Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Protection System and TDSS Variant


  • This topic is locked This topic is locked
18 replies to this topic

#1 Lonegungirl

Lonegungirl

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:24 AM

Posted 29 July 2009 - 11:49 PM

Hi. I have been getting help from rigel over in the "Am I Infected?" forum, Topic referenced is here: http://www.bleepingcomputer.com/forums/t/243208/trouble-getting-ride-of-protection-system/ ~ OB but he has suggested I post over here, as they were unable to totally remove it with the tools available to them. The link to the thread is . I have taken no actions not detailed in the thread since it started, and I have been using Safari solely as a browser, since the one time I tried using IE to install Eset, it unleashed its bucketload of porn.

DDS log:

DDS (Ver_09-06-26.01) - NTFSx86
Run by jnymd at 20:30:36.75 on Wed 07/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.170 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Safari\Safari.exe
svchost.exe C:\WINDOWS\TEMP\VRT2.tmp
svchost.exe C:\WINDOWS\TEMP\VRT12.tmp
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
svchost.exe C:\WINDOWS\TEMP\VRT7D.tmp
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\jnymd\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = google.com
uSearch Bar = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.averatec.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MSN helper: {91704c3f-a675-4e0e-9fb7-b03e005edda7} - systran.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FFTI] c:\documents and settings\jnymd\application data\mozilla\firefox\profiles\zj52iqzl.default\extensions\{b13721c7-f507-4982-b2e5-502a71474fed}\ffti.exe /verysilent /suppressmsgboxes /norestart /destpath="c:\documents and settings\jnymd\application data\mozilla\firefox\profiles/zj52iqzl.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [DigiFast] c:\documents and settings\jnymd\application data\digifast\digifast.exe
dRun: [jnymd] c:\documents and settings\jnymd\jnymd.exe /i
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: AOL &Dictionary Search - file:///c:\program files\common files\aol\AOLSearch/AOLDictionary.htm
IE: AOL &Thesaurus Search - file:///c:\program files\common files\aol\AOLSearch/AOLThesauras.htm
IE: AOL &Video Search - file:///c:\program files\common files\aol\AOLSearch/AOLVideo.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Addiction by pogo - hxxp://game3.pogo.com/v/9.1.3.19/applet/addiction/addiction-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://pictures.aolcdn.com/ap/Resources/1.2.0.38b/cab/aolpPlugins.10.1.0.0.cab
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - hxxp://aolcc.aol.com/computercheckup/qdiagcc.cab
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37998.6649305556
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jnymd\applic~1\mozilla\firefox\profiles\zj52iqzl.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: browser.startup.homepage - hxxp://join.123cashformula.com/track/NTI4MzEuNy42LjEyLjAuMC4wLjA
FF - component: c:\documents and settings\jnymd\application data\mozilla\firefox\profiles\zj52iqzl.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar3.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\components\WWShow.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-28 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-25 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4e.tmp --> c:\windows\system32\4E.tmp [?]
S3 protect;protect;c:\windows\system32\drivers\protect.sys [2009-7-28 18944]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]

