Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Win32 trojan/Fake McAfee Alerts


  • This topic is locked This topic is locked
37 replies to this topic

#1 as143

as143

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 20 February 2009 - 04:18 PM

Hi All,

About 3 weeks ago I found my desktop computer had been infected with something. Somehow, the computer's username (which never used to have password protection) had it and as well, everytime I tried to go into safe mode I got the blue screen of death. As well, the one thing that kept occurring and keeps occurring to this date is a fake McAfee Activeshield alert telling me that a virus has been detected and that I should scan my computer.

I do have some computer security knowledge, so after reading various websites, including this one, I downloaded Combofix and was able to turn off the password protection and as well I could get into safe mode again. I ran McAfee virus scan and it notified me that both explorer.exe and svchost.exe were infected with the New Win32 virus, but that they could not be cleaned. I quarantined both and was able to actually access my desktop again, which at first, I could not.

Since this has occurred, I have downloaded and used ComboFix, SDFix, VundoFix, Super AntiSpyware pro, MalBytes Anti-Malware, and ATF Cleaner to try and fix this and have had no luck. I've also run HJT many times and found some files and deleted them (including an 021 entry named c:\windows\system32\qzdex.dll, which somewhere told me that was part of the problem) but nothing is working. Also, when I run a scan on HJT, these alerts start going nuts and continually popping up on my screen.

Here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:48 PM, on 2/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\........\hijackth.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\........\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Cryptographic Services (CryptSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: DCOM Server Process Launcher (DcomLaunch) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Error Reporting Service (ERSvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Help and Support (helpsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Server (lanmanserver) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Location Awareness (NLA) (Nla) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\System32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Secondary Logon (seclogon) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Shell Hardware Detection (ShellHWDetection) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: SSDP Discovery Service (SSDPSRV) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Terminal Services (TermService) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Themes - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Universal Plug and Play Device Host (upnphost) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Time (w32time) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: WebClient - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Windows Management Instrumentation (winmgmt) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Portable Media Serial Number Service (WmdmPmSN) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
O23 - Service: Wireless Zero Configuration (WZCSVC) - Unknown owner - C:\WINDOWS\System32\svchost.exe
O23 - Service: Network Provisioning Service (xmlprov) - Unknown owner - C:\WINDOWS\System32\svchost.exe

--
End of file - 11697 bytes

Any help would be greatly appreciated. I've been able to eliminate every spyware/malware program that I've ever encountered and this one I just cannot. Thanks in advance!

Edited by as143, 20 February 2009 - 04:19 PM.


BC AdBot (Login to Remove)

 


#2 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:02:55 PM

Posted 03 March 2009 - 05:27 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 as143

as143
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 07 March 2009 - 02:14 PM

Here is the DDS Log


DDS (Ver_09-02-01.01) - NTFSx86
Run by Andrea Aronson at 14:07:36.32 on Sat 03/07/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.53 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\.....\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [Dell AIO Printer A940] "c:\program files\dell aio printer a940\dlbabmgr.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe
mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers
mRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
StartupFolder: c:\docume~1\.....~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5533/mcfscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\andrea~1\applic~1\mozilla\firefox\profiles\ek1hfgh9.default\
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\java\j2re1.4.2\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-2-29 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-2-29 51440]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-11-29 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-11-29 122368]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2004-12-28 106496]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2004-12-28 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2004-12-28 23296]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S1 c6033530;c6033530;c:\windows\system32\drivers\c6033530.sys --> c:\windows\system32\drivers\c6033530.sys [?]
S2 Tmfilter;Tmfilter;c:\progra~1\ontrack\fix-it\Tmfilter.sys [2001-6-29 155216]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-11-29 245760]

