Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Win32:Rootkit-gen[Rtk]


  • This topic is locked This topic is locked
4 replies to this topic

#1 blauvvy

blauvvy

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Location:New England USA
  • Local time:01:57 PM

Posted 12 May 2009 - 07:29 AM

Hello, really stuck on this one. I am running Windows XP Pro with (I thought) latest updates, using fully updated Avast! virus protection and Windows Defender (I thought). Started getting FREQUENT reports with the subject infection from Avast! However, no matter what action I try, it keeps coming back and is NOT cleaned. For example I have selected "Move to Chest", "Delete" and other options. I have run boot-time scans that report infections clean, but it still comes back, I have run multiple Avast! scans and tried to run Windows Defender scans. I have also recently downloaded PC Tools Spyware Doctor and run THAT! To no avail. Few critical things I noticed.

1. The virus/malware appears to have locked me out of regedit (reports "disabled by Administrator). Got around this with a little script tool

2. The virus/malware disabled (and continues to try to disable) the "Folder Options" capability in Windows explorer, and FORCES a registry entry the Hides all hidden and system files in the Windows explorer views.

3. The virus/malware also disabled Windows Defender AND Automatic updates. Both are "broken" now, so I cannot update Windows or receive updated file descriptors for Windows Defender (I subsequently tried to install Spyware Doctor in lieu of WD, and it seems to be working, but still will not clear the infection completely)

Any help is most appreciated. I'm really killed by this one!!

blauvvy

================================================================================



DDS (Ver_09-03-16.01) - NTFSx86
Run by Peter Blauvelt at 8:11:22.01 on Tue 05/12/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1126 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090511-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Peter Blauvelt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimp2.exe
C:\Program Files\Alwil Software\Avast4\ashChest.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Documents and Settings\Peter Blauvelt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Peter Blauvelt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Peter Blauvelt\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Peter Blauvelt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: c:\windows\system32\jkshfuiehi.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\jkshfuiehi.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - No File
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [Google Update] "c:\documents and settings\peter blauvelt\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Diagnostic Manager] c:\docume~1\peterb~1\locals~1\temp\2330285422.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\3\printray.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/da/PCPitStop.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} - hxxp://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} - hxxps://www1.gotomeeting.com/default/applets/g2mdlax.cab
DPF: {8DA26812-F2DD-498F-90EA-F22C22049FFF} - hxxps://bdr139008.bmcgroup.com/BMCViewer.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {ACA61271-6403-409E-B59F-CC652AE83E23} - hxxps://bdr139008.bmcgroup.com/BulkPrint.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://www.driveragent.com/files/driveragent.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\jkshfuiehi.dll: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - c:\windows\system32\jkshfuiehi.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-12 130936]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-4 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-4 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-7-10 138680]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-12 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-5-12 1095560]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-7-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-7-10 352920]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\peter blauvelt\desktop\vcdrom.sys --> c:\documents and settings\peter blauvelt\desktop\VCdRom.sys [?]
S2 gupdate1c98abb8f7feb94;Google Update Service (gupdate1c98abb8f7feb94);c:\program files\google\update\GoogleUpdate.exe [2009-2-9 133104]
S2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2007-8-20 10368]
S3 GoogleDesktopManager-051608-133132;Google Desktop Manager 5.7.805.16405;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-5-28 29744]
S3 GTKCMOS;GTKCMOS;c:\windows\system32\GTKCMOS.sys [2004-6-15 7882]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]

=============== Created Last 30 ================

2009-05-12 00:14 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-12 00:13 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-12 00:13 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-12 00:13 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-12 00:13 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-12 00:13 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-12 00:13 <DIR> --d----- c:\docume~1\peterb~1\applic~1\PC Tools
2009-05-12 00:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-09 10:20 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-05-08 08:44 2 a------- C:\-1736710645
2009-05-08 08:43 15,000 a------- c:\windows\system32\jkshfuiehi.dll
2009-04-30 19:02 <DIR> --d----- c:\program files\common files\DivX Shared
2009-04-29 15:19 421,888 a------- c:\windows\system32\ac3filter.acm
2009-04-29 15:19 <DIR> --d----- c:\program files\AC3Filter
2009-04-29 15:00 815,104 a------- c:\windows\system32\xvidcore.dll
2009-04-29 15:00 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-04-29 15:00 77,824 a------- c:\windows\system32\xvid.ax
2009-04-29 15:00 <DIR> --d----- c:\program files\Xvid
2009-04-16 09:43 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 09:43 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 09:43 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 09:43 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 09:43 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-16 09:43 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 09:43 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 09:43 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 09:43 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 09:43 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 09:26 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-16 09:26 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-16 09:26 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-15 16:24 90,112 a------- c:\windows\system32\dpl100.dll
2009-04-15 16:24 823,296 a------- c:\windows\system32\divx_xx0c.dll
2009-04-15 16:24 823,296 a------- c:\windows\system32\divx_xx07.dll
2009-04-15 16:24 815,104 a------- c:\windows\system32\divx_xx0a.dll
2009-04-15 16:24 802,816 a------- c:\windows\system32\divx_xx11.dll
2009-04-15 16:24 684,032 a------- c:\windows\system32\DivX.dll
2009-04-14 18:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lexmark 7600 Series