=============== Created Last 30 ================

2009-07-29 20:26 54,784 a------- c:\windows\system32\drivers\UACd.sys
2009-07-29 20:26 2,385 a------- c:\windows\system32\kjnd
2009-07-29 20:26 30,720 a------- c:\windows\system32\systran.dll
2009-07-29 20:26 1 a------- c:\windows\system32\80.tmp
2009-07-29 20:25 84 a------- c:\windows\system32\7F.tmp
2009-07-28 17:45 2,090 a------- c:\windows\system32\tmp.reg
2009-07-28 17:31 42,488 ----h--- c:\documents and settings\jnymd\jnymd.exe
2009-07-28 17:25 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-07-28 17:25 53,248 a------- c:\windows\system32\18.tmp
2009-07-28 17:25 35,840 a------- c:\windows\system32\16.tmp
2009-07-28 17:25 120 a------- c:\windows\system32\13.tmp
2009-07-28 07:47 53,248 a------- c:\windows\system32\9.tmp
2009-07-28 07:47 35,840 a------- c:\windows\system32\7.tmp
2009-07-28 07:47 0 a------- c:\windows\system32\5.tmp
2009-07-28 07:46 120 a------- c:\windows\system32\3.tmp
2009-07-27 22:53 44 a------- c:\windows\system32\7A.tmp
2009-07-27 18:04 --d----- c:\docume~1\jnymd\applic~1\GetPrimo
2009-07-27 17:45 --d----- c:\program files\ESET
2009-07-27 17:28 44 a------- c:\windows\system32\65.tmp
2009-07-27 17:27 0 a------- c:\windows\SC.INS
2009-07-26 20:14 44 a------- c:\windows\system32\5A.tmp
2009-07-26 18:04 44 a------- c:\windows\system32\14.tmp
2009-07-25 09:47 -cd----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-25 09:46 --d----- c:\program files\SUPERAntiSpyware
2009-07-25 09:46 --d----- c:\docume~1\jnymd\applic~1\SUPERAntiSpyware.com
2009-07-25 09:45 --d----- c:\program files\common files\Wise Installation Wizard
2009-07-24 22:28 40 a------- c:\windows\system32\11.tmp
2009-07-24 22:28 88 ac------ C:\Make Money Online.url
2009-07-24 22:28 70 ac------ C:\Girls on your desktop.url
2009-07-24 12:51 --d----- c:\docume~1\jnymd\applic~1\Malwarebytes
2009-07-24 12:51 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-24 12:51 -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-24 12:51 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-24 02:19 40 a------- c:\windows\system32\C8.tmp
2009-07-24 00:19 40 a------- c:\windows\system32\AE.tmp
2009-07-23 19:55 --d----- c:\program files\Sophos
2009-07-23 19:48 40 a------- c:\windows\system32\60.tmp
2009-07-22 18:33 40 a------- c:\windows\system32\4D.tmp
2009-07-21 19:04 --d----- c:\documents and settings\jnymd\DoctorWeb
2009-07-21 01:58 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-21 01:11 40 a------- c:\windows\system32\17.tmp
2009-07-20 22:30 --d----- c:\program files\XPC Tools
2009-07-20 22:30 --dsh--- c:\documents and settings\jnymd\PrivacIE
2009-07-20 22:17 785,920 a------- c:\windows\system32\wscsvc32.exe
2009-07-20 22:17 257,536 a------- c:\windows\system32\resdll.dll
2009-07-20 20:51 --d----- c:\program files\iXi Tools
2009-07-20 20:09 --d----- c:\program files\SystemRequirementsLab
2009-07-19 20:58 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-14 19:06 --d----- c:\program files\meta-iPod, the iTunes Cleaner
2009-07-12 20:10 --d----- c:\program files\iTunes
2009-07-12 18:00 --d----- c:\program files\4Media
2009-07-12 16:07 --d----- c:\program files\Joboshare
2009-07-12 02:14 --d----- c:\program files\Pod to PC
2009-07-11 02:00 129,520 -------- c:\windows\system32\pxafs.dll
2009-07-11 00:54 --d----- c:\program files\PeerGuardian2
2009-07-10 23:04 12 a------- c:\windows\msoffice.ini
2009-07-10 22:15 --d----- c:\program files\uTorrent
2009-07-10 22:14 --d----- c:\docume~1\jnymd\applic~1\uTorrent
2009-07-09 19:39 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-07-09 19:39 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-07-09 19:39 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-07-09 19:39 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-07-09 19:38 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-07-09 19:38 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-07-04 12:36 --dsh--- c:\documents and settings\jnymd\IETldCache
2009-07-04 12:26 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-04 12:23 --d----- c:\windows\ie8updates
2009-07-04 12:17 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-04 12:17 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-04 12:02 -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-07-07 17:38 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-04 11:12 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 06:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 06:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-05 11:42 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-05 11:42 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 11:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-12 21:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 07:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 10:30 3,387,392 a------- c:\windows\system32\GPhotos.scr
2008-04-11 23:00 651,264 ac------ c:\documents and settings\jnymd\GoToAssist_chat2way__317_en.exe
2004-01-05 15:55 61,440 a------- c:\program files\Uninstall_CDS.exe
2008-07-29 11:08 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072920080730\index.dat

============= FINISH: 20:32:50.25 ===============

Thanks for any assistance!

