
Generic Downloader.af


36 replies to this topic

#1 Speedy_Turtle

Posted 10 March 2008 - 08:23 PM

Statistics:
HP Pavilion a375c; 3.00 GHz Intel Pentium 4 with HT; 2.75 GB RAM currently installed. Microsoft Windows XP Home 2002, SP2. Automatically updated.

Microsoft Internet Explorer Version 6.0.2900.2180.xpsp_sp2_gdr.070227-2254, SP2. (IE7 not used, due to incompatibility with an application on intranet for work.) Temporary Internet Files folder emptied when browser is closed. Cookies deleted frequently. History kept for 1 day.

Home networked with spouse’s computer, using a NETGEAR wired router. NAT and SPI are enabled.

DSL connection at 1MBps, with a local ISP.

McAfee 3-User Internet Security Suite (10-in-1), with SiteAdvisor. This is the current version. All protections (except Data Backup) enabled, including real-time scanning. Firewall security setting had recently been changed from tight to standard, as there was trouble accessing certain things. Smart recommendations and startup protection enabled. Also automatically updated.

Other anti-malware installed: Windows Defender, automatically updated; SpywareBlaster, Spybot Search & Destroy, and Ad-Aware SE Personal (now Ad-Aware 2007) – all three updated 2-3 times weekly, and full scans run frequently.

Infection History:
The evening of 01 Feb 2008, McAfee’s real-time scanning engine automatically repaired (removed) two files, SiteAdvisor and ActiveSync, although NO alerts were seen. VirusScan DATs had been updated that day.

The morning of 02 Feb 2008, when beginning a Google search, a McAfee alert popped up. The alert said Generic Downloader.af (Trojan), located in SiteAdvisor! Disconnected immediately from the Internet, but it was already too late. (That computer has not yet been reconnected to the Internet.)

Spybot Search & Destroy began popping up warnings, one after the other, of startup options trying to be changed. They included the keyboard, multimedia card reader, Windows Defender, and Recguard. On HP computers, Recguard prevents the deletion or corruption of the WinXP Recovery Partition. These changes were all denied, and msconfig was checked to make sure that the denials had taken, and nothing else had been changed. The computer was then rebooted.

Ran a full manual scan, and McAfee quarantined the following files for the named services:
- Issch.exe, Isuspm.exe, and Ssbkgupdate.exe (all for InstallShield Update Service)
- Kbd.exe, Msascui.exe (Windows Defender), and a registry key (all for Keyboard)
- Shwicon2k.exe, Recguard.exe (Recguard), and two registry keys (all for Multimedia card reader)
- Hpsysdrv.exe (HP Application Recovery)

Plus, the ones from 01 Feb 2008:
- Siteadv.exe, and a registry key (SiteAdvisor)
- Wcescomm.exe (ActiveSync)

Began researching this infection. Downloaded HijackThis (with another computer) and ran a preliminary scan. Some of the entries concerned me, so McAfee was disabled; then several free products were downloaded, manually updated, and run. They included: CCleaner, ATF Cleaner, CWShredder, AVG Anti-Virus, AVG Anti-Spyware, AVG Anti-Rootkit, SuperAntiSpyware, and TrojanHunter. Manual updates have been maintained. Microsoft updates have been done manually, as well.

Windows Defender was uninstalled through Add or Remove Programs, as was Ad-Aware SE Personal. Fresh downloads were installed, with Windows Defender being manually updated.

The following infections were located, although some of them didn’t show up until after several manual updates.

TrojanHunter found:
- TrojanClicker.BHO.124 (2 registry entries) [registry key removed]
- Bandito.121 (in PAFInsight.exe, at 4 locations – 3 users and 1 backup) [quarantined]
- Popuper.101 (in nwsndmsg.exe – on an external drive, in a backup of spouse’s old computer) [quarantined]
- TrojanDownloader.Zlob.566 (in setup.exe for MSBN – Home Networking Setup) [quarantined]
- Agent.2088 (in AutoTbar.exe and autotkit.exe, 4 locations total, including as startup entries) [quarantined]
- KillFiles.169 (in rcviewer.8.7.SP2.exe – LANDesk Remote Control Viewer) [quarantined]

As TrojanDownloader.Zlob.566 is from the SmitFraud family, SmitFraud Fix was downloaded and run in Safe Mode.

Spybot Search & Destroy found:
- DeepDive [removed]

Windows Defender found:
- SoftwareBundler:Win32/MessengerPlus.A (on an external drive – used to help someone move files between computers) [quarantined, then deleted]

SuperAntiSpyware found:
- several tracking cookies (on an external drive, in backup of spouse’s old computer) [quarantined, then deleted]

AVG Anti-Spyware found:
- tracking cookie (on an external drive, in backup of spouse’s old computer) [quarantined, then deleted]
- Adware.Minibug (in System Restore, although Weatherbug has never been used – discovered later that it was installed through RealPlayer) [System Restore was turned off; the infection was quarantined, then deleted; system was rescanned with all products (several in Safe Mode), computer was rebooted, then System Restore was turned back on.]

AVG Anti-Virus found:
- Trojan horse Downloader.Generic6.AIGT (in shimgvw.dll [Windows Picture and Fax Viewer], and in matrix.dll [WinBudget]) [both quarantined, then WinBudget deleted]
Note: had read something that mentioned WinBudget, so searched for it on the computer – it wasn’t there! – this was several days before it was found, and AVG lists it as a backup file. Where, and in what configuration was it hiding? Deleting it wasn’t easy. It had been read-only, and protected itself against changes.

Since the time of the first alert, the expected symptoms of infection haven’t appeared, probably because the computer hasn’t been on the Internet since then.

Perhaps it should be mentioned that I had backed up my entire registry on 01 Feb 2008, at 9:54p.m. Had thought about editing it for a certain program, and then changed my mind. It was forgotten about for quite a while, but is now safely put away in a .zip format. McAfee quarantined the first file at 10:33p.m. that evening. But, SiteAdvisor was the first file alerted on; and even with correct settings, it had not been showing ratings lately; so, had McAfee Virtual Technician check it out on 31 Jan 2008. It said the program needed an update, which it performed.

Concern #1 – McAfee DAT files have been updated for the Generic Downloader.af detection since the time of the quarantines. However, those updates can’t be done manually. Tech support agrees that the registry keys wouldn’t be properly taken care of until the automatic updates are applied.

Concern #2 – The HijackThis log still shows items that worry me.

Concern #3 – The TrojanHunter log shows many files with double extensions, most of which are fine. The others, I’m not so sure about.

There is unwillingness on my part to allow that computer onto the Internet until it is as clean as possible. However, I welcome and will follow your counsel.

The most current HijackThis and TrojanHunter (with names of persons removed) logs, follow:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:36 PM, on 03/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll (disabled by BHODemon)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.familysearch.org
O15 - Trusted Zone: *.familysearchindexing.org
O15 - Trusted Zone: *.lds.org
O15 - Trusted Zone: *.ldscatalog.com
O15 - Trusted Zone: *.ldsces.org
O15 - Trusted Zone: *.ldschurch.org
O15 - Trusted Zone: *.mormon.org
O15 - Trusted Zone: *.lds.netdimensions.com
O15 - Trusted Zone: *.providentliving.org
O15 - Trusted Zone: *.securecontactondemand.com
O15 - Trusted Zone: *.upshot.com
O15 - Trusted Zone: *.upshotonline.com
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} -
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} -
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} -
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} (Microsoft Genuine Advantage Self Support Tool) - http://go.microsoft.com/fwlink/?LinkId=82580
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188102998703
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1188102989953
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtech.com/download/files/w...tall/isetup.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/i...ViewerSetup.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} -
O16 - DPF: {C9712B19-838B-45A5-ABF2-9A315DDDED50} -
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CAFEEFAC-0014-0001-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.5.0_01) -
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} (Java Plug-in 1.5.0_04) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.5.0_07) -
O16 - DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} (Java Plug-in 1.5.0_08) -
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://xlonhcld.xlontech.net/100348/qmpbet...2ie05111501.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} -
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://h30155.www3.hp.com/helpandsupport/SysQuery.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

--
End of file - 14589 bytes

TrojanHunter Scan Report - Saved 2008-03-09 16:39

Warning: Unable to unpack UPX-packed file C:\cmdcons\usbuhci.sy_/usbuhci.sys
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\(removed) User\Desktop\My Download Files\Adobe\AdbeRdr60_enu_full.exe
Warning: Executable file with double extensions found: C:\Documents and Settings\Owner\Desktop\Data Recovery\ADRC Data Recovery Tools\ADRC_Data_Recovery_Tools_v1.0 2.exe
Warning: Executable file with double extensions found: C:\Documents and Settings\Owner\Desktop\My Documents - Work\(removed)\Desktop\Instant Messaging\trillian-v0.74h.exe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Desktop\My Documents - Work\(removed)\Desktop\(removed)\AdbeRdr60_enu_full.exe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Desktop\My Documents - Work\Old D\Downloads\AdbeRdr707_en_US.exe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Desktop\My Download Files\Adobe\AdbeRdr60_enu_full.exe
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Desktop\My Download Files\MY DOWNLOAD on (removed) Computer (removed)\Adobe\AdbeRdr60_enu_full.exe
Warning: Executable file with double extensions found: C:\Documents and Settings\Owner\Desktop\My Download Files\Nero\NMP-1.4.0.35b.exe
Warning: Executable file with double extensions found: C:\Documents and Settings\Owner\Desktop\My Download Files\OpenOffice.org\OpenOffice.org 2.0 Installation Files\openofficeorg4.cab/vclcanvas.uno.dll
Warning: Executable file with double extensions found: C:\Documents and Settings\Owner\Desktop\My Download Files\OpenOffice.org\OpenOffice.org 2.2 Installation Files\openofficeorg4.cab/vclcanvas.uno.dll
Warning: Executable file with double extensions found: C:\Documents and Settings\Owner\Desktop\My Download Files\OpenOffice.org\OpenOffice.org 2.2 Installation Files\openofficeorg4.cab/updchk.uno.dll
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\Local Settings\Application Data\Citrix\GoToAssist\GoToAssist_phone_application_482_en.exe
Error: Directory not found: C:\Documents and Settings\Owner\My Documents\Genealogy for Others\For (removed)\??????? ?????? ?????? ?????? ????????? ????_files
Error: Directory not found: C:\Documents and Settings\Owner\My Documents\Genealogy for Others\For (removed)\??????? ?????? ?????? ?????? ????????? ????_files
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Owner\My Documents\(removed) Admin's Documents\Desktop\My Download Files\Adobe\AdbeRdr60_enu_full.exe
Warning: Unable to unpack UPX-packed file C:\I386\USBUHCI.SY_/usbuhci.sys
Warning: Executable file with double extensions found: C:\Program Files\CMS Peripherals\BounceBack Express\resources.DEU.dll
Warning: Executable file with double extensions found: C:\Program Files\CMS Peripherals\BounceBack Express\resources.ENG.dll
Warning: Executable file with double extensions found: C:\Program Files\CMS Peripherals\BounceBack Express\resources.FRC.dll
Warning: Executable file with double extensions found: C:\Program Files\CMS Peripherals\BounceBack Express\resources.ITN.dll
Warning: Executable file with double extensions found: C:\Program Files\CMS Peripherals\BounceBack Express\resources.NTL.dll
Warning: Executable file with double extensions found: C:\Program Files\CMS Peripherals\BounceBack Express\resources.SPN.dll
Warning: Executable file with double extensions found: C:\Program Files\Common Files\Logitech\QCDRV\winnew\elch\lvWIAext.dll.tmp
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Net.dll
Warning: Executable file with double extensions found: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.ServiceModel.Web.dll
Warning: Unable to unpack UPX-packed file C:\WINDOWS\$NtServicePackUninstall$\usbuhci.sys
Warning: Unable to unpack UPX-packed file C:\WINDOWS\$NtUninstallKB822603$\usbuhci.sys
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\LEAD.Drawing.Imaging.Ocr\13.0.0.35__9cf889f53ea9b907\LEAD.Drawing.Imaging.Ocr.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\Microsoft.Ink.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.IO.Log\3.0.0.0__b03f5f7f11d50a3a\System.IO.Log.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Net\3.5.0.0__b03f5f7f11d50a3a\System.Net.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.ServiceModel.Web\3.5.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_6d92ddb7\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_b1e88a78\System.Xml.dll
Warning: Unable to unpack UPX-packed file C:\WINDOWS\I386\USBUHCI.SY_/usbuhci.sys
Warning: Executable file with double extensions found: C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}\_SHCT_Sprint.exe.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\Microsoft.Transactions.Bridge.Dtc.dll
Warning: Unable to unpack UPX-packed file D:\cmdcons\usbuhci.sy_/usbuhci.sys
Warning: Unable to unpack UPX-packed file D:\MiniNT\system32\drivers\usbuhci.sys
Warning: Unable to unpack UPX-packed file D:\I386\SYSTEM32\drivers\usbuhci.sys
Warning: Unable to unpack UPX-packed file D:\I386\USBUHCI.SY_/usbuhci.sys

The files containing the ???’s are OK. The file names are written in Russian.

Thank you for any help that you can render.
Peace and joy live in our home,
for love there abides.
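The two log concerns in the post above (HijackThis entries that still point at files McAfee already quarantined, and TrojanHunter's "double extensions" warnings, most of which are ordinary dotted .NET names) can be triaged mechanically. The Python below is an added example for this page, not code from the thread, from HijackThis or from TrojanHunter. The sample lines are copied from the logs above; the set of extensions treated as executable and the classification labels are the example's own choices.

```python
"""Triage helpers for HijackThis and TrojanHunter logs (added example, not
part of the thread and not a HijackThis/TrojanHunter feature).

HijackThis: O2/O3/O9 entries ending in "(no file)" and O20 entries marked
"(file missing)" are leftovers after a quarantine; O16 (ActiveX) entries
with no download source and O15 Trusted Zone entries deserve a look but
are often benign (locally installed Java plug-ins also show no source).

TrojanHunter: a dotted name such as System.Xml.dll is normal .NET naming,
while foo.exe.exe or foo.dll.tmp stacks an executable extension under
another one and should be examined by hand.
"""
import re

# Extensions Windows executes or loads directly (example's own list); any of
# these appearing *inside* a name, before the final extension, is the stacked case.
EXEC_EXT = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "sys", "ocx", "cpl"}

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
TH_LINE = re.compile(r"^Warning: Executable file with double extensions found: (?P<path>.+)$")


def parse_hjt(text):
    """Yield (section, body) for every HijackThis finding line (R0, O2, O16, ...)."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage_hjt(text):
    """Return [(section, reason, body)] for HijackThis entries worth a second look."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append((sec, "orphaned entry, target file missing", body))
        elif sec == "O20" and "(file missing)" in body:
            findings.append((sec, "Winlogon Notify DLL missing", body))
        elif sec == "O16" and body.rstrip().endswith(" -"):
            findings.append((sec, "ActiveX control with no download source", body))
        elif sec == "O15":
            findings.append((sec, "domain in IE Trusted Zone", body))
    return findings


def classify_double_extension(path):
    """Classify one path from a TrojanHunter double-extension warning.

    'stacked-executable': an executable extension sits under another one
                          (_SHCT_Sprint.exe.exe, lvWIAext.dll.tmp)
    'dotted-name':        only the last segment is an extension (System.Xml.dll)
    'single-extension':   not a double extension at all
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) < 3:
        return "single-extension"
    inner = parts[1:-1]  # every "extension" except the real, final one
    if any(p in EXEC_EXT for p in inner):
        return "stacked-executable"
    return "dotted-name"


def triage_trojanhunter(text):
    """Return [(classification, path)] for each double-extension warning."""
    out = []
    for line in text.splitlines():
        m = TH_LINE.match(line.strip())
        if m:
            out.append((classify_double_extension(m.group("path")), m.group("path")))
    return out


# Sample input: lines copied from the HijackThis and TrojanHunter logs in the post.
SAMPLE_HJT = r"""
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O15 - Trusted Zone: *.upshot.com
O16 - DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} -
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll (file missing)
"""

SAMPLE_TH = r"""
Warning: Executable file with double extensions found: C:\WINDOWS\Installer\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}\_SHCT_Sprint.exe.exe
Warning: Executable file with double extensions found: C:\Program Files\Common Files\Logitech\QCDRV\winnew\elch\lvWIAext.dll.tmp
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Executable file with double extensions found: C:\Program Files\CMS Peripherals\BounceBack Express\resources.DEU.dll
Warning: Unable to unpack UPX-packed file C:\I386\USBUHCI.SY_/usbuhci.sys
"""

if __name__ == "__main__":
    for sec, reason, body in triage_hjt(SAMPLE_HJT):
        print(f"{sec:4} {reason:42} {body}")
    for kind, path in triage_trojanhunter(SAMPLE_TH):
        print(f"{kind:20} {path}")
```

Run against the full logs, this leaves two stacked-extension paths (the Sprint installer shortcut and the Logitech .dll.tmp) for manual inspection and confirms the .NET assembly names are ordinary; the "(no file)" BHO and toolbar entries and the missing DPWLEvHd.dll notify entry are the items a helper would normally have HijackThis fix.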

#2 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  •  
  • Local time:05:25 PM

Posted 18 March 2008 - 01:51 PM

Speedy Turtle

Sorry for the delay.

Please download ComboFix and save it to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#3 Speedy_Turtle

Speedy_Turtle
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 18 March 2008 - 11:13 PM

Bamajim, thank you for your assistance.

Ran into a little problem.

Installed ComboFix, having first disabled all anti-virus, anti-spyware, and the firewall. The Recovery Console was installed shortly after purchasing the computer.

ComboFix did the following:

- Backed up 11 registry files

- Changed the clock

- Deleted 4 files
1. C:\Program files\outlook\extend.dat
2. C:\setup.exe
3. D:\Autorun.inf
4. C:\Program Files\outlook

- Completed 43 stages

- Made a statement about itself at the root of the drive

- Rebooted the computer

- Started again, with window stating, "Preparing Log Report. Do not run any programs until ComboFix has finished."

All of the above were expected.

While the log report was still being prepared:

- Other windows appeared:
1. Windows Defender - Application failed to initialize: 0x800106ba...
2. SuperAntiSpyware - splash screen flashed by
3. McAfee Personal Firewall - Balloon at the notification area, "Your computer might be at risk..."
4. Spybot Search & Destroy - Browser search page registry value changed...
5. AVG Anti-Spyware 7.5 error - Connection to service failed. Please reinstall...

- Let these windows sit on the desktop, and Combofix continued to run

- Another window appeared: Windows - No Disk; Exception Processing Message c0000013 Parameters 75b6bf9c 4 75b6bf9c 75b6bf9c (choices offered - Cancel, Try Again, and Continue)

- At this point ComboFix stalled

What is your counsel, please?

#4 bamajim


Posted 19 March 2008 - 07:13 AM

Speedy_Turtle

First, let's see if Combofix produced a log file. It will be located at C:\Combofix.txt (right-click Start -> Explore -> and using the tree of folders on your left, locate the file). If it did produce a log, post the results of that log.

If it did not produce a log then Reboot into Safe Mode and Rerun Combofix. Then post the results.

#5 Speedy_Turtle


Posted 19 March 2008 - 09:34 AM

Bamajim, thank you for your reply.

As the Internet is being accessed via a different computer, the screens are still sitting exactly as described previously. Before checking for a ComboFix log, which selection should be made on the "Windows - No Disk" dialog box? Cancel, Try Again, or Continue? This seems rather an important selection to me, so I hesitate to choose one of them without guidance.

#6 bamajim


Posted 19 March 2008 - 09:42 AM

Speedy_Turtle

Does this message occur all of the time or just when you are trying to run Combofix?

If it occurs all of the time, or on boot up, the correct selection would be "Cancel".

#7 Speedy_Turtle


Posted 19 March 2008 - 09:50 AM

Bamajim, thank you for your speedy reply.

This is the first time that message has ever been seen, on any computer I've ever worked with.

#8 bamajim


Posted 19 March 2008 - 09:55 AM

Speedy_Turtle

You are most welcome. It could be a Shell error, but we need to get the PC clean first. Continue with the instructions regarding the Combofix.txt file, and with rerunning Combofix in Safe Mode as indicated in my previous post.

#9 Speedy_Turtle


Posted 19 March 2008 - 10:13 AM

Bamajim, it's nice doing this in real time.

There is a Combofix.txt file located at C:\ComboFix\. The system allows the copying of the file, but not the pasting of it. Besides the "Windows - No Disk" dialog box staying on top of all other windows, a new dialog box has appeared. "Object Packager. Access to the specified device, path, or file is denied (choice offered is OK)."

#10 bamajim


Posted 19 March 2008 - 10:19 AM

Speedy_Turtle

Hmmmm.

Do you have any USB devices plugged into the PC? If so, unplug them, reboot, and see if the message goes away.

#11 Speedy_Turtle


Posted 19 March 2008 - 10:27 AM

Bamajim,

At the moment, there are only 2 USB devices plugged into that computer. The wireless receiver for the mouse and keyboard, and the UPS that the computer is plugged into. Both of those are obviously needed.

What would you like me to do next?

#12 bamajim


Posted 19 March 2008 - 10:32 AM

> Bamajim,
>
> At the moment, there are only 2 USB devices plugged into that computer. The wireless receiver for the mouse and keyboard, and the UPS that the computer is plugged into. Both of those are obviously needed.
>
> What would you like me to do next?

UPS? What is that?

#13 Speedy_Turtle


Posted 19 March 2008 - 10:35 AM

Bamajim,

Sorry. I should have been more specific. UPS is the unlimited power supply.

#14 bamajim


Posted 19 March 2008 - 10:41 AM

Speedy_Turtle

Those USB devices could cause the error.

Boot into Safe Mode with networking and see if you are able to Rerun Combofix, and copy and paste the C:\Combofix.txt log.

#15 Speedy_Turtle


Posted 19 March 2008 - 11:46 AM

Bamajim,

In trying to close out all the windows before rebooting, some strange things happened.

Done so far:

- Object Packager, clicked OK

- Windows Defender, clicked OK

- Word, tried to close the blank Document 1 (had earlier tried to see if pasting the ComboFix log would work in there) - dialog box appeared with "Word is waiting for another application to complete an OLE action (choices offered - Switch to, Retry, Cancel)." Clicked Cancel; at this point, the Windows Task Manager popped up, and was X'd out of. The Word dialog box will not go away.

- Spybot Search and Destroy, clicked Allow Change, but did not check Remember this decision. The old browser search page had been shown as hxxp://www.microsoft.com/isapi/redir... and the new one was hxxp://go.microsoft.com/fwlink/?Link... I figured that ComboFix was changing it to the currently approved start page.

- Several other Spybot dialog boxes then appeared, in order:
1. Default_Page_URL value; same addresses, made same choice
2. Default_Search_URL value; same addresses, made same choice
3. Search Assistant value; from about:blank to hxxp://ie.search.msn.com...; chose Deny change and Remember this decision - We prefer to start with a blank Internet Explorer page.
4. Customize Search value; same as #3 above
5. SRC Extension handler value changed; Old data: NOTEPAD.EXE %1 New data: "%1" /S. This message is a concern, so I have not done anything to that dialog box. What should I choose? My inclination is to deny the change.

By the way, was ComboFix responsible for these anti-malware programs starting again after the reboot? Not only had they been temporarily disabled through their icons in the notification tray, but had used Task Manager to make sure they were all stopped, then disabled them in Services, for good measure. Did not expect them to restart.

Edited by Speedy_Turtle, 19 March 2008 - 11:49 AM.

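The last Spybot alert in the post above is a change to a file-type shell handler: the "open" command for screen-saver files moving from NOTEPAD.EXE %1 to "%1" /S. On Windows XP, "%1" /S is the stock default for HKEY_CLASSES_ROOT\scrfile\shell\open\command, so a value pointing at Notepad is the unusual one. As an added example (my own code, not anything posted in the thread or shipped with ComboFix or Spybot), the script below parses a reg-export-style dump of a few common handler keys and reports any whose default value does not match the XP default. The registry text is constructed by hand to mirror the alert in the post; the expected-value table holds only keys whose XP defaults are well known.

```python
"""Audit file-type shell handlers from a `reg export`-style dump.

Added example, not part of the forum thread. The sample registry text is
constructed to mirror the Spybot alert in the thread (scrfile open command
pointing at NOTEPAD.EXE); EXPECTED_DEFAULTS lists the Windows XP defaults.
"""
import re

# Windows XP default shell\open\command values for common ProgIDs.
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\scrfile\shell\open\command": '"%1" /S',
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
    r"HKEY_CLASSES_ROOT\txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
}

# Constructed sample in the escaping style of `reg export` (backslashes and
# double quotes inside a string value are backslash-escaped).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''


def _unescape(value):
    """Undo the backslash escaping reg export applies to \" and \\ in strings."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_reg_export(text):
    """Return {key_path: default_value} for every [key] that has an @= string."""
    handlers = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            continue
        value_match = re.fullmatch(r'@="(.*)"', line)
        if value_match and current:
            handlers[current] = _unescape(value_match.group(1))
    return handlers


def audit_handlers(text, expected=EXPECTED_DEFAULTS):
    """Return (key, found_value, expected_value) for each handler that deviates.

    A key absent from the dump is reported with found_value None so that a
    deleted handler is not silently treated as clean.
    """
    found = parse_reg_export(text)
    findings = []
    for key, default in expected.items():
        value = found.get(key)
        if value != default:
            findings.append((key, value, default))
    return findings


if __name__ == "__main__":
    for key, value, default in audit_handlers(SAMPLE_REG_EXPORT):
        print(f"{key}\n  found:    {value!r}\n  expected: {default!r}")
```

To run it against a live machine, export the keys with `reg export HKCR\scrfile scrfile.reg` (and likewise for the others) and feed the file contents to `audit_handlers`. A deviation is a prompt to look, not proof of infection: some installers legitimately rewrite these handlers, so compare against what the installed software should have set before reverting anything.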
