Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Rbot-AFW worm


  • This topic is locked This topic is locked
2 replies to this topic

#1 t2000al

t2000al

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:44 AM

Posted 17 February 2009 - 08:37 PM

Upon start up of computer, a pop-up appears and says:
Publisher could not be verified. Are you sure you want to run this software?
Name: ...sers\Tabitha\AppData\Local\Temp\systeminit.exe
Publisher: Unknown
Type: Application
From: C:\Users\Tabitha\AppData\Local\Temp\systemini...
then gives me a choice to run or cancel. If you choose to run other windows open up and all the new "run this program" boxes come up and you can hardly "x" out of them fast enough.

Please Help.




DDS (Ver_09-02-01.01) - NTFSx86
Run by Tabitha at 19:24:10.43 on Tue 02/17/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1978.1048 [GMT -6:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskeng.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN\Toolbar\3.0.0988.2\msntask.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Tabitha\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Aim6]
uRun: [systeminit.exe] c:\users\tabitha\appdata\local\temp\systeminit.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
StartupFolder: c:\users\tabitha\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-7-26 361808]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-8 24652]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-7-25 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-4 113664]

=============== Created Last 30 ================

2009-02-14 21:09 9,285 a------- c:\windows\system32\Config.MPF
2009-02-14 21:08 143,360 a------- c:\windows\system32\dunzip32.dll
2009-02-14 21:05 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-02-14 21:05 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-02-14 21:05 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-02-14 21:05 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-02-14 21:05 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-02-14 21:05 125,728 a------- c:\windows\system32\drivers\Mpfp.sys
2009-02-14 21:05 <DIR> --d----- c:\program files\McAfee.com
2009-02-14 21:05 <DIR> --d----- c:\program files\common files\McAfee
2009-02-14 21:04 <DIR> --d----- c:\program files\McAfee
2009-02-14 20:45 <DIR> --d----- c:\programdata\McAfee
2009-02-12 20:45 <DIR> --d----- c:\users\tabitha\Incomplete
2009-02-12 20:41 <DIR> --d----- c:\users\tabitha\appdata\roaming\LimeWire
2009-02-12 20:40 <DIR> --d----- c:\program files\LimeWire
2009-02-10 18:19 827,392 a------- c:\windows\system32\wininet.dll
2009-02-10 18:19 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-02-08 19:51 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-08 19:51 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-08 19:51 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-08 19:51 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-08 19:51 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-08 19:51 11,264 a------- c:\windows\system32\icardres.dll
2009-02-08 19:51 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-08 19:51 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-08 19:45 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-08 19:45 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-08 19:45 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-08 19:44 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-08 19:44 83,968 a------- c:\windows\system32\mscories.dll
2009-02-04 20:05 1,409 a------- c:\windows\system32\tmp57E5C.FOT
2009-02-04 20:05 1,409 a------- c:\windows\system32\tmp4AE5C.FOT
2009-02-04 18:46 1,409 a------- c:\windows\system32\tmp23161.FOT
2009-02-04 18:46 1,409 a------- c:\windows\system32\tmp16161.FOT
2009-02-04 18:45 125 a------- c:\windows\usrwiz.ini
2009-02-03 20:07 <DIR> --d----- c:\programdata\Yahoo!
2009-02-03 14:07 865 a------- C:\net_save.dna
2009-02-03 14:06 <DIR> --d----- c:\program files\support.com
2009-02-03 14:06 <DIR> --d----- c:\program files\common files\SupportSoft
2009-01-27 19:51 2,048 a------- c:\windows\system32\tzres.dll
2009-01-27 19:51 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-27 19:43 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-27 19:38 <DIR> --d----- c:\program files\MSXML 4.0

==================== Find3M ====================

2009-02-14 21:00 86,016 a------- c:\windows\inf\infstor.dat
2009-02-14 21:00 51,200 a------- c:\windows\inf\infpub.dat
2009-02-14 21:00 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-10 19:54 208 a------- c:\users\tabitha\appdata\roaming\wklnhst.dat
2008-07-25 21:46 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 19:24:54.86 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:44 AM

Posted 26 February 2009 - 01:38 PM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh dds log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:09:44 AM

Posted 04 March 2009 - 12:37 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users