
protect.dll (Worm.Autorun)


This topic is locked
4 replies to this topic

#1 Hailleys Computer

Hailleys Computer

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 09 May 2009 - 06:35 PM

Greetings-

I am hopefully following all of the posting guidelines to help you help me. Over the past few months we have had a recurring issue with various viruses/malware. I have attempted to fix the issue myself using your removal guides but have failed. This PC is in the kids' room, so god knows how or where they got it. I am using McAfee Security Center along with Windows Defender. I am now at my wits' end. Although Malwarebytes and McAfee say they have removed the viruses, they keep coming back. I have added a screenshot of what Malwarebytes has found along with the log files requested.

Thanks In advance.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Compaq_Owner at 18:16:19.60 on Sat 05/09/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.457 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {CFC5345B-5D1F-4686-BAE0-B3BA4EE3ACC7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
StartupFolder: c:\documents and settings\compaq_owner\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\compaq~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\hlfpljfb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: network.proxy.http - 0
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-3 201320]
R2 mcproxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-3 359248]
R2 mcshield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2009-5-3 144704]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 mcsysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-3 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-3 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-3 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-3 40488]
S1 a0b371c5;a0b371c5;c:\windows\system32\drivers\a0b371c5.sys --> c:\windows\system32\drivers\a0b371c5.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-3 33832]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-16 24652]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-05-09 17:42 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-09 17:23 24,064 a--sh--- c:\documents and settings\compaq_owner\protect.dll
2009-05-07 08:18 66,048 a------- c:\windows\system32\lds.exe
2009-05-04 23:04 <DIR> --d----- c:\docume~1\compaq~1\applic~1\McAfee
2009-05-03 21:45 3,191 a------- c:\windows\system32\Config.MPF
2009-05-03 21:44 143,360 a------- c:\windows\system32\dunzip32.dll
2009-05-03 21:41 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-05-03 21:41 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-05-03 21:41 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-05-03 21:41 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-05-03 21:41 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-05-03 21:41 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-05-03 21:40 <DIR> --d----- c:\program files\McAfee.com
2009-05-03 21:40 <DIR> --d----- c:\program files\common files\McAfee
2009-05-03 21:40 <DIR> --d----- c:\program files\McAfee
2009-05-03 21:20 19,016 a------- c:\windows\system32\dllcache\ktc111.sys
2009-05-03 21:19 45,109 a------- c:\windows\system32\dllcache\imjpuex.exe
2009-05-03 21:18 50,751 a------- c:\windows\system32\dllcache\hsf_tone.sys
2009-05-03 21:17 48,128 a------- c:\windows\system32\dllcache\hpgt33tk.dll
2009-05-03 21:16 22,090 a------- c:\windows\system32\dllcache\fem556n5.sys
2009-05-03 21:15 19,996 a------- c:\windows\system32\dllcache\em556n4.sys
2009-05-03 21:14 110,621 a------- c:\windows\system32\dllcache\digirlpt.dll
2009-05-03 21:13 216,064 a------- c:\windows\system32\dllcache\cpscan.dll
2009-05-03 21:12 13,824 a------- c:\windows\system32\dllcache\bulltlp3.sys
2009-05-03 21:11 462,848 a------- c:\windows\system32\dllcache\a3dapi.dll
2009-05-03 21:11 231,552 a------- c:\windows\system32\dllcache\ac97ali.sys
2009-05-03 21:11 23,552 a------- c:\windows\system32\dllcache\abp480n5.sys
2009-05-03 21:11 98,304 a------- c:\windows\system32\dllcache\a3d.dll
2009-05-03 21:11 38,400 a------- c:\windows\system32\dllcache\8514a.dll
2009-05-03 21:11 148,352 a------- c:\windows\system32\dllcache\3dfxvsm.sys
2009-05-03 21:11 48,128 a------- c:\windows\system32\dllcache\61883.sys
2009-05-03 21:11 12,288 a------- c:\windows\system32\dllcache\4mmdat.sys
2009-05-03 21:11 762,780 a------- c:\windows\system32\dllcache\3cwmcru.sys
2009-05-03 21:11 689,216 a------- c:\windows\system32\dllcache\3dfxvs.dll
2009-05-03 21:11 11,264 a------- c:\windows\system32\dllcache\1394vdbg.sys
2009-05-03 21:11 53,376 a------- c:\windows\system32\dllcache\1394bus.sys
2009-05-03 21:11 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-05-02 18:13 <DIR> --d----- c:\windows\ERUNT
2009-05-02 18:07 <DIR> --d----- C:\SDFix
2009-05-02 17:31 161,792 a------- c:\windows\SWREG.exe
2009-05-02 17:31 98,816 a------- c:\windows\sed.exe
2009-05-02 17:16 <DIR> --d----- c:\program files\Trend Micro
2009-05-02 13:46 18 a---h--- C:\SYSREST
2009-05-02 11:22 578,560 a------- c:\windows\system32\zszd
2009-05-02 11:13 578,560 a------- c:\windows\system32\vdjytu
2009-05-02 11:04 578,560 a------- c:\windows\system32\advlbuex
2009-05-02 11:03 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-04-16 10:52 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 10:52 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 10:52 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 10:52 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 10:52 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 10:51 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-16 10:51 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-05-05 21:07 176 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-05-02 17:36 578,560 a------- c:\windows\system32\user32.dll
2009-05-02 17:34 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 09:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 07:10 729,088 a------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 07:10 714,752 a------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 07:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 07:10 473,600 a------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 07:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys

============= FINISH: 18:17:12.00 ===============
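The DDS log above contains the file-system artifacts a responder would look at first: a DLL (protect.dll) created in the user profile with the system and hidden attributes set, three extensionless files in system32 that are exactly the size of user32.dll, and a driver (a0b371c5.sys) the tool could not resolve. The following Python script is an added triage example, not part of this thread and not a DDS feature: it parses "Created Last 30"-style lines and applies those three heuristics. The sample lines are copied from the log above; the heuristics, the `triage` function and its `size_twin_of` parameter are this example's own assumptions and only narrow down what a human should inspect.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the "Created Last 30" and Find3M lines from the
# DDS log posted above, embedded so the script runs offline.
SAMPLE_LOG = r"""
2009-05-09 17:42 27,648 a------- c:\windows\system32\lmn_setup.exe
2009-05-09 17:23 24,064 a--sh--- c:\documents and settings\compaq_owner\protect.dll
2009-05-07 08:18 66,048 a------- c:\windows\system32\lds.exe
2009-05-04 23:04 <DIR> --d----- c:\docume~1\compaq~1\applic~1\McAfee
2009-05-03 21:41 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-05-02 13:46 18 a---h--- C:\SYSREST
2009-05-02 11:22 578,560 a------- c:\windows\system32\zszd
2009-05-02 11:13 578,560 a------- c:\windows\system32\vdjytu
2009-05-02 11:04 578,560 a------- c:\windows\system32\advlbuex
2009-05-02 11:03 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-04-16 10:52 284,160 -------- c:\windows\system32\dllcache\pdh.dll
"""

# One DDS file line: date, time, size (or <DIR>), 8-character attribute field, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)


def parse_dds_created(text):
    """Parse DDS 'Created Last 30' lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "date": m["date"],
            "time": m["time"],
            "size": None if is_dir else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"].lower(),   # DDS mixes case; normalise for matching
            "is_dir": is_dir,
        })
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(entries, size_twin_of=("user32.dll",)):
    """Return (reason, path) pairs for entries that match simple triage heuristics (assumed here)."""
    findings = []

    # Index files by byte size so size collisions can be checked cheaply.
    by_size = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and e["size"] is not None:
            by_size[e["size"]].append(e)

    for e in entries:
        if e["is_dir"]:
            continue
        name, attrs, path = basename(e["path"]), e["attrs"], e["path"]

        # 1. System + hidden attributes are normal for OS files under %windir%,
        #    but unusual for a DLL created inside a user profile.
        in_profile = any(p in path for p in ("\\documents and settings\\", "\\docume~1\\"))
        if "h" in attrs and "s" in attrs and in_profile:
            findings.append(("hidden+system file in user profile", path))

        # 2. A file with no extension dropped directly into system32.
        if "\\system32\\" in path and "." not in name:
            findings.append(("extensionless file in system32", path))

        # 3. Same byte size as a sensitive system DLL but under a different name,
        #    which is worth comparing against the dllcache copy by hand.
        for twin in size_twin_of:
            twins = by_size.get(e["size"], [])
            if name != twin and any(basename(o["path"]) == twin for o in twins):
                findings.append((f"same size as {twin}", path))

    return findings


if __name__ == "__main__":
    for reason, path in triage(parse_dds_created(SAMPLE_LOG)):
        print(f"{reason:40s} {path}")
```

Run against the sample, the script flags protect.dll for the attribute heuristic and zszd, vdjytu and advlbuex twice each (no extension, and the same 578,560 bytes as user32.dll). Matches are leads for a responder to verify with hashes and signatures, not verdicts; a legitimate hotfix can also leave same-size copies behind.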



#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:13 PM

Posted 24 May 2009 - 06:32 AM

Hi Hailleys Computer,

Sorry for the delay; the forums here at BC are always very busy and we do our best to keep up. Since your log is quite old and a lot could have changed, I would like to see a new log please. If you no longer require any help, could you let me know please, so this topic can be closed.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both logs: log.txt (<<will be maximized) and info.txt (<<will be minimized)
Thanks



#3 Hailleys Computer

Hailleys Computer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 24 May 2009 - 12:29 PM

Hi, thank you for your reply:

As luck would go, I decided to re-initialize the infected partition and restore yesterday. I know you guys are busy, so I figured that I would save you some time.

I would like to add for the good of the group that the nature of my virus truly compromised the data. Based on other posts, and the nature of the virus, even if we did manage to rid ourselves of this virus, there was no guarantee that the computer was completely free of future attacks.

I was able to figure out that the genesis of the virus was from my daughter's Facebook page and a link posted within it. So let's relearn the lesson: "if you don't know the sender and where the link is going, then don't click on it."

I would have liked to know the fix, but such is life; there are many people that need your help more than me.

Please close the case and have a nice day.


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:13 PM

Posted 24 May 2009 - 12:39 PM

Hi,

I'm glad to hear that you have resolved your problems :thumbup2: and I appreciate you letting me know :)
I will get this topic closed now.

Regards



#5 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:13 AM

Posted 24 May 2009 - 12:50 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not PM for help; post it in the forums instead.

If I am helping you and have not responded for 48 hours, please send me a PM as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