==================== Find3M ====================

2009-05-09 10:20 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-04-04 22:03 11,712 a------- c:\windows\system32\nvModes.dat
2009-03-24 07:03 7,808 a------- c:\windows\system32\drivers\psi_mf.sys
2009-03-21 10:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-11-07 16:00 60,744 a------- c:\documents and settings\peter blauvelt\g2mdlhlpx.exe
2007-11-20 18:33 25,600 -------- c:\documents and settings\peter blauvelt\usbsermptxp.sys
2007-11-20 18:33 22,768 -------- c:\documents and settings\peter blauvelt\usbsermpt.sys
2007-11-20 18:24 5,936 -------- c:\documents and settings\peter blauvelt\mqdmwhnt.sys
2007-11-20 18:24 92,064 -------- c:\documents and settings\peter blauvelt\mqdmmdm.sys
2007-11-20 18:24 79,328 -------- c:\documents and settings\peter blauvelt\mqdmserd.sys
2007-11-20 18:24 66,656 -------- c:\documents and settings\peter blauvelt\mqdmbus.sys
2007-11-20 18:24 9,232 -------- c:\documents and settings\peter blauvelt\mqdmmdfl.sys
2007-11-20 18:24 6,208 -------- c:\documents and settings\peter blauvelt\mqdmcmnt.sys
2007-11-20 18:24 4,048 -------- c:\documents and settings\peter blauvelt\mqdmcr.sys
2007-09-25 16:05 60,968 -------- c:\documents and settings\peter blauvelt\GoToAssistDownloadHelper.exe
2008-08-26 12:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 8:12:21.45 ===============
Attached File  Attach.txt   13.41KB   8 downloads

BC AdBot (Login to Remove)

 


#2 blauvvy

blauvvy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Location:New England USA
  • Local time:01:57 PM

Posted 13 May 2009 - 05:21 PM

Hi, this is just and update that I hope will help someone to help me!

1. The infection is NOW trying to send massive amounts of emails, mostly related to a solicitation for "low cost handbags" and "cheap Prada for sale" and similar. Avast appears to be catching these because they contain LARGE numbers of addressees, so Avast is flagging them as potentially inappropriate and giving me alert that allows me to choose "Don't Send!". There are massive amounts of these though, so I am suffering a full-scale hijack of my system!

2. My newly installed PC Tools Spyware Doctor is ALSO catching lots of stuff. All SORTS of different infections are being reported including: Rootkit.Agent.EY, Trojan-Downloader.Agent.OGP, tracking cookies, etc.

3. Avast ALSO periodically reports infectious files and they are typciall STORED in: c:/Docs_Settings/MyUserName/LocalSettings/Temp (I'm paraphrasing the exact syntax, but you get the picture)

4. In ALL CASES, both Avast and Spyware Doctor "appear" to have caught and cleaned, then request a reboot with boot scan (not sure this always happens).... BUT THE INFECTION PERSISTS AND SEEMS TO BE GETTING WORSE!

I'm really in trouble here! Please help if you can! Thanks so much!!

blauvvy
===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 13 May 2009 - 08:01 PM.


#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:01:57 PM

Posted 26 May 2009 - 12:01 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 blauvvy

blauvvy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Location:New England USA
  • Local time:01:57 PM

Posted 26 May 2009 - 01:12 PM

Hello,

PLEASE MARK THIS ONE RESOLVED...

Thanks for the reply. I understand you are all volunteers and I appreciate your help very much. However, because of my desperation I elected an alternate route. This was a REALLY horrific infection for me. I'm not sure I can adequately describe everything, but just for the benefit of others, I thought I would give a brief synopsis.

First... SYMPTONS:
The infection disabled, systematically, many of the security features on my laptop, including: MS Windows firewall shutdown and rendered unable to restart, MS Windows update shutdown and rendered unable to restart, all NETWORK connections damaged or disrupted in a way that was not easily recoverable; A/V software (avast! 4.8 pro in my case) constantly scanning and finding things, but unable to completely clear the infection. At various times, I had reports of the original mentioned infection, as well as countless adware / spying cookies, and then reports of many other seemingly unrelated infections (see attached avast log for an idea of what occurred.

What I ended up doing:
After countless unsuccessful scans and "cleanings" by avast, Spyware Doctor, and other free online tools such as Kaspersky, and also AFTER all of my network connectivity was damaged and not recoverable, I finally decided to reach out directly to Microsoft. They were no help as first, telling me I had to have network connection (!) to be helped by them. So on my own, I was able to boot from my original Windows XP Pro SP1 dvd, and perform a "repair" installation (also known as an inplace upgrade, I think?) This worked, but of course is did away with SP2 and SP3 as well as about 100 or so other Windows Updates. However, I had basic networking back in place. I then recontacted MS and they actually took remote control of my machine, performed their online scan and a whole bunch of other third-part clean up utilities, which I can't even begin to name. This action (over the space of THREE FULL DAYS OF SCANNING AND CLEANING) finally recovered all the basic functions of XP, including firewall and windows update. Once done, it then took me another TWO FULL DAYS of constant attention to recover all of the SP2, SP3 and other updates via Windows update.

I'm sorry I can't be more precise in my description, I know the above is probably not much help to anyone else facing the same type of infection.

In retrospect, all I can say is:
1. Stay OFF of any websites that are not known to you to be under the control of reputable brand-name firms.
2. NEVER connect to the internet (or an unknown) network via a Administrator account (I can't prove it, but I suspect this was a huge part of my unsafe surfing problem!)
3. NEVER click links or open emails from unknown parties no matter what.

IN closing, I also can't prove this, but I have a suspicion the infection came in as a fake component of JAVA, perhaps a viral dll file or script or BHO or something of that nature. Not sure why, but it seemed to start when I was doing something with JAVA. Sorry I can't pinpoint it closer than that.

Thanks again to all the dedicated volunteers and other interested parties that form this community! I may not have received a direct solution from here, due to my own inpatience, but I certainly appreciate all of the other posts I reviewed to help get me pointed in the right direction.

Warm regards,

blauvvy

Attached Files



#5 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the &quot;Logic Free Zone&quot;, in Md, USA
  • Local time:01:57 PM

Posted 26 May 2009 - 01:14 PM

Thanks for informing us what you have done.

Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users