
infected with ntoskrnl-hook and desot.exe


54 replies to this topic

#1 EdnaSue


Posted 24 August 2009 - 08:09 PM

I'm not sure if you need all the details of how I got to this point, so I won't add them unless you ask. I'll just summarize by saying I scanned and cleaned down to only having ntoskrnl-hook, which nothing seemed to be able to remove, then was attacked by Windows Antivirus Pro, twice. Now I am seemingly back to ntoskrnl-hook, which nothing seems to be able to stop, and I still am thinking something from Windows Antivirus Pro may be lurking hidden away... something named desot.exe was the file that seemed to be attacking everything. I deleted it. Also I get a blue screen when I shut down, except in safe mode. I do not have the text of the blue screen but will get it next time I shut down. I have run DDS and RootRepeal and have the logs. Any help is appreciated. THANKS

Below is my DDS.txt log per the instructions on the preparation guide and the Attach and ark files are attached.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Edna at 20:33:35.17 on Mon 08/24/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1193 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Leapfrog\FlyWorld\bin\FlyMonitor.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\PROGRA~1\COMMON~1\AOL\121061~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\121061~1\EE\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Documents and Settings\Edna\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: {54618083-CD6C-4C2A-8B81-F6D715273988} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {e8818d15-def6-42d7-a904-2af09059f9b9} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McAfee Backup] "c:\program files\mcafee\mbk\McAfeeDataBackup.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [FlyMonitor] "c:\program files\leapfrog\flyworld\bin\FlyMonitor.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HostManager] c:\program files\common files\aol\1210612550\ee\AOLHostManager.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-8-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 74480]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-22 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-22 144704]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-5-12 105984]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-22 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-22 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-22 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-22 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-22 40552]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-2-4 18560]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 7408]

=============== Created Last 30 ================

2009-08-20 22:36 368 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-08-20 22:35 792 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-08-19 23:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-08-19 23:21 <DIR> --d----- c:\program files\common files\iS3
2009-08-19 23:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-08-18 23:24 <DIR> --dsh--- c:\documents and settings\edna\PrivacIE
2009-08-18 23:09 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-08-18 23:09 12,160 a------- c:\windows\system32\dllcache\mouhid.sys
2009-08-18 23:09 21,504 a------- c:\windows\system32\hidserv.dll
2009-08-18 23:09 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-08-18 23:08 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-08-18 23:08 10,368 a------- c:\windows\system32\dllcache\hidusb.sys
2009-08-18 23:01 <DIR> --d----- c:\docume~1\edna\applic~1\SUPERAntiSpyware.com
2009-08-18 22:39 <DIR> --d----- c:\docume~1\edna\applic~1\Malwarebytes
2009-08-17 21:08 <DIR> --dsh--- c:\documents and settings\edna\IETldCache
2009-08-17 21:08 <DIR> --d----- c:\docume~1\edna\applic~1\You've Got Pictures Screensaver
2009-08-17 21:08 <DIR> --d----- c:\docume~1\edna\applic~1\Symantec
2009-08-17 21:08 <DIR> --d----- c:\docume~1\edna\applic~1\AOL
2009-08-17 21:08 <DIR> --d----- c:\documents and settings\Edna
2009-08-17 20:11 5 a------- c:\windows\system32\drivers\DELL_INS_1525.MRK
2009-08-17 20:11 666 a------- c:\windows\speed.reg
2009-08-17 20:08 <DIR> --d----- c:\windows\system32\vmm32
2009-08-16 23:37 61,440 a------- c:\windows\system32\drivers\ljzub.sys
2009-08-16 23:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-08-16 23:31 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-08-16 23:28 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 23:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-16 23:28 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-16 23:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-15 22:38 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-08-19 23:18 8,844 a------- c:\program files\sapztkar.txt
2009-08-17 20:11 5 a------- c:\windows\system32\drivers\1028_Dell_INS_1525.mrk
2009-01-09 23:09 2,807 a--sh--- c:\windows\system32\DLRsAJlm.ini2
2008-12-23 10:02 880,016 a--sh--- c:\windows\system32\JRuuvyay.ini2

============= FINISH: 20:35:39.79 ===============
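A small triage script for the DDS log format pasted above, added here as an example and not part of the thread or of the DDS tool: it splits the log into its "===" sections and lists the objective items a helper looks at first (registry entries whose target is "No File", files carrying hidden+system attributes, and recently created kernel drivers) without making any malware verdict. The embedded sample is a constructed excerpt modelled on the log above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in DDS format, modelled on the log in the post above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: {54618083-CD6C-4C2A-8B81-F6D715273988} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun: [Persistence] c:\windows\system32\igfxpers.exe

=============== Created Last 30 ================

2009-08-18 23:24 <DIR> --dsh--- c:\documents and settings\edna\PrivacIE
2009-08-16 23:37 61,440 a------- c:\windows\system32\drivers\ljzub.sys
2009-08-16 23:28 19,096 a------- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2009-01-09 23:09 2,807 a--sh--- c:\windows\system32\DLRsAJlm.ini2
2008-12-23 10:02 880,016 a--sh--- c:\windows\system32\JRuuvyay.ini2

============= FINISH: 20:35:39.79 ===============
"""

# "=== Section name ===" headers that DDS uses to separate report parts.
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# File rows: date, time, size or <DIR>, 8-character attribute string, path.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Pseudo-HJT rows such as "BHO: ... - c:\path\file.dll" or "... - No File".
HJT_RE = re.compile(r"^(?P<kind>[A-Za-z_]+): (?P<body>.+)$")
FILE_SECTIONS = ("Created Last 30", "Find3M")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def split_sections(text):
    """Group the non-blank lines of a DDS log under their section headers."""
    sections = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(text):
    """Return review items; these are properties to check, not verdicts."""
    findings = []
    sections = split_sections(text)
    for line in sections.get("Pseudo HJT Report", []):
        m = HJT_RE.match(line)
        if m and m.group("body").endswith("- No File"):
            # Registry entry whose target no longer exists on disk.
            findings.append(Finding("Pseudo HJT Report", "orphaned entry (No File)", line))
    for name in FILE_SECTIONS:
        for line in sections.get(name, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs = set(m.group("attrs"))  # letters present: a, d, s, h, ...
            path = m.group("path").lower()
            if "d" not in attrs and {"s", "h"} <= attrs:
                # Hidden + system on a plain file is unusual outside Windows itself.
                findings.append(Finding(name, "hidden+system file", line))
            if path.endswith(".sys") and "\\drivers\\" in path:
                # Any newly created kernel driver is worth a manual look.
                findings.append(Finding(name, "recently created kernel driver (review)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.reason}: {f.line}")
```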


#2 SifuMike


Posted 26 August 2009 - 04:42 PM

Hello EdnaSue,

I am coming in late here, as you have already been deleting files. I have no idea of what files you deleted and why.
  • Please download mbr.exe from the following link and save it to your desktop: http://www2.gmer.net/mbr/mbr.exe
  • Double click mbr.exe to run it. You will see a very brief flash of a "dos" box, which then disappears. This is normal.
  • The tool creates a log (mbr.log) on your desktop. Copy and paste the content of that log to your reply.
****************

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

****************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"
Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Edited by SifuMike, 26 August 2009 - 04:45 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 EdnaSue

EdnaSue
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 26 August 2009 - 09:08 PM

I'm sorry if I was confusing. I deleted the desot.exe file in an effort to get back the ability to open .exe files. This is what I did when I was trying to solve the problems myself before I asked for help. The post you read was my first one.

Deleting desot.exe did work; however, after I ran the logs and posted, now I can no longer access the internet from that computer so I can not download to it. I have not changed anything since, so I'm sure that either the ntoskrnl-hook or the Windows Antivirus Pro are still working in the background. The computer is now disconnected from the internet cable and shut down. Is there anything else I can try?


Over the last two weeks (when I could still connect to the internet) I ran McAfee, Malwarebytes Anti-Malware, and SuperAnti-spyware products -- all multiple times.


Thanks.
EdnaSue

Edited by EdnaSue, 26 August 2009 - 09:14 PM.


#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:06 AM

Posted 26 August 2009 - 09:15 PM

Hi EdnaSue,


however after I ran the logs and posted, now I can no longer access the internet from that computer so I can not download to it.


What logs are you referring to? The three logs I asked you to post?

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:06 AM

Posted 26 August 2009 - 09:20 PM

Hi EdnaSue,

Please do not edit your previous posts, as I will probably miss that. I don't usually go back and read the older posts unless I really need to.

Since you don't have Internet access on the infected computer, download the programs (mbr.exe and SecurityCheck) on a clean computer and transfer them via USB flash drive to the infected computer's Desktop.
Then follow my instructions to run them.

Even though you have run Malwarebytes previously, run it again and post the log.

Edited by SifuMike, 26 August 2009 - 09:52 PM.
typo


#6 EdnaSue

EdnaSue
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 26 August 2009 - 09:26 PM

I'm referring to the logs the preparation guide on the forum told me to post: DDS and RootRepeal. I followed all the steps that it laid out.

I posted the DDS.txt log
and the Attach and ark files were attached.

I can't download the ones you suggested as I can not get on the internet on that computer now.

thanks

Edited by EdnaSue, 26 August 2009 - 09:26 PM.


#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:06 AM

Posted 26 August 2009 - 09:28 PM

Please read my previous post.

#8 EdnaSue

EdnaSue
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 26 August 2009 - 09:32 PM

Our replies are getting crossed.... I'll need to pick up a USB cable. Should I be concerned about the virus infecting the clean computer? I'll post again when I have the cable and have done this... thanks for your help, and I will be sure not to revise a post.

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:06 AM

Posted 26 August 2009 - 09:39 PM

Hi EdnaSue,

I'll need to pick up a USB cable



You don't need a USB cable.
Don't you have a USB flash drive? Just use that.

Here is what a USB flash drive is:

USB flash drive - A small, portable flash memory card that plugs into a computer's USB port and functions as a portable hard drive.
USB flash drives are touted as being easy to use, as they are small enough to be carried in a pocket and can plug into any computer with a USB drive.
USB flash drives have less storage capacity than an external hard drive, but they are smaller and more durable because they do not contain any internal moving parts.
USB flash drives also are called thumb drives, jump drives, pen drives, key drives, tokens, or simply USB drives.





should I be concerned about the virus infecting the clean computer?


No, you will not be transferring any files other than the two programs I listed.

As long as you are just transferring those programs via USB flash drive from the sites I list, you will be OK.

We may need to transfer other programs via USB flash drive at a later time.

Edited by SifuMike, 26 August 2009 - 09:57 PM.


#10 EdnaSue

EdnaSue
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 27 August 2009 - 10:35 PM

Thanks for your time on this. Here are the logs you requested.

*******************************************
mbr.txt

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
BIOS signateure not found

*******************************
checkup.txt

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!


``````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition
Malwarebytes' Anti-Malware
Java™ 6 Update 13
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent


McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe

``````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

*****************************************************

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/27/2009 11:07:11 PM
mbam-log-2009-08-27 (23-07-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 167778
Time elapsed: 22 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:06 AM

Posted 27 August 2009 - 11:29 PM

Hi EdnaSue,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    J2SE Runtime Environment 5.0 Update 6
    Java™ 6 Update 13
    Java™ 6 Update 7

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.
***************************

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your McAfee SecurityCenter before running ComboFix, as it will prevent it from running.

To Disable McAfee Security Center

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.

#12 EdnaSue

EdnaSue
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 29 August 2009 - 12:05 AM

Hi SifuMike,

I could not install jxpiinstall.exe; when I tried it there was an error saying it could not install with the current internet configuration. I did not have the internet cable attached since I was using the clean computer to access the internet. I went to Java help and there was an offline version named jre-6u16-windows-i586 that they suggested to use instead, so I used that one.

I followed the instructions to download ComboFix to the desktop of the clean computer. I have copied it to the infected computer's desktop. I disabled all of the scanning software that I could find and even the firewall. McAfee still kept blocking the buffer overflows even with everything checked as disabled. To stop almost hundreds of these from popping up I had to choose to allow them.

When I double clicked on ComboFix to run it, it went to the blue C: prompt screen and never went any farther. It never came up with any text in the screen or anything else indicating it was running, and didn't progress at all according to what the instructions said it would say. Not knowing what to do about this after waiting an hour or more, I closed everything down and restarted. Then I connected the internet cable to it, since later in the instructions it indicated that ComboFix would be checking for the Microsoft Windows Recovery Console, would download it if it wasn't there, and that it would disconnect from the internet. I had hoped that this was why it was not running, but I tried it again and got the same results.

Not sure what to do now. Evidently there is something running that is blocking it. Or I have missed something else in the steps. I hope I haven't wrecked it by restarting and trying it again, but it never really got started doing anything.

Is there anything else I can try?
thanks again for your help.

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:06 AM

Posted 29 August 2009 - 01:13 AM

Hi EdnaSue,

We will try running it a different way. It may be McAfee preventing it from running.

Delete the ComboFix you have on your desktop. <== IMPORTANT


Download ComboFix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


--------------------------------------------------------------------

You need to disable your McAfee SecurityCenter before running ComboFix, as it will prevent it from running.
If McAfee stops ComboFix from running then uninstall it; just don't surf the Internet as you will not have virus protection. You can reinstall it after we are done using ComboFix.

To Disable McAfee Security Center

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.  
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Edited by SifuMike, 29 August 2009 - 01:15 AM.


#14 EdnaSue

EdnaSue
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Local time:10:06 AM

Posted 29 August 2009 - 11:55 PM

Hi SifuMike,

I have followed your directions, including uninstalling McAfee. This time when I ran Combo-fix.exe the blue screen hung up after the words Please wait. ComboFix is preparing to run. I have now waited 33 minutes. Not sure how long this is supposed to take.

Thanks

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:06 AM

Posted 30 August 2009 - 12:27 AM

Hi EdnaSue,

Wait for at least an hour. If it does not start to run then reboot.

Try running ComboFix in the Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.