=============== Created Last 30 ================

2009-02-28 13:02 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-23 01:36 <DIR> --d----- c:\windows\McAfee.com
2009-02-18 17:59 115,224 a------- C:\img2-001.raw
2009-02-17 17:11 <DIR> --d----- C:\Intel
2009-02-14 14:33 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-02-14 14:26 <DIR> --d--r-- c:\program files\Skype
2009-02-14 14:13 59,264 a------- c:\windows\system32\drivers\USBAUDIO.sys
2009-02-14 14:13 59,264 a------- c:\windows\system32\dllcache\usbaudio.sys
2009-02-14 14:12 53,760 a------- c:\windows\system32\vfwwdm32.dll
2009-02-14 14:12 53,760 a------- c:\windows\system32\dllcache\vfwwdm32.dll
2009-02-14 14:03 476,520 a------- c:\windows\vVX3000.dll
2009-02-14 14:03 202,088 a------- c:\windows\system32\LCCoin14.dll
2009-02-14 14:03 185,704 a------- c:\windows\system32\cVX3000.dll
2009-02-14 14:03 111,976 a------- c:\windows\VX3000.dll
2009-02-14 14:03 15,498 a------- c:\windows\VX3000.ini
2009-02-14 14:03 13,023 a------- c:\windows\VX3000.src
2009-02-14 14:03 1,966,696 a------- c:\windows\system32\drivers\VX3000.sys
2009-02-14 14:03 709,992 a------- c:\windows\vVX3000.exe
2009-02-14 14:02 <DIR> --d----- c:\program files\Microsoft LifeCam
2009-02-14 13:25 <DIR> --d----- c:\windows\ERUNT
2009-02-14 13:19 <DIR> --d----- C:\SDFix
2009-02-14 13:10 3,598 a------- c:\windows\system32\tmp.reg
2009-02-14 13:09 289,144 a------- c:\windows\system32\VCCLSID.exe
2009-02-14 13:09 86,016 a------- c:\windows\system32\VACFix.exe
2009-02-14 13:09 82,432 a------- c:\windows\system32\IEDFix.exe
2009-02-14 13:09 79,360 a------- c:\windows\system32\swxcacls.exe
2009-02-14 13:09 51,200 a------- c:\windows\system32\dumphive.exe
2009-02-14 13:09 25,600 a------- c:\windows\system32\WS2Fix.exe
2009-02-14 13:09 288,417 a------- c:\windows\system32\SrchSTS.exe
2009-02-14 13:09 135,168 a------- c:\windows\system32\swreg.exe
2009-02-14 13:09 53,248 a------- c:\windows\system32\Process.exe
2009-02-14 12:48 <DIR> a-dshr-- C:\cmdcons
2009-02-14 12:45 161,792 a------- c:\windows\SWREG.exe
2009-02-14 12:45 98,816 a------- c:\windows\sed.exe
2009-02-14 12:31 <DIR> --d----- c:\windows\pss
2009-02-12 17:25 <DIR> --d----- C:\spoolerlogs

==================== Find3M ====================

2009-01-24 22:42 2,737,808 a------- C:\mbam-setup.exe
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-13 01:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-02-13 12:18 61,312 a------- c:\docume~1\.....~1\applic~1\GDIPFONTCACHEV1.DAT
2008-01-23 23:22 5,806 a------- c:\docume~1\.....~1\applic~1\wklnhst.dat
2005-02-16 11:06 218,112 a------- c:\documents and settings\.....\HIJACKTH.EXE

============= FINISH: 14:08:46.01 ===============


I haven't made any other changes to the computer since the last HJT log I posted, except trying to update the Host files (which didn't help the problem either)

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 PM

Posted 09 March 2009 - 02:25 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

We'll probably be needing to use ComboFix again.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

To disable McAfee:
  • Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
    Right-click it -> chose Exit.
  • A popup will warn that protection will now be disabled. Click on Yes to disable the Antivirus guard.
Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not recieve the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.
    Posted ImagePosted Image

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
    Posted Image
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

With Regards,
The Panda

#5 as143

as143
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 12 March 2009 - 12:47 PM

I reran ComboFix as you instructed, disabling McAfee Virus protection. However, I ran it and when it restarted, it came up with a blue screen "Fatal System Error." I can't boot the computer in normal mode or safe mode! What happened? Help! :thumbup2:

#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 PM

Posted 12 March 2009 - 02:36 PM

Hello.

