BleepingComputer.com: win 32 malware gen threat & "blue screen of death"


win 32 malware gen threat & "blue screen of death" posting logs as requested for help with removal

#16 nasdaq (Malware Response Team)

Posted 17 December 2011 - 10:55 AM

Look for a good restore point just before you executed the Ultimate Defrag 2008.

#17 angicx (Member)

Posted 17 December 2011 - 10:52 PM

I tried 3 consecutive restore points going back from when I did the defrag. All of them failed after a long attempt to restore. The message I got just said something like, "This restore point wasn't able to restore. No changes were made to your computer".

I also ran ESET again and it found something once again, then the system froze before I could save the log, but it was something about a full dvd converter file. The other one was a dvd ripper, wasn't it? It was in temp internet files so I made sure I cleared all of those out even after ESET may or may not have been able to delete whatever it found. All of the temp files deleted except for one and it was a dvd converter url. I couldn't get rid of that one, it's locked in I guess.

Any other suggestions?

Thanks,
Angi C

#18 nasdaq (Malware Response Team)

Posted 18 December 2011 - 09:40 AM

Quote

All of the temp files deleted except for one and it was a dvd converter url. I couldn't get rid of that one, it's locked in I guess.


Look at the properties of the folder. Remove all the attributes. Can you now delete it?


Removing this folder c:\windows\CSC\d6 was a false positive.
It must be restored.


Please update the ComboFix tool. Just run the tool and you should be prompted to update.
This new version will no longer target that folder.
Close the ComboFix.

Open notepad and copy/paste the text in the quote box below into it:

DEQUARANTINE::
C:\Qoobox\Quarantine\C\windows\CSC\


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what problem persists.

#19 angicx (Member)

Posted 21 December 2011 - 11:08 PM

I attempted the update to combofix when prompted and looked away for a moment, then when I looked back at the screen, there was nothing happening. It wasn't running. I wasn't sure what had happened but there was no log on the desktop so I tried to run it again. It got as far as the window where things were "extracting", then firefox and it closed down. I then tried creating the notebook file and dragging onto combo fix as you requested above, and the same thing happened again. My virus program was disabled.

Also, you asked "Look at the properties of the folder. Remove all the attributes. Can you now delete it?".

Nope. Under properties, it only had a general tab with:

file name - http://www.full-dvd-rippURL /
size - 1002 bytes
cache name - 2SDR52GP/
expires - none
last modified - 8/19/2011
last accessed - 11/27/2011


No attributes to check or uncheck, only "ok" and "cancel" at the bottom.


EDIT:
Pretty sure this log popped up after I wrote the above about the seeming problems with CF.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Angi at 11:47:33 on 2011-12-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.55 [GMT -6:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Antivirus *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\3DO\update_check.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
uRun: [<NO NAME>]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Upgrade_Client] c:\program files\3do\update_check.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IMJPMIG8.1] c:\windows\ime\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
dRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
dRun: [LClock] c:\program files\lclock\LClock.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: ForceActiveDesktopOn = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{75A2B0D9-5143-4D47-B030-29E6EC025DDF} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\angi\application data\mozilla\firefox\profiles\esatl8mj.default\
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-28 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-19 320856]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-7-18 123264]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-19 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-19 44768]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys --> c:\windows\system32\drivers\MpFilter.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-13 136176]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-9-16 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-13 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-19 22216]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2010-3-25 120232]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 XDva390;XDva390;\??\c:\windows\system32\xdva390.sys --> c:\windows\system32\XDva390.sys [?]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-19 366152]
.
=============== Created Last 30 ================
.
2011-11-20 05:11:25 -------- d-----w- c:\documents and settings\angi\application data\SUPERAntiSpyware.com
2011-11-20 05:10:11 -------- d-----w- c:\documents and settings\all users.windows\application data\!SASCORE
2011-11-20 05:10:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-19 18:42:57 -------- d-----w- c:\documents and settings\angi\application data\Malwarebytes
2011-11-19 18:42:46 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2011-11-19 18:42:40 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-19 18:42:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-18 00:18:07 -------- d-----w- c:\program files\ESET
2011-11-13 11:55:47 -------- d-sh--w- c:\documents and settings\angi\PrivacIE
.
==================== Find3M ====================
.
2011-11-05 02:15:58 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 17:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 17:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 17:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
.
============= FINISH: 11:49:52.90 ===============

This post has been edited by angicx: 21 December 2011 - 11:24 PM
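The SERVICES / DRIVERS section of the DDS log above is the part to read first when a thread turns to unknown drivers: each line carries a state letter and start-type digit, the service and display name, the image path, and in brackets the file's date and size, or `[?]` when DDS could not read the file at the path the registry names (as with MpFilter and XDva390 here). The parser below is an added example, not part of this thread or of the DDS tool, that pulls those entries out of a log and lists the unverified ones; the meaning of R/S and of the start-type digits is assumed from the Windows service start-type scheme, and the sample log is constructed from lines in the post above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines copied from the SERVICES / DRIVERS
# section of the DDS log posted above, wrapped in the surrounding section headers.
SAMPLE_LOG = r"""============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-2-28 442200]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-19 44768]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\mpfilter.sys --> c:\windows\system32\drivers\MpFilter.sys [?]
S3 XDva390;XDva390;\??\c:\windows\system32\xdva390.sys --> c:\windows\system32\XDva390.sys [?]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-19 366152]
.
=============== Created Last 30 ================
"""

# Assumed DDS conventions (same scheme as the Windows service start type):
# leading letter R = running, S = stopped; the digit is the start type.
STATE = {"R": "running", "S": "stopped"}
START_TYPE = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# <state><digit> <name>;<display name>;<image path>[ --> <expected path>] [<date size> | ?]
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")


@dataclass
class ServiceEntry:
    state: str
    start_type: str
    name: str
    display_name: str
    image_path: str
    expected_path: Optional[str]  # set when DDS printed "path --> path"
    file_info: str                # "<date> <size>", or "?" when unreadable

    @property
    def file_unverified(self) -> bool:
        # "[?]" means DDS could not stat the file at the registered path.
        return self.file_info.strip() == "?"


def parse_services(log_text: str) -> List[ServiceEntry]:
    """Extract service/driver entries from the SERVICES / DRIVERS section only."""
    entries: List[ServiceEntry] = []
    in_section = False
    for line in log_text.splitlines():
        if line.startswith("====="):
            in_section = "SERVICES / DRIVERS" in line
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        state, start, name, display, path_part, info = m.groups()
        image, _, expected = path_part.partition(" --> ")
        entries.append(ServiceEntry(STATE[state], START_TYPE.get(start, start),
                                    name, display, image, expected or None, info))
    return entries


def unverified_entries(log_text: str) -> List[ServiceEntry]:
    """Entries worth a second look: registered, but the file could not be read."""
    return [e for e in parse_services(log_text) if e.file_unverified]
```

An entry flagged this way is not proof of anything on its own; for MpFilter it is a leftover registration from an uninstalled Microsoft product, while XDva390 is the one a helper would ask about.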


#20 nasdaq (Malware Response Team)

Posted 22 December 2011 - 02:31 PM

Quote

Also, you asked "Look at the properties of the folder. Remove all the attributes. Can you now delete it?".

Nope. Under properties, it only had a general tab with:

file name - http://www.full-dvd-rippURL /
size - 1002 bytes
cache name - 2SDR52GP/
expires - none
last modified - 8/19/2011
last accessed - 11/27/2011


Leave this folder alone. It must be needed by a tool you use. Not familiar with this.
===

Change my previous ComboFix script for this one. I do not think that a backslash is required at the end.

DEQUARANTINE::
C:\Qoobox\Quarantine\C\windows\CSC


Run ComboFix with this script as previously requested.

#21 angicx (Member)

Posted 23 December 2011 - 09:30 PM

Whelp I've tried more than once to run CF as instructed and it shuts down the internet, then after the deletions and extractions the window just disappears. No log, no anything.

#22 nasdaq (Malware Response Team)

Posted 24 December 2011 - 09:29 AM

I apologize for this but I gave you again some bad instructions.
I have been fighting a bad cold and have had problems concentrating for the last few days. I do not want to keep you alone.

This is the folder that was deleted in post No. 7
c:\windows\CSC\d6
To restore it the script must be this.

DEQUARANTINE::
C:\Qoobox\Quarantine\C\windows\CSC\d6


Remove the current script.txt files presently on your desktop and create another one with the above script.
Refer to post 18 and proceed with the instructions with the text in bold above.

Keep me posted.

#23 angicx (Member)

Posted 24 December 2011 - 01:23 PM

No, that's quite alright, I appreciate you trying to help while not feeling well!

I'm sorry this has been so much trouble, but it looks as if it continues.

I ran CF with the new script as instructed in post #18. It did as before. It ran for about a minute and then the window closed. No resultant log. :( Maybe the folder was restored successfully, but I don't know.

This post has been edited by angicx: 24 December 2011 - 05:04 PM


#24 angicx (Member)

Posted 24 December 2011 - 05:02 PM

I brought my laptop with me somewhere and it has frozen up en route. I hit the power button to reboot and now it is stuck on the beginning reboot screen where it only has the Acer logo and "press <F2> to enter setup" at the bottom of the screen, along with a progress load bar at the bottom right. It's stuck about 3/4 of the way through. If I power off and back on, it has the same exact screen as when I powered off. Is there any way to reset this? Do you think waiting for it to charge down and power off automatically will work?
Thanks. (please note that the previous post to this one is a new reply also.)

EDIT: Disregard this; it booted up once the battery ran down and I plugged it back up. All the other issues remain, however.

This post has been edited by angicx: 24 December 2011 - 06:54 PM


#25 nasdaq (Malware Response Team)

Posted 25 December 2011 - 09:28 AM

Let's check if the operating files are of the correct version.

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

#26 angicx (Member)

Posted 29 December 2011 - 01:33 PM

It said that some Windows files have been replaced with unrecognized versions. I don't have my Windows disc. Is that the only way to move forward with dealing with this computer's problems?

Thanks, Angi c

#27 nasdaq (Malware Response Team)

Posted 29 December 2011 - 04:08 PM

I suspected something like this.

You can probably find a CD for your Microsoft Windows XP Professional version.

What is the manufacturer's name of this computer?
The model will also help.

#28 angicx (Member)

Posted 29 December 2011 - 06:42 PM

It's an Acer Aspire 3690-2050.... I think. I bought it second hand from a friend though. If there's nothing else that can be done at this time (without a disc), then I will see if the friend still has the one that came with the laptop before I got it. Thanks so much for trying to help.

#29 nasdaq (Malware Response Team)

Posted 30 December 2011 - 10:49 AM

Quote

It's an Acer Aspire 3690-2050.... I think. I bought it second hand from a friend though. If there's nothing else that can be done at this time


That would be great if your friend still had the original disk.

If you can, contact Acer support at: http://support.acer.com/us/en/default.aspx
Find out how much they would charge for a replacement disk.

The programs and drivers for this type of computer are very specific to the model, so there is not much we can do to replace the non version reported by scandisk.

#30 angicx (Member)

Posted 02 January 2012 - 02:31 AM

Ok, I'll see what I can find out and get back with you if I can get a disc. Thanks so much for all your help and time. :)
