
Multiple Trojans, PC resets when full-scan anti-virus or anti-malware is run


  • This topic is locked
90 replies to this topic

#1 AdamLinn13

AdamLinn13

  • Members
  • 50 posts
  • OFFLINE
  • Local time:04:40 PM

Posted 16 January 2009 - 10:52 PM

Running Windows XP, Home Edition, Version 2002, Service Pack 3, MSI Motherboard, 512MB Ram, Pentium 4 - 2.4GHz CPU.
I used to have Spybot, but after some point whenever I tried to run it the computer would reset. Now, I've gotten a few messages from Windows Defender that there is a trojan on the computer. I can run a quick scan and remove what shows up, but when I try to run a full scan, the computer resets. When I try to scan the computer with McAfee anti-virus, I can run a quick scan with no problems, but when I try to run a full scan, the computer resets. I know there is at least 1 trojan/virus, but any program I try to run to get rid of the problem makes the computer reset. The latest software I installed is a-squared, and I can do a quick scan and find/fix a few problems, but when I do a full scan (in safe mode as administrator) a message pops up saying that the computer is going to shut down, NT AUTHORITY/SYSTEM.

Please help before I tear out what's left of my hair.

Pasted and attached.
DDS.txt
============

DDS (Ver_09-01-07.01) - NTFSx86 NETWORK
Run by Administrator at 22:34:33.51 on Fri 01/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.175 [GMT -5:00]


============== Running Processes ===============

C:\WINXP\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINXP\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINXP\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINXP\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Documents and Settings\Administrator.LWO-K2SMEWQE1YI.001\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWindow Title = Windows Internet Explorer provided by Comcast
mWinlogon: Userinit=c:\winxp\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CMVideoPlugin Class: {08dea348-f510-45fd-a6ec-cf3be0917c5e} - c:\winxp\system32\CMVideo.dll
BHO: : {1cb20bf0-bbae-40a7-93f4-6435ff3d0411} - c:\progra~1\crawler\toolbar\ctbr.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Crawler Toolbar: {4b3803ea-5230-4dc3-a7fc-33638f3d3542} - c:\progra~1\crawler\toolbar\ctbr.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\winxp\system32\ctfmon.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winxp\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winxp\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Framework Windows] frmwrk32.exe
mRun: [Rrokuwip] rundll32.exe "c:\winxp\Gxizahopira.dll",e
mRun: [Ngewok] rundll32.exe "c:\winxp\exufijocifalut.dll",e
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\crawler\toolbar\ctbr.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winxp\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.001\applic~1\mozilla\firefox\profiles\je8oz486.default\
FF - component: c:\program files\crawler\toolbar\firefox\components\xcomm.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xshared.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xsupport.dll
FF - component: c:\program files\crawler\toolbar\firefox\components\xwsg.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\np-mswmp.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\np_gp.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\np32dsw.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npdeploytk.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npdivx32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npLegitCheckPlugin.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\progra~1\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npnul32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPOFF12.DLL
FF - plugin: c:\progra~1\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\NPSWF32.dll
FF - plugin: c:\progra~1\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: XUL Cache: {BB7AD1CF-D3DB-4529-8354-6FA9F688D5DC} - c:\winxp\system32\config\systemprofile\local settings\application data\{bb7ad1cf-d3db-4529-8354-6fa9f688d5dc}\
FF - HiddenExtension: XUL Cache: {E8D7ABCC-44E6-468C-BDCD-73452A41484E} - c:\documents and settings\laura.lwo-k2smewqe1yi\local settings\application data\{E8D7ABCC-44E6-468C-BDCD-73452A41484E}
FF - HiddenExtension: XUL Cache: {B46930CC-A267-49F3-901E-C28226862E7A} - c:\documents and settings\adam.lwo-k2smewqe1yi\local settings\application data\{b46930cc-a267-49f3-901e-c28226862e7a}\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");

============= SERVICES / DRIVERS ===============

R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 mfehidk;McAfee Inc. mfehidk;c:\winxp\system32\drivers\mfehidk.sys [2009-1-6 201320]
S3 mcsysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-6 695624]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\winxp\system32\drivers\mfeavfk.sys [2009-1-6 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\winxp\system32\drivers\mfebopk.sys [2009-1-6 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\winxp\system32\drivers\mferkdk.sys [2009-1-6 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\winxp\system32\drivers\mfesmfk.sys [2009-1-6 40488]
S3 p17filt;p17filt;c:\winxp\system32\drivers\p17filt.sys [2006-3-20 1452032]
S4 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2009-1-16 419448]
S4 ccsetmgr;ccsetmgr; [x]
S4 mcproxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-6 359248]
S4 mcshield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-1-6 144704]

=============== Created Last 30 ================

2009-01-16 22:18 664 a------- c:\winxp\system32\d3d9caps.dat
2009-01-16 20:46 <DIR> --d----- c:\documents and settings\Administrator.LWO-K2SMEWQE1YI.001
2009-01-16 20:26 <DIR> --d----- c:\program files\a-squared Free
2009-01-16 20:20 <DIR> --d----- c:\program files\Trend Micro
2009-01-16 20:20 120 a------- c:\winxp\CIS_Setup_3.5.57173.439_XP_Vista_x32.INI
2009-01-16 20:16 <DIR> --d----- C:\Software
2009-01-16 07:02 125,440 a------- c:\winxp\system32\ntdll64.exe
2009-01-16 06:55 133,120 a------- c:\winxp\exufijocifalut.dll
2009-01-16 06:42 41,984 a------- c:\winxp\system32\chert5-998.exe
2009-01-13 11:28 <DIR> --d----- C:\b71c6535e5745faeb93274b60c5c4da7
2009-01-12 19:45 122,368 a------- C:\updateMe.exe
2009-01-12 12:44 491 a------- c:\winxp\system32\win32hlp.cnf
2009-01-12 12:43 4,785 a------- c:\winxp\system32\warning.gif
2009-01-12 12:43 1,347 a------- c:\winxp\system32\ahtn.htm
2009-01-12 12:43 1 a------- c:\winxp\system32\uniq.tll
2009-01-12 12:43 1 a------- c:\winxp\system32\test.ttt
2009-01-12 12:43 31,232 a------- c:\winxp\system32\frmwrk32.exe
2009-01-12 12:43 31,232 a------- c:\winxp\system32\pcload.exe
2009-01-10 22:32 <DIR> --d----- c:\program files\CMVideoPlugin
2009-01-09 22:12 <DIR> --d----- c:\program files\FinalUninstaller
2009-01-09 21:11 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\Innovative Solutions
2009-01-09 21:10 <DIR> --d----- c:\program files\Innovative Solutions
2009-01-08 21:26 102,164,108 a------- C:\backup-1-8-09.reg
2009-01-08 11:57 151,552 a------- c:\winxp\system32\CMVideo.dll
2009-01-06 19:27 9,609 a------- c:\winxp\system32\Config.MPF
2009-01-06 19:24 143,360 a------- c:\winxp\system32\dunzip32.dll
2009-01-06 19:14 33,832 a------- c:\winxp\system32\drivers\mferkdk.sys
2009-01-06 19:14 40,488 a------- c:\winxp\system32\drivers\mfesmfk.sys
2009-01-06 19:14 35,240 a------- c:\winxp\system32\drivers\mfebopk.sys
2009-01-06 19:14 201,320 a------- c:\winxp\system32\drivers\mfehidk.sys
2009-01-06 19:14 79,304 a------- c:\winxp\system32\drivers\mfeavfk.sys
2009-01-06 19:14 113,952 a------- c:\winxp\system32\drivers\Mpfp.sys
2009-01-06 19:12 <DIR> --d----- c:\program files\McAfee.com
2009-01-06 19:11 <DIR> --d----- c:\program files\common files\McAfee
2009-01-06 19:11 <DIR> --d----- c:\program files\McAfee
2009-01-04 21:17 441 a------- c:\winxp\system32\TDSSblat.dat
2009-01-04 20:17 14,019,205 a------- c:\winxp\avc-free.exe
2009-01-02 11:35 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-01-02 11:35 <DIR> --d----- c:\docume~1\alluse~2.win\applic~1\Symantec
2009-01-01 15:51 <DIR> --d----- c:\program files\Any Video Converter
2009-01-01 14:59 <DIR> --d----- c:\program files\SlySoft
2008-12-30 18:54 12,398,524 a------- C:\smartftp.reg
2008-12-27 23:15 <DIR> --d----- c:\program files\Xilisoft
2008-12-27 23:09 16,512 a------- c:\winxp\system32\drivers\ASPI32.SYS
2008-12-18 07:39 410,984 a------- c:\winxp\system32\deploytk.dll

==================== Find3M ====================

2009-01-08 12:58 9,216 ac-sh--- c:\program files\Thumbs.db
2009-01-04 21:16 264,704 a------- C:\ivalj.exe
2009-01-04 21:16 122,368 a------- C:\vneb.exe
2008-12-11 05:57 333,952 a------- c:\winxp\system32\drivers\srv.sys
2008-12-11 01:27 45,056 a------- c:\winxp\system32\wnaspi32.dll
2008-12-03 19:52 38,496 a------- c:\winxp\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 a------- c:\winxp\system32\drivers\mbam.sys
2008-10-23 07:36 286,720 a------- c:\winxp\system32\gdi32.dll
2005-10-28 11:54 33 a------- c:\program files\Adobe Photoshop Cs2 Serial.txt
2005-03-21 16:41 12,793 a----r-- c:\program files\How To Install.html
2005-02-25 17:37 157,035 a----r-- c:\program files\LegalNotices.pdf
2005-02-24 19:30 13,842 a----r-- c:\program files\Activation Read Me.html
2005-02-23 14:24 2,773 a----r-- c:\program files\Read Me First.html
2005-02-22 16:32 2,723,276 a----r-- c:\program files\Photoshop New Features.pdf
2005-02-22 16:31 142,049 a----r-- c:\program files\Photoshop At A Glance.pdf
2005-02-04 14:01 625 a----r-- c:\program files\Setup.exe.manifest
2004-08-11 00:09 126,976 a----r-- c:\program files\epic_eula.dll
2004-07-03 06:44 4,996 a------- c:\program files\versions.dat
2004-06-24 16:10 12,164 a------- c:\program files\plugins.htm
2004-06-16 23:36 49 a----r-- c:\program files\AUTORUN.INF
2003-07-11 08:41 177 a------- c:\program files\Read First.txt
2003-04-21 04:39 245,408 a----r-- c:\program files\unicows.dll
2001-12-30 16:32 1,961,994 a------- c:\program files\XP_up_Platinum.exe
2001-12-30 16:31 5,884,318 a------- c:\program files\Ecdc502c_up.exe
2001-05-15 10:39 760,175 a------- c:\program files\ecdc5_01s.exe
2001-05-03 07:45 5,420,855 a------- c:\program files\ecdc_v501_up.exe
2001-03-25 15:59 190,176 a----r-- c:\program files\Easy Cd 5 Keygen.exe

============= FINISH: 22:34:54.96 ===============

HijackThis log
===========
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:25 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Safe mode with network support

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINXP\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINXP\system32\ctfmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINXP\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CMVideoPlugin - {08DEA348-F510-45FD-A6EC-CF3BE0917C5E} - C:\WINXP\system32\CMVideo.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [Rrokuwip] rundll32.exe "C:\WINXP\Gxizahopira.dll",e
O4 - HKLM\..\Run: [Ngewok] rundll32.exe "C:\WINXP\exufijocifalut.dll",e
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170470688780
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINXP\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINXP\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINXP\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Lexmark International, Inc. - (no file)
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (mcnasvc) - Unknown owner - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (file missing)
O23 - Service: McAfee Scanner (mcods) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (mcproxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (mcshield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (mcsysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (mpfservice) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe

--
End of file - 7832 bytes


Thank you for ANY help with this.
Adam

#2 kahdah (Security Colleague)

Posted 17 January 2009 - 09:09 AM

Hello AdamLinn13

Welcome to Bleeping Computer.
=====================

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R3 - Default URLSearchHook is missing
O2 - BHO: CMVideoPlugin - {08DEA348-F510-45FD-A6EC-CF3BE0917C5E} - C:\WINXP\system32\CMVideo.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [Rrokuwip] rundll32.exe "C:\WINXP\Gxizahopira.dll",e
O4 - HKLM\..\Run: [Ngewok] rundll32.exe "C:\WINXP\exufijocifalut.dll",e
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll



Now click on Fix Checked and then close Hijackthis.
====================================================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue; click Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 AdamLinn13 (Topic Starter)

Posted 17 January 2009 - 11:47 PM

ComboFix gets to the part where it creates a restore point and then the computer resets itself.

#4 kahdah (Security Colleague)

Posted 18 January 2009 - 08:55 AM

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\program files\Easy Cd 5 Keygen.exe
    c:\program files\Adobe Photoshop Cs2 Serial.txt
    C:\ivalj.exe
    C:\vneb.exe 
    c:\program files\CMVideoPlugin
    c:\winxp\system32\win32hlp.cnf
    c:\winxp\system32\warning.gif
    c:\winxp\system32\ahtn.htm
    c:\winxp\system32\uniq.tll
    c:\winxp\system32\test.ttt
    c:\winxp\system32\frmwrk32.exe
    c:\winxp\system32\pcload.exe
    c:\winxp\system32\ntdll64.exe
    c:\winxp\exufijocifalut.dll
    c:\winxp\system32\chert5-998.exe
    c:\progra~1\crawler
    c:\winxp\system32\TDSSblat.dat
    c:\winxp\system32\tdssadw.dll 
    c:\winxp\system32\tdssinit.dll 
    c:\winxp\system32\tdssl.dll 
    c:\winxp\system32\tdsslog.dll
    c:\winxp\system32\tdssmain.dll 
    c:\winxp\system32\tdssservers.dat
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Delete your version of Combofix then redownload it from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
==============
Then boot into Safe Mode with Networking:
*Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode with Networking then hit enter.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue; click Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt and the OTMoveIt log in your next reply, as well as a new DDS log.

#5 AdamLinn13 (Topic Starter)

Posted 18 January 2009 - 10:24 AM

========== FILES ==========
c:\program files\Easy Cd 5 Keygen.exe moved successfully.
c:\program files\Adobe Photoshop Cs2 Serial.txt moved successfully.
C:\ivalj.exe moved successfully.
C:\vneb.exe moved successfully.
c:\program files\CMVideoPlugin moved successfully.
c:\winxp\system32\win32hlp.cnf moved successfully.
c:\winxp\system32\warning.gif moved successfully.
c:\winxp\system32\ahtn.htm moved successfully.
c:\winxp\system32\uniq.tll moved successfully.
c:\winxp\system32\test.ttt moved successfully.
c:\winxp\system32\frmwrk32.exe moved successfully.
c:\winxp\system32\pcload.exe moved successfully.
c:\winxp\system32\ntdll64.exe moved successfully.
c:\winxp\exufijocifalut.dll NOT unregistered.
c:\winxp\exufijocifalut.dll moved successfully.
c:\winxp\system32\chert5-998.exe moved successfully.
c:\progra~1\Crawler\Toolbar\WSGData\domains moved successfully.
c:\progra~1\Crawler\Toolbar\WSGData moved successfully.
c:\progra~1\Crawler\Toolbar\Update moved successfully.
c:\progra~1\Crawler\Toolbar\TBR5LanguageAct moved successfully.
c:\progra~1\Crawler\Toolbar\STWSGLanguageAct moved successfully.
c:\progra~1\Crawler\Toolbar\Languages moved successfully.
c:\progra~1\Crawler\Toolbar\firefox\components moved successfully.
c:\progra~1\Crawler\Toolbar\firefox\chrome moved successfully.
c:\progra~1\Crawler\Toolbar\firefox moved successfully.
c:\progra~1\Crawler\Toolbar moved successfully.
c:\progra~1\Crawler\Download moved successfully.
c:\progra~1\Crawler moved successfully.
c:\winxp\system32\TDSSblat.dat moved successfully.
File/Folder c:\winxp\system32\tdssadw.dll not found.
File/Folder c:\winxp\system32\tdssinit.dll not found.
File/Folder c:\winxp\system32\tdssl.dll not found.
File/Folder c:\winxp\system32\tdsslog.dll not found.
File/Folder c:\winxp\system32\tdssmain.dll not found.
File/Folder c:\winxp\system32\tdssservers.dat not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ADAM~1.LWO\LOCALS~1\Temp\etilqs_318Rowzefvaf5LK2hIYm scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINXP\temp\mcmsc_fvuXNtGCRkRqgm4 scheduled to be deleted on reboot.
File delete failed. C:\WINXP\temp\mcmsc_JlHI24d2xILoBOD scheduled to be deleted on reboot.
File delete failed. C:\WINXP\temp\mcmsc_V3KdLIMPWE1cy3G scheduled to be deleted on reboot.
File delete failed. C:\WINXP\temp\mcmsc_YB1Nw1uOjTvcCaq scheduled to be deleted on reboot.
File delete failed. C:\WINXP\temp\Perflib_Perfdata_530.dat scheduled to be deleted on reboot.
File delete failed. C:\WINXP\temp\WFV2.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01182009_101258

Files moved on Reboot...
File C:\DOCUME~1\ADAM~1.LWO\LOCALS~1\Temp\etilqs_318Rowzefvaf5LK2hIYm not found!
File C:\WINXP\temp\mcmsc_fvuXNtGCRkRqgm4 not found!
File C:\WINXP\temp\mcmsc_JlHI24d2xILoBOD not found!
File C:\WINXP\temp\mcmsc_V3KdLIMPWE1cy3G not found!
File C:\WINXP\temp\mcmsc_YB1Nw1uOjTvcCaq not found!
File C:\WINXP\temp\Perflib_Perfdata_530.dat not found!
File C:\WINXP\temp\WFV2.tmp not found!
C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Application Data\Mozilla\Firefox\Profiles\geybxp1a.default\XUL.mfl moved successfully.

I will post this and try to run ComboFix again, just in case it resets again.

Thank you for all your help

Adam

#6 AdamLinn13 (Topic Starter)

Posted 18 January 2009 - 01:39 PM

Computer keeps resetting after the point of ComboFix creating a restore point.

#7 kahdah (Security Colleague)

Posted 18 January 2009 - 05:36 PM

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#8 AdamLinn13 (Topic Starter)

Posted 18 January 2009 - 08:35 PM

IT WORKED!!!! A FULL SCAN WORKED!!!!

GMER.txt is pasted below.

Thank you,
Adam

------------------------------------------------------------------------------------


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-18 20:31:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code 82EA0908 ZwEnumerateKey
Code 82F88498 ZwFlushInstructionCache
Code F82BC54C pIofCallDriver

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 82EA090C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 82F8849C

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINXP\Explorer.EXE[328] @ C:\WINXP\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\senekamjpklteu.sys (*** hidden *** ) F82BA000-F82D3000 (102400 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINXP\system32\drivers\senekamjpklteu.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!
Service system32\drivers\TDSSrfdc.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings@ProxyEnable 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekamjpklteu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekaujwmrqlx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamjpklteu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekavxumbavb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dat \systemroot\system32\senekauypixdkb.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSkfkl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSblat.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurkv.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSottp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxnyq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSxnpb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSqshc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSshbe.log
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSqogd.log
Reg HKLM\SYSTEM\ControlSet004\Services\seneka
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@imagepath \systemroot\system32\drivers\senekamjpklteu.sys
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dll \systemroot\system32\senekaujwmrqlx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamjpklteu.sys
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@senekawi.dll \systemroot\system32\senekavxumbavb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\seneka\modules@seneka.dat \systemroot\system32\senekauypixdkb.dat
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSserv \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSkfkl.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSblat.dat
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssmain \systemroot\system32\TDSSurkv.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsslog \systemroot\system32\TDSSottp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssadw \systemroot\system32\TDSSxnyq.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssinit \systemroot\system32\TDSSxnpb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsspanels \systemroot\system32\TDSSqshc.dll
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@tdsserrors \systemroot\system32\TDSSshbe.log
Reg HKLM\SYSTEM\ControlSet004\Services\TDSSserv.sys\modules@TDSSproc \systemroot\system32\TDSSqogd.log
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs G
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.14 ----

#9 kahdah (Security Colleague)

Posted 18 January 2009 - 09:13 PM

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
seneka
TDSSserv.sys

Files to delete:
C:\WINXP\system32\drivers\senekamjpklteu.sys 
C:\WINXP\system32\drivers\TDSSrfdc.sys
C:\WINXP\system32\senekaujwmrqlx.dll
C:\WINXP\system32\senekauypixdkb.dat
C:\WINXP\system32\TDSSkfkl.dll
C:\WINXP\system32\TDSSblat.dat
C:\WINXP\system32\TDSSurkv.dll
C:\WINXP\system32\TDSSottp.dll
C:\WINXP\system32\TDSSxnyq.dll
C:\WINXP\system32\TDSSxnpb.dll
C:\WINXP\system32\TDSSnmxh.log
C:\WINXP\system32\TDSSqshc.dll
C:\WINXP\system32\TDSSshbe.log
C:\WINXP\system32\TDSSqogd.log

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

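The list kahdah built by hand in post #9 comes straight out of the GMER log in post #8: the two services flagged `<-- ROOTKIT`, the hidden kernel module, and every file path the registry section lists under those service keys. The following Python helper is an added example, not code from this thread, from GMER or from The Avenger. It parses GMER 1.0.14-style lines into that same "Drivers to delete / Files to delete" form, de-duplicating the three spellings GMER uses for one file (`\systemroot\...`, bare `system32\...`, and `C:\...`). It assumes `%SystemRoot%` is `C:\WINXP`, as in this log; `SAMPLE_LOG` is a trimmed copy of entries from the log above.

```python
r"""Added example: turn a GMER rootkit-scan log into a removal list.

Not code from the thread, from GMER or from The Avenger. Assumes
%SystemRoot% is C:\WINXP (as in the log above) and GMER 1.0.14's line
formats; SAMPLE_LOG is a trimmed copy of entries from that log.
"""
import re
from dataclasses import dataclass, field

SYSTEMROOT = r"C:\WINXP"  # assumption taken from the thread's log

# "PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 82EA090C"
HOOK_RE = re.compile(r"^PAGE\s+\S+!(?P<func>\S+)\s+(?P<addr>[0-9A-F]+)\s+\d+\s+Bytes"
                     r"\s+JMP\s+(?P<target>[0-9A-F]+)")
# "Service <path> (*** hidden *** ) [SYSTEM] <name> <-- ROOTKIT !!!"
SERVICE_RE = re.compile(r"^Service\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* ?\)"
                        r"\s+\[\w+\]\s+(?P<name>\S+)\s+<--\s*ROOTKIT")
# "Module <path> (*** hidden *** ) F82BA000-F82D3000 (102400 bytes)"
MODULE_RE = re.compile(r"^Module\s+(?P<path>\S+)\s+\(\*\*\* hidden \*\*\* ?\)")
# "Reg HKLM\SYSTEM\<set>\Services\<svc>[\modules]@<value> <data>"
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\[^\\]+\\Services\\(?P<svc>[^\\@\s]+)"
                    r"(?:\\modules)?@(?P<value>\S+)\s+(?P<data>\S+)$", re.IGNORECASE)

SAMPLE_LOG = r"""
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 82EA090C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 82F8849C
Module \systemroot\system32\drivers\senekamjpklteu.sys (*** hidden *** ) F82BA000-F82D3000 (102400 bytes)
Service C:\WINXP\system32\drivers\senekamjpklteu.sys (*** hidden *** ) [SYSTEM] seneka <-- ROOTKIT !!!
Service system32\drivers\TDSSrfdc.sys (*** hidden *** ) [SYSTEM] TDSSserv.sys <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka@imagepath \systemroot\system32\drivers\senekamjpklteu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dll \systemroot\system32\senekaujwmrqlx.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.sys \systemroot\system32\drivers\senekamjpklteu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@senekawi.dll \systemroot\system32\senekavxumbavb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\seneka\modules@seneka.dat \systemroot\system32\senekauypixdkb.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys@imagepath \systemroot\system32\drivers\TDSSrfdc.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@TDSSl \systemroot\system32\TDSSkfkl.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules@tdssservers \systemroot\system32\TDSSblat.dat
Reg HKLM\SYSTEM\ControlSet004\Services\seneka@imagepath \systemroot\system32\drivers\senekamjpklteu.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs G
"""

def normalize(path: str) -> str:
    """One absolute spelling for systemroot-relative, bare and absolute paths."""
    low = path.lower()
    if low.startswith("\\systemroot\\"):
        return SYSTEMROOT + path[len("\\systemroot"):]
    if re.match(r"^[a-z]:\\", low):
        return path
    return SYSTEMROOT + "\\" + path.lstrip("\\")   # e.g. system32\drivers\x.sys

@dataclass
class Report:
    hooks: list = field(default_factory=list)    # (function, patched addr, JMP target)
    drivers: list = field(default_factory=list)  # hidden service names
    files: dict = field(default_factory=dict)    # lower-cased path -> path as seen

    def add_file(self, path: str) -> None:
        p = normalize(path)
        self.files.setdefault(p.lower(), p)

def parse_gmer(text: str) -> Report:
    """Pass 1 learns which services GMER flagged hidden; pass 2 harvests every
    file the registry section lists under those services (ImagePath plus the
    'modules' values), so a legitimate driver's key is never swept up."""
    rep = Report()
    lines = text.splitlines()
    for line in lines:
        if m := HOOK_RE.match(line):
            rep.hooks.append((m["func"], int(m["addr"], 16), int(m["target"], 16)))
        elif m := MODULE_RE.match(line):
            rep.add_file(m["path"])
        elif m := SERVICE_RE.match(line):
            rep.drivers.append(m["name"])
            rep.add_file(m["path"])
    flagged = {d.lower() for d in rep.drivers}
    for line in lines:
        m = REG_RE.match(line)
        if m and m["svc"].lower() in flagged and "\\" in m["data"]:
            rep.add_file(m["data"])   # skips start/type values such as "1"
    return rep

def hooked_syscalls(rep: Report) -> list:
    """Native API entry points GMER saw patched with a JMP. A redirected
    ZwEnumerateKey is the classic way to filter the rootkit's own service
    keys out of registry enumeration."""
    return [func for func, _addr, _target in rep.hooks]

def render_avenger_script(rep: Report) -> str:
    """Emit the 'Drivers to delete / Files to delete' form used in post #9."""
    files = sorted(rep.files.values(), key=str.lower)
    return "\n".join(["Drivers to delete:", *rep.drivers, "", "Files to delete:", *files])

if __name__ == "__main__":
    print(render_avenger_script(parse_gmer(SAMPLE_LOG)))
```

Harvesting the paths from the registry listing rather than by eye also picks up `C:\WINXP\system32\senekavxumbavb.dll` (the `senekawi.dll` module value in the log above), which the hand-written script in post #9 does not include. The two `5 Bytes JMP` entries on `ZwEnumerateKey` and `ZwFlushInstructionCache` are inline hooks in the kernel; a patched `ZwEnumerateKey` is how these service keys stay invisible to regedit and to scanners that walk the registry through the normal API, which is why only a cross-view tool like GMER listed them.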
#10 AdamLinn13 (Topic Starter)

Posted 19 January 2009 - 04:10 PM

When the computer reset this error message popped up:

RUNDLL

Error loading c:\WINXP\exufijocifalut.dll

The specified module could not be found.
-------------------------------------------------------------

Pasted below is the Avenger.txt

Thank you,
Adam

-------------------------------------------------------------

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "seneka" found!
ImagePath: \systemroot\system32\drivers\senekamjpklteu.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "seneka" deleted successfully.
Driver "TDSSserv.sys" deleted successfully.
File "C:\WINXP\system32\drivers\senekamjpklteu.sys" deleted successfully.

Error: file "C:\WINXP\system32\drivers\TDSSrfdc.sys" not found!
Deletion of file "C:\WINXP\system32\drivers\TDSSrfdc.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINXP\system32\senekaujwmrqlx.dll" deleted successfully.
File "C:\WINXP\system32\senekauypixdkb.dat" deleted successfully.

Error: file "C:\WINXP\system32\TDSSkfkl.dll" not found!
Deletion of file "C:\WINXP\system32\TDSSkfkl.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSblat.dat" not found!
Deletion of file "C:\WINXP\system32\TDSSblat.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSurkv.dll" not found!
Deletion of file "C:\WINXP\system32\TDSSurkv.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSottp.dll" not found!
Deletion of file "C:\WINXP\system32\TDSSottp.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSxnyq.dll" not found!
Deletion of file "C:\WINXP\system32\TDSSxnyq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSxnpb.dll" not found!
Deletion of file "C:\WINXP\system32\TDSSxnpb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSnmxh.log" not found!
Deletion of file "C:\WINXP\system32\TDSSnmxh.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSqshc.dll" not found!
Deletion of file "C:\WINXP\system32\TDSSqshc.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSshbe.log" not found!
Deletion of file "C:\WINXP\system32\TDSSshbe.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINXP\system32\TDSSqogd.log" not found!
Deletion of file "C:\WINXP\system32\TDSSqogd.log" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Edited by AdamLinn13, 19 January 2009 - 04:11 PM.
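The RUNDLL error at the top of this post is what a Run entry produces when it outlives the DLL it points at: `exufijocifalut.dll` was moved by OTMoveIt in post #5, but the `[Ngewok] rundll32.exe "C:\WINXP\exufijocifalut.dll",e` entry from the HijackThis log evidently still fired at logon. The following Python helper is an added example, not code from this thread or from HijackThis. It reads HijackThis O4 lines like the ones kahdah asked to be fixed in post #2, works out which file each entry would actually load (for rundll32 that is the DLL argument, not rundll32.exe), and checks it against a snapshot of the disk. The snapshot is constructed for the example (the two files OTMoveIt moved are gone; `C:\WINXP\Gxizahopira.dll`, which was not in that script, is still present); the search path for bare names and the "DLL sitting directly in %SystemRoot%" heuristic are assumptions of the example, not anything the thread states.

```python
r"""Added example: audit HijackThis O4 (Run-key) entries against the disk.

Not from the thread or from HijackThis. A Run entry whose file has been
removed still fires at logon, and rundll32 then reports the
"Error loading <dll> / The specified module could not be found" seen
in this thread. Assumptions: %SystemRoot% is C:\WINXP and bare
executable names are looked up through SEARCH_PATH below.
"""
import re

SYSTEMROOT = r"C:\WINXP"                                 # assumption, as in the thread
SEARCH_PATH = [SYSTEMROOT + r"\system32", SYSTEMROOT]   # assumed lookup order

# "O4 - HKLM\..\Run: [Ngewok] rundll32.exe "C:\WINXP\exufijocifalut.dll",e"
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# first token of the command, quoted or bare, then the remaining arguments
CMD_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))\s*(?P<rest>.*)$')

def payload_of(cmd: str) -> str:
    """The file that actually runs: for rundll32 it is the DLL argument."""
    m = CMD_RE.match(cmd.strip())
    exe = m["quoted"] or m["bare"]
    if exe.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32"):
        # rundll32 <dll>,<export>: strip the export name and any quotes
        return m["rest"].split(",", 1)[0].strip().strip('"')
    return exe

def resolve(path: str, disk: set):
    """Absolute path if the file exists in the (lower-cased) snapshot, else None."""
    if re.match(r"^[a-z]:\\", path, re.IGNORECASE):
        return path if path.lower() in disk else None
    for d in SEARCH_PATH:
        cand = d + "\\" + path
        if cand.lower() in disk:
            return cand
    return None

def audit(hjt_lines, disk):
    """Classify each O4 entry: 'orphaned' (file gone, entry still fires),
    'suspect' (present, but a payload sitting directly in %SystemRoot%,
    which legitimate software rarely does), or 'present'."""
    disk = {p.lower() for p in disk}
    results = []
    for line in hjt_lines:
        m = O4_RE.match(line)
        if not m:
            continue
        payload = payload_of(m["cmd"])
        found = resolve(payload, disk)
        if found is None:
            status = "orphaned"
        elif found.lower().rsplit("\\", 1)[0] == SYSTEMROOT.lower():
            status = "suspect"
        else:
            status = "present"
        results.append((m["name"], payload, status))
    return results

HJT_LINES = [  # the O4 entries kahdah flagged in the thread's HijackThis log
    r"O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe",
    r'O4 - HKLM\..\Run: [Rrokuwip] rundll32.exe "C:\WINXP\Gxizahopira.dll",e',
    r'O4 - HKLM\..\Run: [Ngewok] rundll32.exe "C:\WINXP\exufijocifalut.dll",e',
]
DISK_SNAPSHOT = {  # constructed: the state after OTMoveIt's moves in post #5
    r"C:\WINXP\Gxizahopira.dll",
    r"C:\WINXP\system32\rundll32.exe",
}

if __name__ == "__main__":
    for name, payload, status in audit(HJT_LINES, DISK_SNAPSHOT):
        print(f"{status:9} [{name}] -> {payload}")
```

Run against the snapshot, `[Ngewok]` and `[Framework Windows]` come back orphaned, which accounts for the RUNDLL message above, while `[Rrokuwip]` is still live and still loads a DLL from the root of `C:\WINXP`, so it needs the same treatment as the rest rather than being left behind.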


#11 kahdah (Security Colleague)

Posted 19 January 2009 - 07:01 PM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#12 AdamLinn13

AdamLinn13
  • Topic Starter

  • Members
  • 50 posts

Posted 20 January 2009 - 03:18 AM

Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3

1/20/2009 3:16:03 AM
mbam-log-2009-01-20 (03-16-03).txt

Scan type: Quick Scan
Objects scanned: 167520
Time elapsed: 33 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CMVideo.XMLDOMDocumentEventsSink (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CMVideo.XMLDOMDocumentEventsSink.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngewok (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Adam.LWO-K2SMEWQE1YI\Local Settings\Temp\seneka12b5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Laura.LWO-K2SMEWQE1YI\Local Settings\Temporary Internet Files\Content.IE5\NXDBT6VN\lsp[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINXP\aazalirt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\dkekkrkska.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\dkewiizkjdks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\iddqdops.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\ienotas.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\iqmcnoeqz.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\irprokwks.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\jikglond.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\jiklagka.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\jrjakdsd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\jungertab.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\kitiiwhaas.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\kkwknrbsggeg.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\klopnidret.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\krkdkdkee.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\krkmahejdk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\krtawefg.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\krujmmwlrra.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\ktknamwerr.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\kuruhccdsdd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\ooorjaas.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\oranerkka.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\oropbbsee.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\otnnbektre.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\otowjdseww.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\otpeppggq.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\rkaskssd.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\ronitfst.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\salrtybek.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\seeukluba.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\skaaanret.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\tobmygers.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\tobykke.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\zibaglertz.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINXP\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINXP\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.


:thumbup2:
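Added example (editor's, not code from the thread or from Malwarebytes): a small Python triage script for an MBAM 1.x log in the layout posted above. It checks that the header counts agree with the items actually listed (a mismatch means the pasted log is truncated or edited), pulls out anything MBAM could not remove in-session (the reboot case the instructions mention), lists each hijacked desktop-policy value together with the value MBAM restored so the keys can be re-checked after the reboot, and flags kernel-driver detections such as system32\drivers\seneka.sys, the kind of finding that makes a deep rootkit scan the sensible next step. The sample log is a constructed subset of the one above; the "Delete on reboot." entry is made up for the example and was not in the posted log.

```python
import re
from collections import OrderedDict

# Constructed excerpt of a Malwarebytes' Anti-Malware 1.x log in the layout
# posted above: a subset of the real entries with the header counts adjusted
# to match. The final "Delete on reboot." entry is made up for the example.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.33
Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CMVideo.XMLDOMDocumentEventsSink (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CMVideo.XMLDOMDocumentEventsSink.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ngewok (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINXP\aazalirt.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINXP\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adam\Local Settings\Temp\seneka12b5.tmp (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<det>[^()]+)\) -> (?P<rest>.+)$")
POLICY_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (header counts, OrderedDict of section name -> listed items)."""
    summary, sections, current = {}, OrderedDict(), None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = ITEM_RE.match(line)
        if current is None or not m:
            continue  # blank lines, "(No malicious items detected)", banner lines
        item = {"section": current, "object": m.group("obj"),
                "detection": m.group("det"), "action": m.group("rest")}
        p = POLICY_RE.match(item["action"])
        if p:  # registry data items also carry the hijacked and original values
            item.update(bad=p.group("bad"), good=p.group("good"), action=p.group("action"))
        sections[current].append(item)
    return summary, sections


def reconcile(summary, sections):
    """Header count vs. items listed; a mismatch means a truncated or edited log."""
    return {name: (count, len(sections.get(name, [])))
            for name, count in summary.items() if count != len(sections.get(name, []))}


def pending_items(sections):
    """Detections MBAM did not remove in-session (the reboot case in the instructions)."""
    return [i for items in sections.values() for i in items
            if not i["action"].startswith("Quarantined and deleted")]


def policy_restores(sections):
    """(policy key, value MBAM restored) pairs worth re-checking after the reboot."""
    return [(i["object"], i["good"]) for i in sections.get("Registry Data Items Infected", [])]


def driver_detections(sections):
    """Kernel-mode drivers (.sys in a drivers directory): a rootkit-scan trigger."""
    return [i["object"] for i in sections.get("Files Infected", [])
            if i["object"].lower().endswith(".sys") and "\\drivers\\" in i["object"].lower()]


if __name__ == "__main__":
    counts, found = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", reconcile(counts, found))
    print("pending:", [i["object"] for i in pending_items(found)])
    print("policies to re-check:", policy_restores(found))
    print("drivers:", driver_detections(found))
```

Feed it the full log by replacing SAMPLE_LOG with the pasted text; the count check is the first thing to look at, since a quarantined-and-deleted line that never made it into the paste is exactly the entry you would otherwise miss.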

#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 20 January 2009 - 07:57 AM

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit ok at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


After that, click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back at the main screen.
  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus/malware from the report; it will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.



#14 AdamLinn13

AdamLinn13
  • Topic Starter

  • Members
  • 50 posts

Posted 21 January 2009 - 06:28 AM

Scan
----
Scanned: 1480327
Detected: 8
Untreated: 0
Start time: 1/20/2009 7:28:41 PM
Duration: 10:57:41
Finish time: 1/21/2009 6:26:22 AM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Win32.Agent.bcxd File: C:\Documents and Settings\All Users.WINXP\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E7C0000\4F7D8209.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.Win32.Agent.bcxd File: C:\Documents and Settings\All Users.WINXP\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E7C0001\4F7D856C.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.Win32.Agent.bcxd File: C:\Documents and Settings\All Users.WINXP\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E7C0002\4F7D88DB.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.Win32.BHO.ape File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20090117-231446-162.dll
deleted: Trojan program Trojan-Downloader.Win32.Agent.bdlh File: C:\_OTMoveIt\MovedFiles\01182009_101258\winxp\system32\chert5-998.exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.bcst File: C:\_OTMoveIt\MovedFiles\01182009_101258\winxp\system32\frmwrk32.exe
deleted: Trojan program Trojan-Dropper.Win32.Agent.afeu File: C:\_OTMoveIt\MovedFiles\01182009_101258\winxp\system32\ntdll64.exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.bcst File: C:\_OTMoveIt\MovedFiles\01182009_101258\winxp\system32\pcload.exe


Events
------
Time Name Status Reason
---- ---- ------ ------
1/20/2009 7:28:51 PM Running module: smss.exe\smss.exe ok scanned
1/20/2009 7:28:51 PM File: C:\WINXP\System32\smss.exe ok scanned
1/20/2009 7:28:51 PM Running module: smss.exe\ntdll.dll ok scanned
1/20/2009 7:28:51 PM File: C:\WINXP\system32\ntdll.dll ok scanned
1/20/2009 7:28:51 PM Running module: csrss.exe\csrss.exe ok scanned
1/20/2009 7:28:51 PM File: C:\WINXP\system32\csrss.exe ok scanned
1/20/2009 7:28:51 PM Running module: csrss.exe\ntdll.dll ok scanned


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Custom
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology No
Enable iSwift technology No
Show detected threats on "Detected" tab Yes
Rootkits search Yes
Deep rootkits search Yes
Use heuristic analyzer Yes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
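Added example (editor's, not code from the thread or from Kaspersky): a Python triage of the "Detected" block of an AVP Tool report in the layout above. The point it makes is the one a practitioner checks before calling a machine clean: every path in the posted report sits inside another tool's quarantine or backup directory (Symantec Endpoint Protection Quarantine, HijackThis backups, OTMoveIt MovedFiles), so those eight hits are leftovers of earlier cleanups rather than malware still running on the box. The script parses each row, splits off the nested-object suffix (the `//CryptZ` part is read here as Kaspersky's marker for a layer unpacked from the file; that reading is an assumption), and sorts detections into "contained" and "live". Three rows are copied from the report above; the fourth row (example-live.exe) and the System Volume Information directory are constructed additions so the "live" branch is exercised.

```python
import re

# Constructed excerpt of the AVP Tool report posted above: three of the real
# "Detected" rows plus one made-up row (example-live.exe, not something the
# thread reported) so that the "live" branch below is exercised.
SAMPLE_REPORT = r"""
Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan-Downloader.Win32.Agent.bcxd File: C:\Documents and Settings\All Users.WINXP\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\0E7C0000\4F7D8209.VBN//CryptZ
deleted: Trojan program Trojan-Downloader.Win32.BHO.ape File: C:\Program Files\Trend Micro\HijackThis\backups\backup-20090117-231446-162.dll
deleted: Trojan program Trojan-Dropper.Win32.Agent.afeu File: C:\_OTMoveIt\MovedFiles\01182009_101258\winxp\system32\ntdll64.exe
deleted: Trojan program Trojan-Downloader.Win32.Agent.bcst File: C:\WINXP\system32\example-live.exe


Events
------
Time Name Status Reason
"""

# Directories where earlier tools park things they already removed. A hit in
# one of these is a leftover of a previous cleanup, not running malware. The
# first three appear in the report above; System Volume Information (System
# Restore snapshots) is added here as a common fourth.
CONTAINMENT_DIRS = (
    "\\symantec endpoint protection\\quarantine\\",
    "\\hijackthis\\backups\\",
    "\\_otmoveit\\movedfiles\\",
    "\\system volume information\\",
)

# status: kind name File: path   (e.g. "deleted: Trojan program X.Y.Z File: C:\...")
DETECTED_RE = re.compile(r"^(?P<status>\w+): (?P<kind>.+?) (?P<name>\S+) File: (?P<path>.+)$")


def parse_detected(report):
    """Rows of the 'Detected' block; '//suffix' is split off as the nested object (assumed notation)."""
    rows, in_block = [], False
    for line in (raw.strip() for raw in report.splitlines()):
        if line == "Detected":
            in_block = True
            continue
        if in_block and line == "Events":
            break
        m = DETECTED_RE.match(line) if in_block else None
        if m:
            path, _, nested = m.group("path").partition("//")
            rows.append({"status": m.group("status"), "name": m.group("name"),
                         "path": path, "nested": nested})
    return rows


def is_contained(path):
    """True when the file lives in a quarantine/backup directory of another tool."""
    low = path.lower()
    return any(d in low for d in CONTAINMENT_DIRS)


def triage(report):
    """Split detections into already-contained leftovers and potentially live files."""
    rows = parse_detected(report)
    return {"contained": [r for r in rows if is_contained(r["path"])],
            "live": [r for r in rows if not is_contained(r["path"])]}


def clean_verdict(report):
    """True when nothing was found outside a containment directory."""
    return not triage(report)["live"]


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket in ("contained", "live"):
        for r in result[bucket]:
            print(f"{bucket:9s} {r['name']:40s} {r['path']}")
    print("clean:", clean_verdict(SAMPLE_REPORT))
```

Run against the full posted report, the "live" list is empty, which is the evidence behind the next reply's "Looks good". A non-empty "live" list is the case where the file should be checked on disk rather than trusted as deleted; and if the quarantine-folder hits bother you, emptying those tools' quarantines is the tidy way to stop later scanners re-reporting them.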

#15 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 21 January 2009 - 07:32 AM

Looks good. How are things running?