Let's restore from the ERUNT backup that ComboFix created.

Shutdown the computer. Start it again.
After hearing the beep, hit F8 repetitively until you see the boot selection menu.
Select Return to OS Selections.
Select Microsoft Windows Recovery Console.
Type in the number of the Windows installation you want to repair (usually 1 C:\Windows), then press Enter.
Type in the Administrator password if prompted (leave blank if you are unsure what it is or if you do not have one) and press Enter.
Type without quotes "cd erdnt" followed by Enter.
Type without quotes "cd subs" followed by Enter.
Type without quotes "batch erdnt.con" followed by Enter.
Type without quotes "exit" followed by Enter.

Allow your comptuer to boot.

Tell me how it goes.

With Regards,
The Panda

Are you able to bee into

#7 as143

as143
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 12 March 2009 - 02:50 PM

Hi Panda,

I typed what you asked me to, but after the "cd erdnt" prompt came up, I tried typing "cd subs" and it said "The system cannot find the file or directory specified"

#8 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 PM

Posted 12 March 2009 - 02:57 PM

Hello.

At the C:\Windows\ERUNT prompt, type "dir"
You will see a list of folders.
Type CD followed by a folder name.
Follow with "batch erdnt.con".

With Regards,
The Panda

#9 as143

as143
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 12 March 2009 - 03:12 PM

When typing dir, I can see the folders but not their full names. This is what I'm met with:

03/11/09 04:43p d------- 0.
03/11/09 04:43p d------- 0.
03/11/09 04:43p -a------ 110 CFrecovery.bat
03/11/09 04:43p -a------ 1040 CFUNDO.dat
03/11/09 04:38p d------- 0 Hiv-backup

It won't let me use the cd command since there is no real folder name

#10 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 PM

Posted 12 March 2009 - 03:57 PM

Hello.

At that prompt, type:
cd hiv-backup

With Regards,
The Panda

#11 as143

as143
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 12 March 2009 - 10:34 PM

I was able to get the prompt to work this time, but even after following it and rebooting, I still got the blue screen after it started up again. After I entered "cd hiv-backup" it said it was copying files, but it still didn't work.

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 PM

Posted 13 March 2009 - 07:01 AM

Hello.

Are you sure "batch erdnt.con" was entered?

Where does the boot sequence stop? Do you see the blue windows welcome screen?

Please take down the information in the BSOD under Technical Details.

With Regards,
The Panda

#13 as143

as143
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 15 March 2009 - 02:25 PM

Hi Panda,

I did enter batch erdnt.con, and a message came up that said "copying 1 file" about 4 times. At the end, I typed exit, the computer rebooted, and I still got the BSOD.

The computer boots, I see the Windows XP screen with the moving bar at the bottom, then the blue "Windows is starting" screen comes up for 2 seconds, then just a black screen with a cursor. Finally, I hear the hard drive shut down and the BSOD comes up.

I've tried using chkdsk /r with the Windows Recovery Console, both on the hard drive and from the Windows XP disk, but both get to about 69% completed, hangup, and go back to 50% completed and start over. Therefore, neither has gone to full completion. I was going to try "fixboot," but I didn't want to for fear of messing something else up.

Here is the information under the BSOD technical details:

STOP: c000021a {Fatal System Error}

The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000).
The system has been shut down

Edited by as143, 15 March 2009 - 02:26 PM.


#14 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:55 PM

Posted 16 March 2009 - 07:59 AM

Hello.

Do you have some blank CDs and a CD burner available? I want to create a bootable disk and see what file ComboFix removed.

We can then perform restoration of changes that were made.

With Regards,
The Panda

#15 as143

as143
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:01:55 PM

Posted 16 March 2009 - 10:25 AM

I do have some blank CDs, and a burner on my laptop. The desktop is the one that is broken, I can't remember if that has a burner. Is that the one you need the burner on?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users