Attached Files


Edited by Orange Blossom, 29 July 2009 - 11:53 PM.


BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:24 AM

Posted 30 July 2009 - 12:39 AM

Hello Lonegungirl,

Posted Image

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! :thumbup2:

If McAfee still gives you problems then you may have to temporarily uninstall it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 Lonegungirl

Lonegungirl
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:24 AM

Posted 30 July 2009 - 01:18 AM

Hi--thank you for responding!

I downloaded ComboFix, disabled my resident protective programs and double clicked ComboFix, but it's giving me an error message that says "!!Alert!! It is not safe to continue! The contents of the ComboFix package has been compromised. Please download a fresh copy from http://www.bleepingcomputer.com/combofix/how-to-use-combofix. Note: You may be infected with a file patching virus 'Virut'"

I just wanted to double check it, since I no longer believe anything my computer tells me.

Thanks!

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:24 AM

Posted 30 July 2009 - 02:02 AM

Oh dear :thumbup2: You may very well have Virut then. :) Can you get HijackThis so I can have a look? There are a ton of baddies in the DDS you posted, but I'd like to be sure before I tell you you have anything as dire as Virut.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#5 Lonegungirl

Lonegungirl
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:24 AM

Posted 30 July 2009 - 02:32 AM

The computer is again stopping me from opening the bleepingcomputer webpage (it was doing that early on in the infection.) Should I run Malwarebytes again? That seemed to be the only thing that would even temporarily fix it.

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:24 AM

Posted 30 July 2009 - 03:21 AM

Can you post the report it makes, and also get a HijackThis log? :)

I know it's frustrating. :thumbup2:

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#7 Lonegungirl

Lonegungirl
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:24 AM

Posted 30 July 2009 - 10:58 AM

OK, here's the Malwarebytes report, if it helps:

Malwarebytes' Anti-Malware 1.39
Database version: 2517
Windows 5.1.2600 Service Pack 3

7/30/2009 7:21:11 AM
mbam-log-2009-07-30 (07-21-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 182603
Time elapsed: 2 hour(s), 54 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 6
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91704c3f-a675-4e0e-9fb7-b03e005edda7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{91704c3f-a675-4e0e-9fb7-b03e005edda7} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D3 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\pr (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\BN (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\gd (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D1 (Spyware.Ambler) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MSN\D2 (Spyware.Ambler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\jnymd\local settings\temporary internet files\Content.IE5\J2SVLYDK\lo[1].htm (Trojan.Cutwail) -> Quarantined and deleted successfully.
c:\documents and settings\jnymd\local settings\temporary internet files\Content.IE5\XOL8SB72\abb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\16.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\C7.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\7.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\BN3B.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

I am trying to download the HiJackThis installer, however it keeps stalling at 110 Kb. I'll keep it downloading while I go to work.

Thanks!

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:24 AM

Posted 30 July 2009 - 11:02 AM

Thanks, and post when you're ready. :) Have a good day at work. :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 Lonegungirl

Lonegungirl
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:24 AM

Posted 30 July 2009 - 09:42 PM

OK, finally managed to get the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:06, on 7/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Documents and Settings\jnymd\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\jnymd\Application Data\Mozilla\Firefox\Profiles\zj52iqzl.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\jnymd\Application Data\Mozilla\Firefox\Profiles/zj52iqzl.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DigiFast] C:\Documents and Settings\jnymd\Application Data\digifast\digifast.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jnymd] C:\Documents and Settings\jnymd\jnymd.exe /i (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: AOL &Dictionary Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLDictionary.htm
O8 - Extra context menu item: AOL &Thesaurus Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLThesauras.htm
O8 - Extra context menu item: AOL &Video Search - file:///C:\Program Files\Common Files\aol\AOLSearch/AOLVideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: Addiction by pogo - http://game3.pogo.com/v/9.1.3.19/applet/ad...ction-en_US.cab
O16 - DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} (AOL Pictures Uploader Class) - http://pictures.aolcdn.com/ap/Resources/1....ns.10.1.0.0.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applicatio...torLauncher.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10276 bytes

Thanks for all the help! I really appreciate it!

