I said to follow ALL steps, I meant all steps. Your Java version is still outdated.

    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

    ========================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. quickener

    quickener TS Rookie Topic Starter Posts: 49

I am following the steps exactly but ran into a snag - I cannot access the Windows Update site. When I try to access it, it says "Internet Explorer cannot display the webpage". I reset the Tools -> Internet Options -> Security to default and still nothing. Any ideas as to what to do about this?
     
  8. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Don't worry about those for now. Follow steps from my previous reply.
     
  9. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Not sure what I'm doing wrong...
I first try to download ComboFix and at 99%, McAfee pops up and says it's detected and taken care of an Artemis Trojan. So, I disable as much of the McAfee settings as I can. Then I am able to download ComboFix. When I run it, it goes through everything normally it seems; it gets to the AutoScan where it is searching for infected files. After about 30 seconds to 1 minute, the computer restarts. At that point, I double click ComboFix again and it goes through the same steps and restarts at the same point. I looked but couldn't find any ComboFix log file.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Delete your Combofix file.
    Download fresh copy, but rename combofix.exe to broni.com BEFORE saving it to your desktop.
    Do not run it yet.


    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe


      * Double-click on the Rkill desktop icon to run the tool.
      * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
      * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
      * If not, delete the file, then download and use the one provided in Link 2.
      * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
      * Do not reboot until instructed.
      * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.


      * Please download exeHelper from Raktor to your desktop.
      * Double-click on exeHelper.com to run the fix.
      * A black window should pop up, press any key to close once the fix is completed.
      * A log file named log.txt will be created in the directory where you ran exeHelper.com
      * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now double click on broni.com to run Combofix.
     
  11. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Same issue is occurring - once ComboFix (renamed broni.com) is running and looking for infected files, it restarts the computer. Clicking on ComboFix again repeats the issue. I was able to get both Rkill.com and exeHelper to work (once I disabled antivirus). I have attached both log files.
     

    Attached Files:

  12. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Restart computer in safe mode and try all 3 steps (rKill, exehelper and broni.com) again.
     
  13. quickener

    quickener TS Rookie Topic Starter Posts: 49

    I ran rkill, exeHelper, then ComboFix - which I was finally able to do in Safe Mode. The log files are attached.

    Actually, I can't attach the files until the other thread is gone because it won't let me upload the log files since they are uploaded in the other thread.
     
  14. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    I just removed attachments from your other post.
    You may need to reload page before trying to attach them here.
     
  15. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Excellent. Here are the log files.
     

    Attached Files:

  16. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    I don't see much there.
    What are the current issues?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\Racheal Lee\Local Settings\Application Data\fnfhbwbxi
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  17. quickener

    quickener TS Rookie Topic Starter Posts: 49

    The issue I'm having is that IE will try to randomly open to ad sites - I close IE before the site loads.

    Attached is the ComboFix file. Again, I had to run in Safe Mode to get it to work. In normal mode, ComboFix will start then restart the computer before it really does much, as I described a bit in an earlier post.
     

    Attached Files:

  18. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
     
  19. quickener

    quickener TS Rookie Topic Starter Posts: 49

    It ran fine and attached is the log file. It seems it may have found something.
     

    Attached Files:

  20. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    How is redirection now?

    Please, re-run TDSSKiller and post new log.
     
  21. quickener

    quickener TS Rookie Topic Starter Posts: 49

    Things seem to be running better and haven't had any redirection as of yet. As I use it more tonight, I will definitely find out better whether the problems seem to be solved.

    New log is attached.
     

    Attached Files:

  22. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Very good :)

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ====================================================================

    Download OTL to your Desktop.

    * Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    * Under the Custom Scan box paste this in:



    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU



    * Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    * When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    * Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
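As an added example that is not part of the original thread and is not code from ComboFix, OTL or TDSSKiller, the following PowerShell script performs by hand three of the checks the replies above delegate to those tools (assumed: PowerShell 2.0 or later on the XP machine, run from an administrator account). It lists any Security Center `Monitoring\<product>\DisableMonitoring` values of the kind the CFScript in reply 16 deletes (the `"DisableMonitoring"=-` lines follow the .reg-file convention, where `=-` removes the value, so the Security Center resumes reporting on McAfee), dumps the `WindowsUpdate\AU` policy key that the OTL custom scan in reply 22 reads, and hashes `user32.dll` and `ws2_32.dll` as the two `/md5` lines ask. Comparing those hashes against the copies in `system32\dllcache` is this example's own assumption (XP's Windows File Protection keeps a backup copy there), not something OTL does; the function and property names are likewise this example's own.

```powershell
# Added example, not from the TechSpot thread or its tools. Assumes PowerShell 2.0+
# on Windows XP and an administrator account (HKLM and system32 are read-only here;
# nothing is modified).

function Get-SecurityCenterOverrides {
    # Each product registered with Security Center has a subkey under Monitoring.
    # A non-zero DisableMonitoring value stops Security Center from warning that the
    # product is off or out of date; the CFScript in reply 16 deletes these values.
    $base = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath -Name DisableMonitoring -ErrorAction SilentlyContinue
        if ($v -and $v.DisableMonitoring -ne 0) {
            New-Object PSObject -Property @{
                Product           = $_.PSChildName
                DisableMonitoring = $v.DisableMonitoring
            }
        }
    }
}

function Get-WindowsUpdatePolicy {
    # Same key the OTL custom scan lists. On a standalone home PC the key is normally
    # absent; WUServer/WUStatusServer redirect update traffic to a WSUS server and
    # NoAutoUpdate=1 turns Automatic Updates off, so any value here needs explaining.
    foreach ($key in @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
                       'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU')) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object {
                    New-Object PSObject -Property @{ Key = $key; Name = $_.Name; Value = $_.Value }
                }
        }
    }
}

function Get-FileMd5 {
    param([string]$Path)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ([System.BitConverter]::ToString($md5.ComputeHash($bytes))).Replace('-', '')
}

function Compare-SystemDll {
    # Hashes the two DLLs the OTL scan asks for with /md5 and, as this example's own
    # reference point, compares each with its dllcache backup. A mismatch is a lead,
    # not proof: verify the live hash against a known-good value for this XP build.
    param([string[]]$Names = @('user32.dll', 'ws2_32.dll'))
    $sys32 = Join-Path $env:SystemRoot 'system32'
    foreach ($n in $Names) {
        $live  = Join-Path $sys32 $n
        $cache = Join-Path $sys32 "dllcache\$n"
        $liveMd5  = if (Test-Path $live)  { Get-FileMd5 $live }  else { $null }
        $cacheMd5 = if (Test-Path $cache) { Get-FileMd5 $cache } else { $null }
        New-Object PSObject -Property @{
            File     = $n
            LiveMd5  = $liveMd5
            CacheMd5 = $cacheMd5
            Match    = ($liveMd5 -ne $null -and $liveMd5 -eq $cacheMd5)
        }
    }
}

'== Security Center monitoring overrides (expect none) =='
Get-SecurityCenterOverrides | Format-Table Product, DisableMonitoring -AutoSize
'== WindowsUpdate policy values (expect none on a home PC) =='
Get-WindowsUpdatePolicy | Format-Table Key, Name, Value -AutoSize
'== system32 DLL hashes vs dllcache =='
Compare-SystemDll | Format-Table File, Match, LiveMd5, CacheMd5 -AutoSize
```

Run it only after a rootkit scanner such as TDSSKiller has had its turn, as the thread does: a kernel-mode rootkit can hand a user-mode reader the clean bytes of a file it has patched, so a matching hash from inside an infected Windows proves less than the same hash taken from a boot CD or a second machine.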
  23. quickener

    quickener TS Rookie Topic Starter Posts: 49

    I did as you instructed and posted the two files you requested. The only concern I have is that when ComboFix was basically done installing, I noticed my McAfee popped up and warned about registry changes. The first change I allowed assuming it was for ComboFix and the second change I denied thinking it may not be for ComboFix - I quickly needed to disable the McAfee registry guard; I had everything else disabled and guess I forgot that part of McAfee. So I'm not sure if I messed up the registry.
     

    Attached Files:

  24. Broni

    Broni Malware Annihilator Posts: 52,911   +344

    Uninstalling?
     
  25. quickener

    quickener TS Rookie Topic Starter Posts: 49

    I apologize - I meant uninstalling.
     
Topic Status:
Not open for further replies.