Unidentified infection??


4 replies to this topic

#1 Hatski

  • Members
  • 4 posts

Posted 23 September 2009 - 11:22 AM

Hi, first, what an outstanding Forum - it certainly seems as if you try your best to help everyone who asks and I am hoping someone can do the same for me. To explain:
I use an HP Compaq nx7300 for working from home but it belongs to work. The other morning, on waking it from Standby, suddenly I was getting DLL errors warning of Bad Images, specifically with McAfee Enterprise edition, and also a dos screen popping up for a split second, followed by another relating to SMAXpnp (Soundmax). Somehow my Outlook would no longer work properly and worse, McAfee was disabled and I couldn't enter it at all. I am not a novice but admit I have only basic technical knowledge but the first thing I thought was Virus! I ran a check with Spyware Terminator which showed nothing. As I couldn't get into McAfee I first tried Trend Micro's online scanner, Housecall, but every time I tried to start the scan my browser (FF) shut down immediately. I then tried (in no particular order): system restore, Norman, F-Secure's online scanner & Blacklight anti-rootkit, Eset's online scanner, CCleaner and Free Windows Registry Repair 2.0 - they all came back saying I'm NOT infected.
In despair I tried uninstalling the McAfee A/V and then installing COMODO Internet Security. This went through the installation as normal but again, does not actually fire up; instead I get a Bad Image error message and I get similar messages when trying to access various programs (although I can get on the internet ok). Last but not least, my Power Options will not work either, giving a similar message.
As a last shot, I tried scanning with Spybot S+D which actually found something - MyWebSearch, which it listed as a Trojan. I cleaned and then scanned again but it appeared to be still there and so I tried Malwarebytes and this reported 6 entries for adware.mywebsearch which I cleaned, scanned again and MBAM reported that it would have to remove the infection on startup, which I tried and to all intents and purposes has worked, but I am still getting these Bad Image messages and still cannot run any A/V and many other programs. The main error I get is: "The application or DLL c:\WINDOWS\system32\MFC42.DLL is not a valid Windows image. Please check against installation diskette".
I do not know what to do and do not want to ring work's IT guy in case I get into trouble for contracting a virus. Therefore, I have run Root Repeal and HJT and include their Logs below, along with a report from MBAM. I sincerely hope someone can help me and thank you all in advance.

ROOT REPEAL LOG:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/23 15:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xAA255000 Size: 876544 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA932A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox
Status: Invisible to the Windows API!

Path: \\?\C:\Documents and Settings\Administrator\My Documents\My Lockbox\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal
Status: Invisible to the Windows API!

Path: \\?\C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\Easy Media Creator 10 Suite.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\Emergency Contact Sheet JAN 09.doc
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\My LastPass Vault.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\new downloads
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\NEW SERVER.RDP
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\REAL downloads
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\Shortcut to Internet.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\Simple File Shredder 3.lnk
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\TeamViewer 4.lnk
Status: Invisible to the Windows API!

Path: \\?\C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\new downloads\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\REAL downloads\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: \\?\C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\*
Status: Could not enumerate files with the Windows API (0x00000005)!


Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\A Boxing KO Compilation.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Another Boxing KO Compilation.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward I pt 1.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward I pt 2.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward I pt 3.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward I pt 4.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward I pt 5.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward II pt 1.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\francesco's mediterranean voyage (ep1. part 5).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Francesco's Mediterranean Voyage - Ep.2 (1 4).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Francesco's Mediterranean Voyage Ep.2 (2 4).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Francesco's Mediterranean Voyage Ep2 (3 4).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Francesco's Mediterranean Voyage Ep2 (3 4)2.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Francesco's Mediterranean Voyage Ep2 (4 4).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Francesco's Venice Episode 1 Part 1.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Francesco's Venice Episode 1 Part 2.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\kick boxing miss hap.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Thumbs.db
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward II pt 3.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward II pt 4.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward II pt 5.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward II pt 6.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward III pt 1.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward III pt 2.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward III pt 3.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward III pt 4.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward III pt 5.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward III pt 6.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\football fight.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\francesco's mediterranean voyage (ep1. part 1).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\francesco's mediterranean voyage (ep1. part 2).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\francesco's mediterranean voyage (ep1. part 3).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\Boxing - Arturo Gatti v Micky Ward II pt 2.flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\My Documents\My Lockbox\Personal\RealPlayer Downloads\francesco's mediterranean voyage (ep1. part 4).flv
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\steve.gregory\Local Settings\Apps\2.0\1D48JAZE.CZD\9DJY7NBQ.QOJ\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\steve.gregory\Local Settings\Apps\2.0\1D48JAZE.CZD\9DJY7NBQ.QOJ\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b788e

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b70ec

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b6dce

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b8938

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b6ed8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b6fc2

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b7bbc

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b73f4

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b7526

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b6bfc

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b7b04

#: 274 Function Name: NtWriteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b770c

==EOF==

MBAM Log:

Malwarebytes' Anti-Malware 1.41
Database version: 2849
Windows 5.1.2600 Service Pack 3

23/09/2009 13:50:13
mbam-log-2009-09-23 (13-49-57).txt

Scan type: Quick Scan
Objects scanned: 124984
Time elapsed: 8 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Last thing I did, which was HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37:49, on 23/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Verdiem\Edison\edsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\Sminst\Recguard.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Documents and Settings\Administrator\Desktop\SECURITY\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: LastPass Browser Helper Object - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files\LastPass\LPBar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files\LastPass\LPBar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = whizzgo.internal
O17 - HKLM\Software\..\Telephony: DomainName = whizzgo.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = whizzgo.internal
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0125211252944278) (0125211252944278mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\012521~1.EXE (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Edison Power Management Service (edsvc) - Verdiem - C:\Program Files\Verdiem\Edison\edsvc.exe
O23 - Service: FSPro Filter Service (fsproflt) - FSPro Labs - C:\WINDOWS\system32\fsproflt.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe
O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SessionLauncher - Nokia. - (no file)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Performance Logs and Alerts (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe

--
End of file - 10359 bytes


I have also uploaded two screenshots of the errors I am getting.

Many many thanks!

PS: My Lockbox is from Steganos and a trusted program. I tried uninstalling this before running the above, but I again get a Bad Image message and cannot do anything with it.


Edited by Hatski, 24 September 2009 - 07:58 AM.
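Added example, not part of the thread and not code from the RootRepeal or HijackThis authors: a small Python triage script for the two log formats posted above. It groups the RootRepeal SSDT hooks by the driver that installed them and flags HijackThis O23 service entries whose binary is missing, whose company field is blank or "Unknown owner", or whose binary lives under a TEMP directory. The line formats are inferred from the logs in this post, the sample lines are constructed from them (only a handful are reproduced), and the three flags are heuristics chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample excerpts in the formats RootRepeal and HijackThis print.
# The lines are modelled on the logs posted in the thread; only a few of each are kept.
ROOTREPEAL_SAMPLE = r"""
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b788e

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b70ec

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b7bbc

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\sp_rsdrv2.sys" at address 0xaa4b7b04
"""

HJT_SAMPLE = r"""
O23 - Service: McAfee Application Installer Cleanup (0125211252944278) (0125211252944278mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\012521~1.EXE (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe
O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: SessionLauncher - Nokia. - (no file)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
"""

# RootRepeal prints each SSDT entry as a "#: NNN Function Name: ..." line
# followed by a 'Status: Hooked by "<driver>" at address 0x...' line.
_SSDT_ENTRY = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\w+)\s*$")
_SSDT_HOOK = re.compile(r'^Status:\s+Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')

# HijackThis O23 lines read "O23 - Service: <name> - <company> - <path>"; the company
# field may be blank, which is why the separators are matched with optional whitespace.
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) -\s*(?P<owner>.*?)\s*- (?P<path>.+)$")


def parse_ssdt_hooks(text):
    """Return one dict per hooked SSDT entry: index, function, driver, address."""
    hooks, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        entry = _SSDT_ENTRY.match(line)
        if entry:
            pending = (int(entry.group(1)), entry.group(2))
            continue
        hook = _SSDT_HOOK.match(line)
        if hook and pending:
            index, function = pending
            hooks.append({"index": index, "function": function,
                          "driver": hook.group(1), "address": int(hook.group(2), 16)})
            pending = None
    return hooks


def hooks_by_driver(hooks):
    """Group hooked function names under the driver that installed the hook.
    One driver hooking many functions is the normal shape for a real-time
    protection product; the driver's identity is what needs checking."""
    grouped = defaultdict(list)
    for hook in hooks:
        grouped[hook["driver"]].append(hook["function"])
    return dict(grouped)


def triage_hjt_services(text):
    """Flag O23 service entries that merit a second look: missing binary,
    no company name, or a binary living under a TEMP directory."""
    findings = []
    for line in text.splitlines():
        match = _O23.match(line.strip())
        if not match:
            continue
        name = match.group("name")
        owner = match.group("owner").strip()
        path = match.group("path").strip()
        reasons = []
        if path.endswith("(file missing)") or path == "(no file)":
            reasons.append("binary missing")
        if owner in ("", "Unknown owner"):
            reasons.append("no company name")
        if "\\temp\\" in path.lower():
            reasons.append("runs from temp")
        if reasons:
            findings.append({"name": name, "owner": owner, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for driver, functions in hooks_by_driver(parse_ssdt_hooks(ROOTREPEAL_SAMPLE)).items():
        print(f"{driver} hooks {len(functions)} SSDT entries: {', '.join(functions)}")
    for finding in triage_hjt_services(HJT_SAMPLE):
        print(f"O23 {finding['name']!r}: {', '.join(finding['reasons'])}")
```

Run against the samples, the SSDT grouping shows a single driver, sp_rsdrv2.sys, hooking every listed entry, which matches the Spyware Terminator real-time shield service (sp_rssrv) listed in the same HijackThis log; a security product hooking file, registry and process functions is expected, so the check is whether the driver belongs to software the owner installed. The O23 flags are prompts rather than verdicts: in this very log "Unknown owner" appears on built-in Windows services such as ALG, and the McAfee cleanup entry that points at a missing file in C:\WINDOWS\TEMP is consistent with the uninstall the poster describes rather than with an infection.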




#2 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 10 October 2009 - 08:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.



#3 Hatski

  • Topic Starter

  • Members
  • 4 posts

Posted 13 October 2009 - 07:07 AM

Hi Etavares,

Apologies for my delay in replying - I have since had another laptop get infected for no apparent reason; this has meant that I have been unwilling to do anything on the net for a while until I was sure that my security settings were correct and that my USB memory sticks weren't infected, etc. I have to say that these incidents have almost completely shaken my confidence in the internet and I have stopped doing any kind of online banking or shopping - hell, if viruses can still attack me after taking all precautions then I don't even want to use my email!!?? :(

The work machine that I had the original problem with has since been stolen (fat lot of good it will do them!) but since I am having virtually a carbon copy of the problem on the other laptop, do you mind if I run the program on that machine and post the results with a new explanation? I appreciate that this may not be Forum etiquette but while I have you, I am unwilling to let you go and have to wait again for weeks!

Kind regards,
H.

Edited by Hatski, 13 October 2009 - 07:13 AM.


#4 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts

Posted 14 October 2009 - 09:22 PM

Hi Hatski,

Please create a new thread. Many folks Google these threads when they have similar issues and having a log from two computers will confuse the issue. We like to keep it clear and in the forums to help as many people as we can.

Thanks!




#5 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 24 October 2009 - 03:14 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
