Cutwail.XR


This topic is locked
14 replies to this topic

#1 MadMouse

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:40 PM

Posted 17 April 2009 - 05:10 PM

Where to start?????
This virus seems to have got past my firewall and if I try to change any settings it appears to overwrite the registry so it appears to be not installed and therefore I can't make any changes. My antivirus software detected the virus, deleted the files but they immediately reinfected. After searching the internet I started to look for suspicious files with the aid of my little search dog. He certainly deserved his bone! I deleted the file and found several .temp files which appeared when the virus replicated. I also found a large .sys file in a strange place which I zipped in case I was horribly wrong.

In order to get my firewall functioning again I did a system restore but this evening when I went to check something on the firewall it changed to being "not installed". The following files appeared on my C: drive: "Newtb1handler.log" and "TB2overwriteHandler.log". Obviously there is still something lurking in the maze of files but I have no idea what to look for. Also I have just realised that my DVD/CD-ROM is not working. I know I went mad zipping up anything I thought to be a threat but I am pretty certain I didn't mess with any of those files. I focussed on files made/modified on the day (16.04.09).

I am having trouble uploading files to the internet but that may be because I need to make changes to my firewall but am too scared to try until I sort out the overwriting problem.

I'm sure there is more to tell but I can't think of anything at the moment.

Thanks for your help.

DS (Ver_09-03-16.01) - NTFSx86
Run by Penny Marr at 22:09:56.68 on Fri 17/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.503.117 [GMT 1:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Website Inspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Documents and Settings\Penny Marr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>;localhost
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\etrust internet security suite\ca website inspector\toolbar\CallingIDIE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\etrust internet security suite\ca website inspector\toolbar\CallingIDIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [eTrustPPAP] "c:\program files\ca\etrust internet security suite\etrust pestpatrol anti-spyware\PPActiveDetection.exe"
mRun: [cctray] "c:\program files\ca\etrust internet security suite\cctray\cctray.exe"
mRun: [QOELOADER] "c:\program files\ca\etrust internet security suite\ca anti-spam\qsp-6.0.1.33\QOELoader.exe"
mRun: [cafw] c:\program files\ca\etrust internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\etrust internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\etrust internet security suite\ca personal firewall\capfupgrade.exe
mRun: [CAVRID] "c:\program files\ca\etrust internet security suite\ca anti-virus\CAVRID.exe"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [DataLayer] c:\program files\common files\pcsuite\datalayer\DataLayer.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [VetStart] "c:\program files\ca\etrust internet security suite\ca anti-virus\vetmsg.exe" -r
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\windows\installer\{70014586-7bba-4a92-a610-cdc896c48f8f}\NewShortcut1_1.exe
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: telstra.com
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238265369750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238265146531
DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} - hxxp://www.scotlandspeople.gov.uk/Viewers/ActiveXControl/viewdw32.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38183.7251157407
DPF: {B3E22EA2-A579-11D2-847A-00C04F7605B6} - file://d:\0000c5dd\ma02p01a\common\en\online\code\odweb.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxp://liveap01.rightnowtech.com/6030-b463h/rnl/java/RntX.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: PFW - UmxWnp.Dll
SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\etrust internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll
LSA: Notification Packages = :\windows\syste

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-3-19 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-3-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-3-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-3-19 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-11-13 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-11-13 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-11-13 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-11-13 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-11-13 32240]
R2 CAISafe;CAISafe;c:\program files\ca\etrust internet security suite\ca anti-virus\isafe.exe [2008-11-13 144696]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-4 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-3-21 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-4-15 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\etrust internet security suite\ca anti-virus\vetmsg.exe [2008-11-13 255216]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-5-30 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\etrust internet security suite\ca anti-spyware\PPCtlPriv.exe [2008-11-13 185584]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-11-13 108368]
S0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2004-7-16 17792]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2006-2-20 20160]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-15 33752]

=============== Created Last 30 ================

2009-04-16 21:04 12,775 a------- c:\windows\system32\drivers\virus.zip
2009-04-16 19:40 0 a------- c:\windows\Jnawujabo.bin
2009-04-16 19:40 708 a------- c:\windows\Rboxitu.dat
2009-04-16 00:12 128,566 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
2009-03-28 23:09 <DIR> --d----- c:\windows\pss
2009-03-28 22:44 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-28 22:39 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-28 22:23 11,776 -------- c:\windows\system32\spnpinst.exe
2009-03-28 22:23 67,866 -------- c:\windows\system32\drivers\netwlan5.img
2009-03-28 20:01 <DIR> --d----- c:\windows\system32\NtmsData
2009-03-28 19:54 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-28 19:54 <DIR> --d-h--- c:\windows\$hf_mig$
2009-03-28 19:36 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-28 19:36 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-03-28 19:36 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-03-28 19:36 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-03-28 19:36 23,576 a------- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2009-03-28 22:46 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-13 20:36 410,984 a------- c:\windows\system32\deploytk.dll
2007-12-26 14:14 32 -------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-12-26 22:47 31,408 -------- c:\docume~1\pennym~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 22:12:38.39 ===============

#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:40 AM

Posted 02 May 2009 - 04:05 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.

If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please refer to this page and in step #6 there are instructions on downloading and running DDS. If you have any problems just let me know in your next reply or simply post a Hijackthis log.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 MadMouse (Topic Starter)

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:40 PM

Posted 04 May 2009 - 04:49 PM

Hi Extremeboy.
Good to hear from you.

Since my initial post I have made progress and appear to have things pretty well under control. Even so, I am not convinced that I don't still have something lurking. I'm probably just feeling insecure since this is my first virus horror - the closest bad experience was upgrading windows to SP2 the first time. (Didn't go well at all)

As requested I have repeated DDS. Report as follows:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Penny Marr at 22:21:19.56 on Mon 04/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.503.65 [GMT 1:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Website Inspector\Toolbar\CAGlobal.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Documents and Settings\Penny Marr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>;localhost
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\etrust internet security suite\ca website inspector\toolbar\CallingIDIE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\etrust internet security suite\ca website inspector\toolbar\CallingIDIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [eTrustPPAP] "c:\program files\ca\etrust internet security suite\etrust pestpatrol anti-spyware\PPActiveDetection.exe"
mRun: [cctray] "c:\program files\ca\etrust internet security suite\cctray\cctray.exe"
mRun: [QOELOADER] "c:\program files\ca\etrust internet security suite\ca anti-spam\qsp-6.0.1.33\QOELoader.exe"
mRun: [cafw] c:\program files\ca\etrust internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\etrust internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\etrust internet security suite\ca personal firewall\capfupgrade.exe
mRun: [CAVRID] "c:\program files\ca\etrust internet security suite\ca anti-virus\CAVRID.exe"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [DataLayer] c:\program files\common files\pcsuite\datalayer\DataLayer.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [VetStart] "c:\program files\ca\etrust internet security suite\ca anti-virus\vetmsg.exe" -r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NWEReboot]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\windows\installer\{70014586-7bba-4a92-a610-cdc896c48f8f}\NewShortcut1_1.exe
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: telstra.com
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238265369750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238265146531
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} - hxxp://www.scotlandspeople.gov.uk/Viewers/ActiveXControl/viewdw32.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38183.7251157407
DPF: {B3E22EA2-A579-11D2-847A-00C04F7605B6} - file://d:\0000c5dd\ma02p01a\common\en\online\code\odweb.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxp://liveap01.rightnowtech.com/6030-b463h/rnl/java/RntX.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: PFW - UmxWnp.Dll
SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\etrust internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll
LSA: Notification Packages = :\windows\syste

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-3-19 93712]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2004-7-16 17792]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-3-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-3-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-3-19 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-11-13 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-11-13 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-11-13 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-11-13 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-11-13 32240]
R2 CAISafe;CAISafe;c:\program files\ca\etrust internet security suite\ca anti-virus\isafe.exe [2008-11-13 144696]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-4 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-3-21 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-4-15 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\etrust internet security suite\ca anti-virus\vetmsg.exe [2008-11-13 255216]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-5-30 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\etrust internet security suite\ca anti-spyware\PPCtlPriv.exe [2008-11-13 185584]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-11-13 108368]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2006-2-20 20160]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-15 33752]

=============== Created Last 30 ================

2009-04-27 20:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-04-16 21:04 12,775 a------- c:\windows\system32\drivers\virus.zip
2009-04-16 19:40 0 a------- c:\windows\Jnawujabo.bin
2009-04-16 19:40 708 a------- c:\windows\Rboxitu.dat
2009-04-16 00:12 140,062 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1

==================== Find3M ====================

2009-03-28 22:46 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2007-12-26 14:14 32 -------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-12-26 22:47 31,408 -------- c:\docume~1\pennym~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 22:24:26.41 ===============


Thanks for your help.

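As an added example (not part of the thread, and not code from the DDS tool or its author), here is a small Python triage script for the "Created Last 30" section of a DDS log like the one above. It parses each entry line and flags plain files created directly in the Windows directory root within a day of the infection date; that is exactly how the two random-named files c:\windows\Jnawujabo.bin and c:\windows\Rboxitu.dat stand out from the CA HIPS kmxcfg.* files and the user's own virus.zip, which live in system32\drivers. The sample lines are copied from the log above; the entry-line layout and the "loose file in the Windows root" heuristic are my own assumptions, not anything DDS documents.

```python
import re
from datetime import date, timedelta

# Entry lines in the "Created Last 30" and "Find3M" sections of a DDS log have the shape
#   <date> <time> <size or <DIR>> <attribute flags> <path>
# e.g.  2009-04-16 19:40 0 a------- c:\windows\Jnawujabo.bin
# (layout assumed from the log above, not taken from DDS documentation)
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Lines copied from the "Created Last 30" section of the DDS log posted above.
SAMPLE_DDS_SECTION = r"""
=============== Created Last 30 ================

2009-04-27 20:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-04-16 21:04 12,775 a------- c:\windows\system32\drivers\virus.zip
2009-04-16 19:40 0 a------- c:\windows\Jnawujabo.bin
2009-04-16 19:40 708 a------- c:\windows\Rboxitu.dat
2009-04-16 00:12 140,062 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-04-16 00:12 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
"""


def parse_entries(log_text):
    """Parse every file/directory line of a DDS created/Find3M section into a dict."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, anything that is not an entry
        size = m.group("size")
        entries.append({
            "date": date.fromisoformat(m.group("date")),
            "time": m.group("time"),
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path").lower(),   # NTFS paths are case-insensitive
        })
    return entries


def flag_windows_root_drops(entries, infection_day, window_days=1, windir=r"c:\windows"):
    """Return names of plain files created directly in the Windows directory root
    within +/- window_days of infection_day.

    Legitimate installers almost never leave loose files in the Windows root itself,
    so a random-looking name landing there on the infection date is a strong lead.
    Files in subfolders (system32, drivers, ...) are deliberately not flagged here:
    that is where the user's own virus.zip and the CA HIPS kmxcfg.* files live.
    """
    lo = infection_day - timedelta(days=window_days)
    hi = infection_day + timedelta(days=window_days)
    flagged = []
    for e in entries:
        if e["is_dir"]:
            continue
        parent, _, name = e["path"].rpartition("\\")
        if parent == windir.lower() and lo <= e["date"] <= hi:
            flagged.append(name)
    return sorted(flagged)


def triage(log_text, infection_day_iso, window_days=1):
    """Convenience wrapper: DDS text + ISO date (e.g. '2009-04-16') -> sorted file names."""
    return flag_windows_root_drops(parse_entries(log_text),
                                   date.fromisoformat(infection_day_iso), window_days)


if __name__ == "__main__":
    for name in triage(SAMPLE_DDS_SECTION, "2009-04-16"):
        print("suspicious drop in Windows root:", name)
```

Run it against a full DDS log (the parser skips everything that is not an entry line) with the date the symptoms started; widen `window_days` if the infection date is uncertain. The heuristic is a lead, not a verdict: anything it flags still needs to be checked against the file's publisher and hash before it is removed.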

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 04 May 2009 - 05:11 PM

Hello.

I would still like to hear about the following:

If you still require assistance, please post a new set of DDS logs and a description of any remaining problems or symptoms you may still have.

With Regards,
Extremeboy


Also, after that, please run Malwarebytes Anti-Malware and RootRepeal for me, just to check for anything else.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Download and run RootRepeal CR

Please download RootRepeal to your desktop
  • Physically disconnect your machine from the internet, as your system will be unprotected.
  • Unzip it to its own folder.
  • Close/disable all other programs, especially your security programs (anti-spyware, anti-virus and firewall). Refer to this page if you are unsure how.
  • Double-click on Rooter.exe to run it. If you are using Vista, please right-click and run as Administrator.
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report tab.
  • A box will pop up; check the boxes beside ALL SIX.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the log here in your reply.
With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours, please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to [link].

#5 MadMouse (Topic Starter, Members, 6 posts)

Posted 06 May 2009 - 04:50 PM

Greetings again EB!

The last post I sent included a current DDS log - run immediately before posting (4 May 2009)

Symptoms? The main thing is that internet access is getting harder and harder. Downloading files is becoming a nightmare and accessing this topic has taken me hours.

After a struggle I managed to download MBAM onto my laptop, then transfer the file. I have successfully run it but am now struggling with RootRepeal. Again I downloaded it onto my laptop, then transferred the file. Whilst attempting to run RootRepeal I disabled my firewall, but the "security centre" is telling me that it is not installed, whereas when I look at the firewall itself it appears to be running. Something is not right...

MBAM log is as follows:

Malwarebytes' Anti-Malware 1.36
Database version: 2084
Windows 5.1.2600 Service Pack 2

6/05/2009 9:01:39 PM
mbam-log-2009-05-06 (21-01-39).txt

Scan type: Quick Scan
Objects scanned: 80337
Time elapsed: 10 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I will now continue my struggle with RootRepeal and my firewall...
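The three Security Center values in the MBAM log above are a defence-evasion indicator rather than the infection itself: with each set to 1, Windows XP's Security Center stops warning that the antivirus, the firewall or Automatic Updates are off, so protection can be switched off without the user noticing. As an added example (not code from the thread, from Malwarebytes or from the poster), here is a Python script that parses MBAM "Registry Data Items Infected" lines and reports which of the three warnings had been silenced, plus a Windows-only live check of the same values via winreg. The log-line layout is inferred from the log above, the sample text is copied from it, and the function names are mine.

```python
import re
import sys

SECURITY_CENTER_SUBKEY = r"SOFTWARE\Microsoft\Security Center"
# XP's Security Center reads these before warning that AV, the firewall or Automatic
# Updates are off. A value of 1 silences the warning; malware sets all three so the
# user never sees that protection has been switched off.
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")

# "Registry Data Items Infected" lines in a Malwarebytes' Anti-Malware 1.3x log:
#   <key>\<value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>
# (layout assumed from the log above, not taken from Malwarebytes documentation)
DATA_ITEM_RE = re.compile(
    r"^(?P<path>HKEY_\S.*?) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)

# Copied from the MBAM log posted above.
SAMPLE_MBAM_LOG = r"""
Registry Data Items Infected: 3

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""


def parse_registry_data_items(log_text):
    """Parse MBAM 'Registry Data Items Infected' lines into dicts (key, value, detection, ...)."""
    items = []
    for line in log_text.splitlines():
        m = DATA_ITEM_RE.match(line.strip())
        if not m:
            continue  # headers, counts, blank lines
        key, _, value = m.group("path").rpartition("\\")
        items.append({"key": key, "value": value, "detection": m.group("detection"),
                      "bad": m.group("bad"), "good": m.group("good"),
                      "action": m.group("action")})
    return items


def suppressed_notifications(values):
    """values maps a Security Center value name -> int, or None if the value is absent.
    Returns the names set to 1, i.e. the warnings that were being silenced."""
    return sorted(name for name in NOTIFY_VALUES if values.get(name) == 1)


def suppressed_from_mbam_log(log_text):
    """Offline triage: which Security Center warnings an MBAM log says had been silenced."""
    canonical = {n.lower(): n for n in NOTIFY_VALUES}   # registry names are case-insensitive
    full_key = ("HKEY_LOCAL_MACHINE\\" + SECURITY_CENTER_SUBKEY).lower()
    values = {}
    for item in parse_registry_data_items(log_text):
        name = canonical.get(item["value"].lower())
        if item["key"].lower() != full_key or name is None:
            continue
        try:
            values[name] = int(item["bad"])   # "Bad: (1)" is what MBAM found before fixing it
        except ValueError:
            continue
    return suppressed_notifications(values)


def suppressed_from_live_registry():
    """Live check on a Windows host: read the three values straight from HKLM.
    An absent value behaves like 0 (warning enabled), so it is reported as None."""
    if sys.platform != "win32":
        raise RuntimeError("live registry check only runs on Windows")
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SECURITY_CENTER_SUBKEY) as key:
        for name in NOTIFY_VALUES:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                values[name] = int(data)
            except FileNotFoundError:
                values[name] = None
    return suppressed_notifications(values)


if __name__ == "__main__":
    print("warnings silenced according to the log:", suppressed_from_mbam_log(SAMPLE_MBAM_LOG))
```

A non-empty result from the live check after a clean-up means something is still resetting the values (MBAM restored them to 0 here, and the thread's later symptoms suggest the underlying infection survived), so treat it as a reason to keep looking rather than as a finding to simply revert.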

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 07 May 2009 - 03:10 PM

Hello.

If you have any problems let me know.

Symptoms? The main thing is that internet access is getting harder and harder. Downloading files is becoming a nightmare and accessing this topic has taken me hours.

I believe you mean accessing the internet is difficult in terms of connecting, or...?

Post a new DDS log afterwards. It may be something on your side regarding the connection.

With Regards,
Extremeboy

#7 MadMouse (Topic Starter, Members, 6 posts)

Posted 10 May 2009 - 03:32 PM

Hi EB
I cannot get RootRepeal to run without crashing. I turned off/disabled the antivirus, antispyware and firewall, etc., and can't think of anything else which may be upsetting it. Any ideas?

As to my internet connection - the computer connects OK but once I try to download anything or navigate around IE it slows down and/or "hangs".

Thanks, Penny

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 10 May 2009 - 05:55 PM

Hello.

Try RootRepeal in Safe Mode. Do you get any errors or does it just crash?

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here

If it doesn't work, see if GMER works; it may also crash.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double-click the downloaded GMER file on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt to run a full scan. Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save ... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

If you have any problems let me know.

With Regards,
Extremeboy

#9 extremeboy (Malware Response Team, 12,975 posts)

Posted 15 May 2009 - 07:48 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#10 MadMouse (Topic Starter, Members, 6 posts)

Posted 17 May 2009 - 03:25 PM

Sorry to take so long to get back to you - it was one of those weeks when nothing went according to plan...

I ran RootRepeal in safe mode but it still crashed. When starting the program in both normal and safe modes I received the following error message: "Could not find kernel file on disk (C:\windows\system32\ntoskrnl.exe)"

Crash log as follows:

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x0042425b
Attempt to read from address: 0x00000008

I downloaded GMER and tried running it in normal mode, but it kept rebooting the computer. I ran it in safe mode. The scan completed, but when I tried to save the report I got a message that there weren't enough resources, then the computer proceeded to reboot again.

So, all in all, no joy yet.

I have run DDS again anyway.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Penny Marr at 21:18:03.28 on Sun 17/05/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.503.120 [GMT 1:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)
FW: CA Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spam\QSP-6.0.1.33\QOELoader.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\eTrust Internet Security Suite\ccprovsp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\eTrust Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\CA\eTrust Internet Security Suite\CA Website Inspector\Light\CAGlobalLight.exe
C:\Documents and Settings\Penny Marr\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://home.bt.yahoo.com/
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
mDefault_Search_URL = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
mSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Settings,ProxyOverride = <local>;localhost
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
BHO: CA Toolbar Helper: {fbf2401b-7447-4727-be5d-c19b2075ca84} - c:\program files\ca\etrust internet security suite\ca website inspector\toolbar\CallingIDIE.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo!7 Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: CA Toolbar: {10134636-e7af-4ac5-a1dc-c7c44bb97d81} - c:\program files\ca\etrust internet security suite\ca website inspector\toolbar\CallingIDIE.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [eTrustPPAP] "c:\program files\ca\etrust internet security suite\etrust pestpatrol anti-spyware\PPActiveDetection.exe"
mRun: [cctray] "c:\program files\ca\etrust internet security suite\cctray\cctray.exe"
mRun: [QOELOADER] "c:\program files\ca\etrust internet security suite\ca anti-spam\qsp-6.0.1.33\QOELoader.exe"
mRun: [cafw] c:\program files\ca\etrust internet security suite\ca personal firewall\cafw.exe -cl
mRun: [capfasem] c:\program files\ca\etrust internet security suite\ca personal firewall\capfasem.exe
mRun: [capfupgrade] c:\program files\ca\etrust internet security suite\ca personal firewall\capfupgrade.exe
mRun: [CAVRID] "c:\program files\ca\etrust internet security suite\ca anti-virus\CAVRID.exe"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [DataLayer] c:\program files\common files\pcsuite\datalayer\DataLayer.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [VetStart] "c:\program files\ca\etrust internet security suite\ca anti-virus\vetmsg.exe" -r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NWEReboot]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\windows\installer\{70014586-7bba-4a92-a610-cdc896c48f8f}\NewShortcut1_1.exe
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: telstra.com
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238265369750
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238265146531
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {84818113-96C5-11D2-BE39-006008BF4DD5} - hxxp://www.scotlandspeople.gov.uk/Viewers/ActiveXControl/viewdw32.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38183.7251157407
DPF: {B3E22EA2-A579-11D2-847A-00C04F7605B6} - file://d:\0000c5dd\ma02p01a\common\en\online\code\odweb.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxp://liveap01.rightnowtech.com/6030-b463h/rnl/java/RntX.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: PFW - UmxWnp.Dll
SEH: ShellHook Class: {1869181a-9f50-4fcf-8bff-1b8588ecb85c} - c:\program files\ca\etrust internet security suite\ca website inspector\linkadvisor\CIDLinkAdvisor.dll
LSA: Notification Packages = :\windows\syste

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2008-3-19 93712]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\system32\drivers\ppa.sys [2004-7-16 17792]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-3-21 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-3-21 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-3-19 115216]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-11-13 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-11-13 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-11-13 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-11-13 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-11-13 32240]
R2 CAISafe;CAISafe;c:\program files\ca\etrust internet security suite\ca anti-virus\isafe.exe [2008-11-13 144696]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-4 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-3-21 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-4-15 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\etrust internet security suite\ca anti-virus\vetmsg.exe [2008-11-13 255216]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-5-30 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\etrust internet security suite\ca anti-spyware\PPCtlPriv.exe [2008-11-13 185584]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-11-13 108368]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2006-2-20 20160]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-11-15 33752]

=============== Created Last 30 ================

2009-05-06 23:30 0 a------- c:\documents and settings\penny marr\settings.dat
2009-05-06 20:07 <DIR> --d----- c:\docume~1\pennym~1\applic~1\Malwarebytes
2009-05-06 20:06 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-06 20:06 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-06 20:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-06 20:06 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-27 20:39 <DIR> --d----- c:\windows\system32\LogFiles

==================== Find3M ====================

2009-05-17 13:38 142,926 a------- c:\windows\system32\drivers\kmxcfg.u2k0
2009-05-17 13:38 64 a------- c:\windows\system32\drivers\kmxcfg.u2k7
2009-05-17 13:38 64 a------- c:\windows\system32\drivers\kmxcfg.u2k6
2009-05-17 13:38 64 a------- c:\windows\system32\drivers\kmxcfg.u2k5
2009-05-17 13:38 64 a------- c:\windows\system32\drivers\kmxcfg.u2k4
2009-05-17 13:38 64 a------- c:\windows\system32\drivers\kmxcfg.u2k3
2009-05-17 13:38 64 a------- c:\windows\system32\drivers\kmxcfg.u2k2
2009-05-17 13:38 64 a------- c:\windows\system32\drivers\kmxcfg.u2k1
2009-04-16 21:04 12,775 a------- c:\windows\system32\drivers\virus.zip
2009-03-28 22:46 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2007-12-26 14:14 32 -------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-12-26 22:47 31,408 -------- c:\docume~1\pennym~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 21:21:28.59 ===============

Cheers,
Penny

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:40 AM

Posted 17 May 2009 - 04:32 PM

Hello.

Do you still have your windows disk?

Let's first update your Java and run an online scan. Then we'll proceed from there.

Update Java to Version 6 Update 13

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#12 MadMouse

MadMouse
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:04:40 PM

Posted 19 May 2009 - 01:40 AM

Hi Extremeboy,
You asked if I still have my windows disk. It appears to be missing in action. I have not long moved from the other side of the world and at this point have no idea where it is. (Can find everything else)

I was actually running Java 6 update 13 but hadn't removed update 7. I removed both and reinstalled Java 6 update 13.

Kaspersky log is as follows:

KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 19, 2009 00:29:19
Records in database: 2192478
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 81187
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:41:58


File name / Threat name / Threats count
C:\Backup\WINDOWS\Application Data\Identities\{CBE7AD60-7BED-11D3-A40D-FC908011B471}\Microsoft\Outlook Express\Mail (1).dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Documents and Settings\Penny Marr\Local Settings\Application Data\Identities\{652D3587-9D4C-4A4D-9643-165EF8D7B979}\Microsoft\Outlook Express\Mail.dbx Infected: Email-Worm.VBS.KakWorm 1

The selected area was scanned.


Regards,
Penny
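The Kaspersky report above has a regular shape: a header, a "Scan statistics" block with summary counters, and one "path Infected: threat count" line per detection. As an added example (not code from the thread, from Kaspersky or from anyone posting in it), here is a small Python parser for that format. It uses the report posted above as its constructed sample input, cross-checks the summary counters against the itemised lines, and flags detections that sit inside mail-store containers (the `.dbx` Outlook Express files here), which is the distinction the next reply acts on: an infected message sitting in a mailbox file is cleaned by emptying the mailbox, not by hunting for a running component. The `MAIL_STORE_SUFFIXES` list is an assumption of this example, not something the scanner reports.

```python
import re
from collections import Counter

# Constructed sample: the Kaspersky Online Scanner 7.0 report posted above,
# reproduced verbatim (raw string so the Windows paths keep their backslashes).
SAMPLE_REPORT = r"""KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, May 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, May 19, 2009 00:29:19
Records in database: 2192478
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan statistics:
Files scanned: 81187
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:41:58


File name / Threat name / Threats count
C:\Backup\WINDOWS\Application Data\Identities\{CBE7AD60-7BED-11D3-A40D-FC908011B471}\Microsoft\Outlook Express\Mail (1).dbx Infected: Email-Worm.VBS.KakWorm 1
C:\Documents and Settings\Penny Marr\Local Settings\Application Data\Identities\{652D3587-9D4C-4A4D-9643-165EF8D7B979}\Microsoft\Outlook Express\Mail.dbx Infected: Email-Worm.VBS.KakWorm 1

The selected area was scanned.
"""

# "<path> Infected: <threat> <count>"; the path may contain spaces, so it is
# matched non-greedily up to the literal " Infected: " separator.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^(Files scanned|Threat name|Infected objects|Suspicious objects): (\d+)$")

# Assumed list of mail-store container extensions: a hit inside one is an
# infected message stored in a mailbox file, not an executing component.
MAIL_STORE_SUFFIXES = (".dbx", ".pst", ".mbx")


def parse_report(text):
    """Parse the header, statistics and detection lines of a scanner report."""
    report = {"stats": {}, "detections": []}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Operating System: "):
            report["os"] = line.split(": ", 1)[1]
        elif line.startswith("Kaspersky Online Scanner version: "):
            report["scanner_version"] = line.split(": ", 1)[1]
        elif line.startswith("Records in database: "):
            report["database_records"] = int(line.split(": ", 1)[1])
        elif (m := STAT_RE.match(line)):
            report["stats"][m.group(1)] = int(m.group(2))
        elif (m := DETECTION_RE.match(line)):
            path = m.group("path")
            report["detections"].append({
                "path": path,
                "threat": m.group("threat"),
                "count": int(m.group("count")),
                "mail_store": path.lower().endswith(MAIL_STORE_SUFFIXES),
            })
    return report


def check_consistency(report):
    """Cross-check the summary counters against the itemised detection lines."""
    problems = []
    stats = report["stats"]
    detected = sum(d["count"] for d in report["detections"])
    if stats.get("Infected objects") != detected:
        problems.append(f"summary says {stats.get('Infected objects')} infected objects, lines list {detected}")
    distinct = len({d["threat"] for d in report["detections"]})
    if stats.get("Threat name") != distinct:
        problems.append(f"summary says {stats.get('Threat name')} threat names, lines list {distinct}")
    return problems


def summarise(report):
    """Per-threat totals and how many of the hits sit in mail-store files."""
    by_threat = Counter()
    for d in report["detections"]:
        by_threat[d["threat"]] += d["count"]
    in_mail = sum(1 for d in report["detections"] if d["mail_store"])
    return {"by_threat": dict(by_threat), "in_mail_store": in_mail, "total": len(report["detections"])}


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(rep["scanner_version"], rep["os"])
    for d in rep["detections"]:
        where = "mail store" if d["mail_store"] else "file"
        print(f"{d['threat']:<28} {where:<10} {d['path']}")
    print("summary:", summarise(rep))
    print("consistency problems:", check_consistency(rep) or "none")
```

Run against a saved report, the script lists each detection with whether it lives in a mailbox file and reports any mismatch between the "Scan statistics" counters and the itemised lines, which is a cheap way to notice a truncated paste before acting on it. For the report above both hits are `.dbx` mail stores and the counters agree with the two detection lines.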

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:40 AM

Posted 19 May 2009 - 03:39 PM

Hello.

Please at least try to empty out all folders from your Outlook e-mail application as there are some mails that are infected.

Then take a new DDS log for me and let me know what symptoms or problems you may still have.

Run the tool below.

Download and Run Icesword Rootkit Scan
  • Please download the latest version of Icesword from here and save it to your Desktop.
  • Right click on IceSword122en.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Once done, check the Show extracted files box and click Finish.
  • Create a new folder on your desktop (right click on desktop, select New > Folder), name it scanner.
  • Double click on Icesword.exe to run it. If Icesword doesn't run, rename it scanner.exe. If you are using Vista, please Right-Click and select Run as Administrator...
Please click Win32 Services in the left column, look out for red colored entries in the services list on the right pane, take a note, and post the red services' names in your next post. If there are too many, the easiest way is to select the Log at the top and save the log as IceSwordlog and post that log in your next reply.

With Regards,
Extremeboy

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:40 AM

Posted 21 May 2009 - 04:31 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#15 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:40 AM

Posted 23 May 2009 - 01:22 PM

Hello.

Due to lack of feedback, this topic is now Closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy