Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

WinPC Antivirus


  • Please log in to reply
1 reply to this topic

#1 devans725

devans725

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:02:42 AM

Posted 14 May 2009 - 04:53 PM

I am using Windows XP pro. When I first saw the computer it was frozen with a couple WinPC windows open; one about the firewall and another reporting infections. I had to hard restart. After doing so, while loading the user profile I got the BSOD IRQ_NOT_LESS_THAN_OR_EQUAL. Rebooted again. As it loads the user profile settings WinPC takes over and the computer slows to a halt. Rebooted into safemode. While in safe mode I tried installing MalwareBytes but nothing happens, it won't install. From a suggestion I found on the MalwareBytes forum, I tried renaming the install file but it still wouldn't install. I then opened Adaware which I had already installed on the computer. After updating it I ran a full scan, it found like 5 trojans and removed them. Tried restarting the computer and the same thing happens with WinPC. Tried installing MalwareBytes a couple more times for fun. Now I am here. Following are the results from DDS, thank you.


DDS (Ver_09-05-14.01) - NTFSx86 NETWORK
Run by Administrator at 16:06:29.98 on Thu 05/14/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070202
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070202
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WinInet Class: {39fc2065-c9c7-49cd-8942-44cc2dedc844} - c:\windows\ieocx.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! uC: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [PMX Daemon] ICO.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [<NO NAME>]
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} - hxxps://accounting.quickbooks.com/c3/v18.157/qboax10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: {43706EA8-B5E5-40D9-ADEA-05FBE02DE2CA} = 192.168.0.9
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-14 09:38 28,672 a------- c:\windows\ieocx.dll
2009-05-04 08:17 268 a---h--- C:\sqmdata03.sqm
2009-05-04 08:17 244 a---h--- C:\sqmnoopt03.sqm
2009-05-01 08:05 244 a---h--- C:\sqmnoopt02.sqm
2009-05-01 08:05 232 a---h--- C:\sqmdata02.sqm
2009-04-15 06:56 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 06:56 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 06:56 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-15 06:56 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 06:56 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 06:56 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 06:56 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 06:56 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 06:56 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 06:56 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 06:49 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 06:49 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-15 06:49 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-03-21 09:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-13 16:46 87,779 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-13 16:22 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 23:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 05:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 00:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll

============= FINISH: 16:07:48.71 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:01:42 AM

Posted 24 May 2009 - 01:56 PM

Hello devans725.

If the same issues are still present, and also if you have not gotten help elsewhere, then do the following:

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
Posted Image
If you are a a casual viewer, do NOT try this on your system!
If you are not devans725 and have a similar problem, do NOT post here; start your own topic[/color]

Do not run or start any other programs while these utilities and tools are in use!
Posted Image Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

NOTE: If any rogue program pops up, use this method to close it:
Use ALT+F4 keys to close those rogue pop-up windows. Press and hold the ALT key & then press F4 key.
Repeat as needed.

=
Let's have you create a restore point (at this time).
1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. If there is a check mark next to "Turn off System Restore on all drives", then click on the line to clear it.
4. If C is your system drive (as it is in most cases) and you see other drives monitored in the list (like D, E, etc) click on the other drives, press Settings button, and get the other drives turned off.
5. we only want to monitor the drive with Windows o.s.
If you are unable to activate System Restore or if the service is disabled, then.....
from the Start button > RUN option .... type in
services.msc

look for System Restore service
If it is listed as off or inactive, press on the link at top left to Start it.

Next, See and do as outlined here http://bertk.mvps.org/html/createrp.html

After that, also do this:
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Next:
If you have a prior copy of SmitFraudFix, delete it now :!:
Please download SmitfraudFix (by S!Ri) :hand: Don't download SmitfraudFix until you're ready to run/use it. It's very important that you be using the most recent version (v2.417 as of this post).
Extract the contents of the exe file (a folder named SmitfraudFix) to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual user account.
1. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

2. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

4. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:
  • process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  • Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you're infected
=

Be sure to reboot the system when you reach this point, and get to Normal mode Windows XP.

Disable any script blocker if your antivirus/antimalware has it.
Redo the steps for a new run of DDS

Reply with a copy of the C:\rapport.txt
and DDS.txt
and Attach.txt
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users