#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:24 AM

Posted 30 July 2009 - 11:44 PM

Thank you.....that's great! :thumbup2: You're most welcome. :)

I'm going to ask that you uninstall McAfee for now. I really think that's the problem here. We have to get at that rootkit, and having 2 anti virus programs, especially McAfee, isn't helping us at all.

Download the removal tool from http://download.mcafee.com/products/licens...atches/MCPR.exe
  • Click Save and save the file to any folder on the computer.
  • Navigate to the folder where the file is saved.
  • Double-click MCPR.exe.
  • Click Run. A Command Line window will be displayed, and then close automatically. Wait for a second Command Line window to be displayed.
    Note: Do not double-click MCPR.exe again, you may have to wait up to 1 minute for the next window to appear.
    After the second window appears, the program will begin the cleanup.
  • Observe the installation, which could take several minutes. The following message will be displayed in the Command Line window:
    The machine must reboot to complete the un-installation. Reboot now? [y.n]
  • Press Y on the keyboard.
  • Wait for the computer to restart.
All McAfee products are now removed from your computer.
These McAfee removal instructions can be found at http://ts.mcafeehelp.com/faq3.asp?docid=408302

Then try to download ComboFix again and run it. :)

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#11 Lonegungirl

Lonegungirl
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:24 AM

Posted 31 July 2009 - 01:00 AM

Well, I uninstalled McAfee and restarted without problems, and then downloaded ComboFix uneventfully, but when I click on it, I get the same message again that it isn't safe to continue because the ComboFix package has been compromised. I tried downloading it from both links, but I still get the same thing. Ugh.

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:24 AM

Posted 31 July 2009 - 01:03 AM

Try renaming ComboFix.exe to Lonegungirl.exe and see if that lets it run. :thumbup2:
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#13 Lonegungirl

Lonegungirl
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:24 AM

Posted 31 July 2009 - 01:23 AM

I saved it as lonegungirl.exe, but when I tried to run it, it still gives me the "compromised package" message. After clicking "ok" on the message, the .exe file disappears off the desktop each time--I have no idea to where.

#14 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:24 AM

Posted 31 July 2009 - 01:45 AM

It's all right.......or I should say, it's not anything you're doing wrong. We already know you have several bad guys on the system, one of those being a rootkit. There is also evidence that you do have Virut because of ComboFix's warnings. With your system so severely infected it may be better to start over. With Virut, you have no choice but to start over. Here's why :

Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

More information:
http://free.avg.com/66558

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.


http://home.mcafee.com/VirusInfo/VirusProf...aspx?key=143034

W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
Immediately before the encrypted code at the end of the last section
At the end of the code section of the infected host in 'slack-space' (assuming there is any)
At the original entry point of the host (overwriting the original host code)


Miekiemoes, one of our team members here and an MS-MVP, additionally has a blog post about Virut.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#15 Lonegungirl

Lonegungirl
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:05:24 AM

Posted 31 July 2009 - 03:24 AM

Well, that's disappointing, but I suppose not entirely unexpected, given the difficulty everyone's been having. My problem is that I'm working away from my home base for a month or so, so I don't have any disks to restore with. Also, if I have files like photos or word documents on the laptop, is it safe to move them to online storage? Or will they re-infect any computer I bring them back onto?

I haven't had the computer online except to download the various anti-virus programs, but is it aggravating it just to have it on? If I can't reformat it until I get back, should I just leave it off? Or try to get whatever files I can off now? In the meantime, is it worth it to try some of the measures people reported successful in the comments of Miekiemoes' blog?

What a bummer. But I suppose it's better to know, after all. Thanks.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users