
Trojan issues virus also made desktop inactive


This topic is locked
35 replies to this topic

#1 funkecrates

  • Members
  • 57 posts
  • Local time:06:24 PM

Posted 15 October 2009 - 10:44 AM

Hello, it is me again. Upon turning on my computer I am all of a sudden getting a white screen / inactive desktop, so I decided to run SUPERAntiSpyware and Malwarebytes Anti-Malware. A few items like trojans were detected and quarantined. So I figured that everything should have been OK, so I rebooted my computer, and I am still getting an inactive desktop; however, when I log in as an administrator it is the normal active desktop.



DDS (Ver_09-10-13.01) - NTFSx86
Run by COOPRO01 at 11:15:53.48 on Thu 10/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
uStart Page = hxxp://www.cmsdnet.net
uDefault_Page_URL = hxxp://www.cmsdnet.net
uInternet Settings,ProxyServer = proxy.cmsdnet.net:80
uInternet Settings,ProxyOverride = appsvr03;appsvr03.cmsdnet.net;appsvr04;appsvr04.cmsdnet.net;*.cmsd.net;*.cmsdnet.net;*.cleveland.k12.oh.us;<local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [AppMgrGui] c:\program files\appstream\windowsclient\bin\exeForService.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\devicedetector\DirectrecConfig.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSetTaskbar = 1 (0x1)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: NoPropertiesRecycleBin = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoMovingBands = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-disallowrun: 1 = *.msi
uPolicies-disallowrun: 2 = CMD.EXE
uPolicies-disallowrun: 3 = MSIMN.EXE
uPolicies-disallowrun: 4 = Setup.exe
uPolicies-system: Wallpaper = c:\windows\web\wallpaper\none.jpg
uPolicies-system: WallpaperStyle = 2
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: adobe.com
Trusted Zone: appsvr03
Trusted Zone: appsvr04
Trusted Zone: cmsdnet.net
Trusted Zone: cmsdnet.net\appsvr03
Trusted Zone: cmsdnet.net\appsvr04
Trusted Zone: k12.oh.us\*.cleveland
Trusted Zone: renlearn.com
Trusted Zone: renlearn.com\hosted27
Trusted Zone: adobe.com
Trusted Zone: appsvr03
Trusted Zone: appsvr04
Trusted Zone: cmsdnet.net
Trusted Zone: cmsdnet.net\appsvr03
Trusted Zone: cmsdnet.net\appsvr04
Trusted Zone: k12.oh.us\*.cleveland
Trusted Zone: renlearn.com
Trusted Zone: renlearn.com\hosted27
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://lnmail05.cleveland.k12.oh.us/dwa7W.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: ShExecHookLib Class: {2d0c3614-d550-4b6b-bf80-d83c4544d6ae} - c:\program files\appstream\windowsclient\bin\ShExecHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\coopro01\applic~1\mozilla\firefox\profiles\07kvi3ph.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLPrint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-15 09:33 <DIR> --d----- c:\docume~1\coopro01\applic~1\SUPERAntiSpyware.com
2009-10-05 08:37 <DIR> --d----- c:\docume~1\coopro01\applic~1\Malwarebytes
2009-10-01 17:29 <DIR> -cd-h--- c:\windows\ie8
2009-10-01 16:48 <DIR> --d----- c:\program files\SpywareBlaster
2009-10-01 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-01 16:36 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-01 16:35 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-09-30 21:59 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-30 10:01 <DIR> --d----- C:\Quarantine
2009-09-29 21:05 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-29 21:05 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-29 21:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-21 17:26 <DIR> --d----- c:\program files\Free RAR Extract Frog
2009-09-17 15:35 35,840 a------- c:\windows\system32\diag2.dll

==================== Find3M ====================

2009-10-15 10:02 17,408 a------- c:\windows\system32\rpcnetp.exe
2009-10-15 10:02 56,680 a------- c:\windows\system32\rpcnet.dll
2009-09-30 21:57 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-30 21:06 17,408 a------- c:\windows\system32\rpcnetp.dll
2009-09-30 17:58 56,680 a------- c:\windows\system32\rpcnet.exe
2009-09-08 07:05 51,784 a---h--- c:\windows\system32\mlfcache.dat
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll

============= FINISH: 11:16:41.96 ===============





Edited by funkecrates, 15 October 2009 - 10:55 AM.
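An added example, not code from this thread or from the DDS tool: a Python script that parses the "xPolicies-<subkey>: Name = Value" lines of a DDS pseudo-HJT report and groups them by registry hive. By DDS convention the "u" prefix marks the current user's hive (HKCU), "m" the machine hive (HKLM) and "d" the default user profile, so policy lines that appear only under uPolicies are scoped to the profile that produced the log. The sample input below is copied from the report in the post above, with one constructed uRun line and one constructed mPolicies-explorer line added to show that unrelated lines are skipped and that the two scopes are kept apart.

```python
"""Triage the Policies lines of a DDS pseudo-HJT report by registry hive.

Added example, not code from the thread above or from the DDS tool.
"""
import re
from collections import defaultdict

# DDS convention for the prefix letter on each line.
SCOPES = {"u": "HKCU (current user)", "m": "HKLM (machine)", "d": "default user"}

# Sample input: Policies lines copied from the report in the post above.
# The uRun line and the mPolicies-explorer line are constructed here to
# show that unrelated lines are skipped and that scopes are kept apart.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 1 = *.msi
uPolicies-disallowrun: 2 = CMD.EXE
uPolicies-disallowrun: 3 = MSIMN.EXE
uPolicies-disallowrun: 4 = Setup.exe
uPolicies-system: Wallpaper = c:\windows\web\wallpaper\none.jpg
uPolicies-system: WallpaperStyle = 2
mPolicies-explorer: NoDriveTypeAutoRun = 145 (0x91)
"""

# <scope>Policies-<subkey>: <name> = <value>
POLICY_RE = re.compile(r"^([umd])Policies-(\w+):\s*(.+?)\s*=\s*(.+?)\s*$")


def parse_policies(report):
    """Return (scope, subkey, name, value) tuples for every Policies line."""
    found = []
    for line in report.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            scope, subkey, name, value = m.groups()
            found.append((scope, subkey.lower(), name, value))
    return found


def _is_set(value):
    """DDS prints DWORDs as '1 (0x1)'; treat a non-zero leading number as set."""
    try:
        return int(value.split()[0], 0) != 0
    except ValueError:
        return False


def triage(report):
    """Group the Policies lines by hive.

    Per scope: Explorer policy names with a non-zero value, the program
    names listed under DisallowRun, and the Wallpaper path if overridden.
    """
    summary = defaultdict(lambda: {"explorer": [], "disallow_run": [], "wallpaper": None})
    for scope, subkey, name, value in parse_policies(report):
        bucket = summary[scope]
        if subkey == "explorer" and _is_set(value):
            bucket["explorer"].append(name)
        elif subkey == "disallowrun":
            bucket["disallow_run"].append(value)
        elif subkey == "system" and name == "Wallpaper":
            bucket["wallpaper"] = value
    return dict(summary)


def disallow_run_scopes(report):
    """Scopes that carry a DisallowRun list.

    ["u"] alone means the program block is tied to the logged-on profile
    rather than applied machine-wide.
    """
    return sorted(s for s, b in triage(report).items() if b["disallow_run"])


def format_summary(report):
    """Human-readable summary, one section per hive."""
    lines = []
    for scope, b in sorted(triage(report).items()):
        lines.append(f"{SCOPES.get(scope, scope)}:")
        lines.extend(f"  explorer policy  {n}" for n in b["explorer"])
        lines.extend(f"  DisallowRun      {p}" for p in b["disallow_run"])
        if b["wallpaper"]:
            lines.append(f"  Wallpaper        {b['wallpaper']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(SAMPLE_REPORT))
    print("DisallowRun present in scopes:", disallow_run_scopes(SAMPLE_REPORT))
```

Run against the pasted report, the script puts every restriction, the four DisallowRun entries and the wallpaper override under the HKCU section and nothing comparable under HKLM, which is the pattern a helper would expect when one profile is affected and another account on the same machine is not.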



#2 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country
  • Local time:05:24 PM

Posted 28 October 2009 - 07:09 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.


If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
PW

#3 funkecrates

  • Topic Starter
  • Members
  • 57 posts
  • Local time:06:24 PM

Posted 28 October 2009 - 08:01 AM

Hello, and thanks for your assistance. I am having some sort of virus or malware issue where my desktop was made inactive, and I can't figure out how to make it active once more. I ran Malwarebytes Anti-Malware, SUPERAntiSpyware, and SpywareBlaster. By running these programs some trojans were apparently discovered and quarantined; however, I am still having issues with an inactive desktop, and I am not sure if my system is clean.


DDS (Ver_09-10-26.01) - NTFSx86
Run by COOPRO01 at 8:47:32.00 on Wed 10/28/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.live.com
uStart Page = hxxp://www.cmsdnet.net
uDefault_Page_URL = hxxp://www.cmsdnet.net
uInternet Settings,ProxyServer = proxy.cmsdnet.net:80
uInternet Settings,ProxyOverride = appsvr03;appsvr03.cmsdnet.net;appsvr04;appsvr04.cmsdnet.net;*.cmsd.net;*.cmsdnet.net;*.cleveland.k12.oh.us;<local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [AppMgrGui] c:\program files\appstream\windowsclient\bin\exeForService.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\devicedetector\DirectrecConfig.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSetTaskbar = 1 (0x1)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: NoPropertiesRecycleBin = 1 (0x1)
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoMovingBands = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-disallowrun: 1 = *.msi
uPolicies-disallowrun: 2 = CMD.EXE
uPolicies-disallowrun: 3 = MSIMN.EXE
uPolicies-disallowrun: 4 = Setup.exe
uPolicies-system: Wallpaper = c:\windows\web\wallpaper\none.jpg
uPolicies-system: WallpaperStyle = 2
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: adobe.com
Trusted Zone: appsvr03
Trusted Zone: appsvr04
Trusted Zone: cmsdnet.net
Trusted Zone: cmsdnet.net\appsvr03
Trusted Zone: cmsdnet.net\appsvr04
Trusted Zone: k12.oh.us\*.cleveland
Trusted Zone: renlearn.com
Trusted Zone: renlearn.com\hosted27
Trusted Zone: adobe.com
Trusted Zone: appsvr03
Trusted Zone: appsvr04
Trusted Zone: cmsdnet.net
Trusted Zone: cmsdnet.net\appsvr03
Trusted Zone: cmsdnet.net\appsvr04
Trusted Zone: k12.oh.us\*.cleveland
Trusted Zone: renlearn.com
Trusted Zone: renlearn.com\hosted27
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://lnmail05.cleveland.k12.oh.us/dwa7W.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: ShExecHookLib Class: {2d0c3614-d550-4b6b-bf80-d83c4544d6ae} - c:\program files\appstream\windowsclient\bin\ShExecHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\coopro01\applic~1\mozilla\firefox\profiles\07kvi3ph.default\
FF - prefs.js: browser.startup.homepage - hxxp://att.my.yahoo.com/
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLPrint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-20 23:20:18 0 d-----w- c:\program files\common files\xing shared
2009-10-20 23:19:47 0 d-----w- c:\program files\common files\Real
2009-10-15 13:33:40 0 d-----w- c:\docume~1\coopro01\applic~1\SUPERAntiSpyware.com
2009-10-05 12:37:32 0 d-----w- c:\docume~1\coopro01\applic~1\Malwarebytes
2009-10-01 21:29:33 0 dc-h--w- c:\windows\ie8
2009-10-01 20:48:34 0 d-----w- c:\program files\SpywareBlaster
2009-10-01 20:36:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-01 20:36:22 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-01 20:35:17 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-01 01:59:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-09-30 14:01:45 0 d-----w- C:\Quarantine
2009-09-30 01:05:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 01:05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 01:05:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-10-28 12:36:11 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-10-28 11:57:52 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-10-20 23:19:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-01 01:57:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:06:08 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-09-30 21:58:39 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-09-17 19:35:36 35840 ----a-w- c:\windows\system32\diag2.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 11:05:47 51784 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 8:48:05.26 ===============

#4 Elise

  • Malware Study Hall Admin
  • 60,823 posts
  • Gender:Female
  • Location:Romania

Posted 28 October 2009 - 10:08 AM

Hello funkecrates,

And welcome to the Bleeping Computer Malware Removal Forum. My name is Elise. I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
Please be patient and I'd be grateful if you would note the following:
  • The cleaning process is not instant. DDS logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

Please give me some time to review your logs and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.


You have quite some policies set here that disable all kinds of Windows components. Let's see if we can restore those.
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program. Note, if you get a message that the IE version could not be verified, just click OK.
  • Click on Fix Policies
  • Highlight all found entries and click the Remove button.
  • Exit/Close Dial-A-Fix
COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


In your next reply, please include the following:
  • Combofix.txt
  • Please let me know how things are running now.

regards, Elise


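The DDS log above shows the malware's own fingerprint: a block of HKCU Explorer policies (NoControlPanel, DisallowRun, a forced blank wallpaper) that explains the "inactive desktop". As an added example, not code from this thread or from DDS or Dial-A-Fix, here is a small Python parser that maps each uPolicies-/mPolicies- line to the registry key it refers to, separates active restrictions from the DisallowRun block list, and renders a .reg fragment an analyst can review before undoing them. The sample lines are constructed; the mPolicies line with NoDriveTypeAutoRun is an assumption added only to exercise the HKLM case.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: DDS-style policy lines modelled on the log posted in this thread.
# The mPolicies line (HKLM) is an assumption added to exercise the hive mapping.
SAMPLE_LOG = """\
uStart Page = hxxp://www.cmsdnet.net
uPolicies-explorer: NoControlPanel = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 0 (0x0)
uPolicies-disallowrun: 1 = *.msi
uPolicies-disallowrun: 2 = CMD.EXE
uPolicies-system: Wallpaper = c:\\windows\\web\\wallpaper\\none.jpg
uPolicies-system: WallpaperStyle = 2
mPolicies-explorer: NoDriveTypeAutoRun = 145 (0x91)
"""

# DDS prefixes: "u" = current-user hive, "m" = machine hive.
HIVES = {"u": "HKEY_CURRENT_USER", "m": "HKEY_LOCAL_MACHINE"}
POLICY_ROOT = r"Software\Microsoft\Windows\CurrentVersion\Policies"
AREA_SUBKEYS = {
    "explorer": r"Explorer",
    "disallowrun": r"Explorer\DisallowRun",
    "system": r"System",
}

# "<hive>Policies-<area>: <name> = <value> (0xNN)"; the hex echo is optional.
LINE_RE = re.compile(
    r"^(?P<hive>[um])Policies-(?P<area>[A-Za-z]+):\s*"
    r"(?P<name>.+?)\s*=\s*(?P<value>.*?)"
    r"(?:\s*\(0x[0-9A-Fa-f]+\))?\s*$"
)


class PolicyEntry(NamedTuple):
    key: str    # full registry key the DDS line refers to
    name: str   # value name (or list index for DisallowRun entries)
    value: str  # decimal or string value, with the "(0x..)" echo stripped


def parse_policies(log_text: str) -> List[PolicyEntry]:
    """Extract every uPolicies-/mPolicies- line from a DDS log."""
    entries: List[PolicyEntry] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        area = m.group("area").lower()
        subkey = AREA_SUBKEYS.get(area, area.capitalize())
        key = f"{HIVES[m.group('hive')]}\\{POLICY_ROOT}\\{subkey}"
        entries.append(PolicyEntry(key, m.group("name"), m.group("value")))
    return entries


def _is_block_list(entry: PolicyEntry) -> bool:
    return entry.key.endswith(r"\DisallowRun")


def audit(entries: List[PolicyEntry]) -> Dict[str, list]:
    """Separate active restrictions (non-zero values) from the DisallowRun block list."""
    active = [e for e in entries if not _is_block_list(e) and e.value != "0"]
    blocked = [e.value for e in entries if _is_block_list(e)]
    return {"active_restrictions": active, "blocked_programs": blocked}


def to_reg_undo(entries: List[PolicyEntry]) -> str:
    """Render a .reg fragment that deletes each listed value ("name"=- removes it)."""
    by_key: Dict[str, List[str]] = {}
    for e in entries:
        by_key.setdefault(e.key, []).append(e.name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_policies(SAMPLE_LOG)
    report = audit(parsed)
    for e in report["active_restrictions"]:
        print(f"{e.key}  {e.name} = {e.value}")
    print("DisallowRun blocks:", report["blocked_programs"])
    # Only the user-hive entries go into the undo fragment; the HKLM one is a
    # legitimate AutoRun policy and is left for the analyst to judge.
    hkcu = [e for e in parsed if e.key.startswith("HKEY_CURRENT_USER")]
    print(to_reg_undo(hkcu))
```

The undo fragment is meant to be read, not blindly imported: a non-zero policy value is only suspicious when nothing (a domain GPO, an admin) is known to have set it.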
#5 funkecrates
  • Topic Starter
  • Members
  • 57 posts

Posted 29 October 2009 - 05:56 AM

Hello and thanks for helping me out. The computer is running fine now and my desktop is no longer inactive!! The log is below:

ComboFix 09-10-28.06 - COOPRO01 10/29/2009 6:26.1.2 - NTFSx86
Running from: c:\docume~1\COOPRO~1.L09\LOCALS~1\Temp\fyf4z5bk.tmp\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\lsd_f3.dll
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-20 23:20 . 2009-10-20 23:20 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-20 23:19 . 2009-10-20 23:19 -------- d-----w- c:\program files\Real
2009-10-20 23:19 . 2009-10-20 23:20 -------- d-----w- c:\program files\Common Files\Real
2009-10-16 16:18 . 2009-10-16 16:18 -------- d-sh--w- c:\documents and settings\fieldtech\PrivacIE
2009-10-16 16:16 . 2009-10-16 16:16 -------- d-----w- c:\documents and settings\fieldtech\Application Data\Malwarebytes
2009-10-16 16:16 . 2009-10-16 16:16 -------- d-sh--w- c:\documents and settings\fieldtech\IETldCache
2009-10-15 13:33 . 2009-10-15 13:33 -------- d-----w- c:\documents and settings\COOPRO01\Application Data\SUPERAntiSpyware.com
2009-10-05 12:37 . 2009-10-05 12:37 -------- d-----w- c:\documents and settings\COOPRO01\Application Data\Malwarebytes
2009-10-01 21:29 . 2009-10-01 21:30 -------- dc-h--w- c:\windows\ie8
2009-10-01 20:48 . 2009-10-24 14:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 20:48 . 2009-10-24 14:37 -------- d-----w- c:\program files\SpywareBlaster
2009-10-01 20:36 . 2009-10-01 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-01 20:36 . 2009-10-14 21:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-01 20:36 . 2009-10-01 20:36 -------- d-----w- c:\documents and settings\COOPRO01.L099ADMN507885\Application Data\SUPERAntiSpyware.com
2009-10-01 20:35 . 2009-10-01 20:35 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-30 14:01 . 2009-10-29 10:26 -------- d-----w- C:\Quarantine
2009-09-30 01:05 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 01:05 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 01:05 . 2009-09-30 01:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-29 10:38 . 2009-06-10 19:06 0 ----a-w- c:\documents and settings\COOPRO01.L099ADMN507885\Local Settings\Application Data\WavXMapDrive.bat
2009-10-29 10:37 . 2009-06-10 18:51 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-10-29 10:37 . 2009-05-18 23:27 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-10-28 12:01 . 2009-06-10 18:30 0 ----a-w- c:\documents and settings\COOPRO01\Local Settings\Application Data\WavXMapDrive.bat
2009-10-20 23:19 . 2006-07-11 23:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-17 20:04 . 2009-06-04 13:46 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-16 16:16 . 2009-06-04 13:25 0 ----a-w- c:\documents and settings\fieldtech\Local Settings\Application Data\WavXMapDrive.bat
2009-10-01 01:57 . 2009-05-18 22:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:06 . 2009-06-10 18:52 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-10-01 00:18 . 2009-08-18 10:12 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-30 21:58 . 2007-06-12 17:02 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-09-30 00:30 . 2009-06-04 13:24 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Broadcom
2009-09-21 21:26 . 2009-09-21 21:26 -------- d-----w- c:\program files\Free RAR Extract Frog
2009-09-17 19:35 . 2009-09-17 19:35 35840 ----a-w- c:\windows\system32\diag2.dll
2009-09-13 13:53 . 2009-09-13 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt
2009-09-13 13:46 . 2009-09-13 13:46 -------- d-----w- c:\program files\Trend Micro
2009-09-11 14:18 . 2008-04-25 16:16 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 11:05 . 2009-07-17 14:08 51784 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-08 11:05 . 2009-06-11 00:40 -------- d-----w- c:\documents and settings\COOPRO01.L099ADMN507885\Application Data\Apple Computer
2009-09-08 03:25 . 2009-08-13 23:22 -------- d-----w- c:\program files\Windows Defender
2009-09-08 03:06 . 2009-09-08 03:06 -------- d-----w- c:\program files\ESET
2009-09-08 02:54 . 2009-09-08 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-09-08 02:40 . 2009-09-08 02:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-09-08 02:39 . 2009-09-08 02:39 -------- d-----w- c:\program files\Common Files\iS3
2009-09-07 22:28 . 2009-08-22 19:08 -------- d-----w- c:\program files\ffdshow
2009-09-07 22:27 . 2009-08-10 10:43 -------- d-----w- c:\documents and settings\COOPRO01.L099ADMN507885\Application Data\Amazon
2009-09-07 20:59 . 2009-09-07 19:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-07 20:58 . 2009-09-07 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-07 19:09 . 2009-09-07 19:09 -------- d-----w- c:\documents and settings\COOPRO01.L099ADMN507885\Application Data\Malwarebytes
2009-09-07 19:09 . 2009-09-07 19:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-04 21:03 . 2008-04-25 16:16 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2008-04-25 16:16 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-10 13:25 . 2009-05-18 23:23 66144 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 10:43 . 2009-05-18 23:10 66144 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:24 . 2008-04-25 21:27 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2008-04-25 21:27 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2008-10-16 18:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2008-04-25 21:27 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2008-04-25 21:27 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2008-04-25 16:16 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2008-04-25 21:27 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2008-04-25 21:27 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2008-04-25 16:16 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2008-04-25 16:16 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-04-30 00:07 . 2009-07-06 16:52 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-01-14 15:24 40960 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-14 2000112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-12-22 145408]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2009-01-16 15360]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-17 483420]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2009-01-16 656696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 134656]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 98304]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-11-10 136512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 134656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-06-15 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 166912]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2009-01-16 95544]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-01-19 667648]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2009-03-01 1810432]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 77824]
"ChangeTPMAuth"="c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe" [2008-12-19 184320]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 622592]
"AppMgrGui"="c:\program files\AppStream\WindowsClient\Bin\exeForService.exe" [2008-05-23 57344]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-21 177472]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-02-22 200704]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-17 729088]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-01 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-20 198160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-2-6 1095456]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2009-6-10 163840]
Directrec Configuration Tool.lnk - c:\program files\Olympus\DeviceDetector\DirectrecConfig.exe [2009-6-10 122880]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{2D0C3614-D550-4b6b-BF80-D83C4544D6AE}"= "c:\program files\AppStream\WindowsClient\bin\ShExecHook.dll" [2008-05-23 94208]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"rpcnetp"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [2009-03-01 77824]
R3 fsbl;F-Secure BlackLight Engine Driver;c:\documents and settings\COOPRO01.L099ADMN507885\Local Settings\Temp\f-downadup\fsbldrv.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-04-30 65224]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2009-06-05 17408]
R3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\NvtSp50.sys [x]
S1 APPSTREAM;APPSTREAM;c:\windows\System32\Drivers\APPSTREAM.SYS [2008-05-23 121044]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-09-15 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-09-15 74480]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 163840]
S2 AppMgrService;AWE 5.2.2 Application Manager;c:\program files\AppStream\WindowsClient\bin\AppMgrService.exe [2008-05-23 2314240]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\Fingerprint Sensor\AtService.exe [2008-06-27 1664248]
S2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe [2008-07-01 110592]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2008-12-29 320800]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-02-07 443168]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2009-04-30 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-04-30 70216]
S2 REGHOOK;REGHOOK;c:\windows\System32\Drivers\REGHOOK.SYS [2008-05-23 58975]
S2 VSPD;VSPD;c:\windows\System32\Drivers\VSPD.SYS [2008-05-23 31321]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-03-17 112512]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-02-26 109568]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-09-15 7408]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cmsdnet.net
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: adobe.com
Trusted Zone: appsvr03
Trusted Zone: appsvr04
Trusted Zone: cmsdnet.net
Trusted Zone: cmsdnet.net\appsvr03
Trusted Zone: cmsdnet.net\appsvr04
Trusted Zone: k12.oh.us\*.cleveland
Trusted Zone: renlearn.com
Trusted Zone: renlearn.com\hosted27
FF - ProfilePath - c:\documents and settings\COOPRO01.L099ADMN507885\Application Data\Mozilla\Firefox\Profiles\8171nux1.default\
FF - prefs.js: browser.startup.homepage - hxxp://dsl.sbc.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\Scriptff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRLPrint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Wdf01000.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-29 06:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1028)
c:\windows\system32\wvauth.dll

- - - - - - - > 'explorer.exe'(3612)
c:\windows\system32\WININET.dll
c:\windows\system32\igfxdo.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\btmmhook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\drivers\audio\r213367\stacsv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\rpcnet.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\McAfee\Common Framework\McScript_InUse.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\AppStream\WindowsClient\Bin\AppMgrGui.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\progra~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
c:\program files\Brother\Brmfcmon\BrMfimon.exe
.
**************************************************************************
.
Completion time: 2009-10-29 6:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 10:47

Pre-Run: 55,611,834,368 bytes free
Post-Run: 55,911,686,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 00C7A0A7F2D0170282F9FC96E14F070E

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,823 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:24 AM

Posted 29 October 2009 - 06:30 AM

Hello funkecrates,

Glad to hear things are improving. But we still have a bit of cleanup to do :(


One or more of the identified infections is a banker trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, it is recommended to verify all the above.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


SHOW HIDDEN FILES AND FOLDERS
-------------------------------------------------
Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK



UPLOAD A FILE
--------------------
We need to check a file. Please click this link VirusTotal

When the page has finished loading, click the Choose file button and navigate to the following file and click Send file.

c:\windows\system32\wvauth.dll

If you get the message that the file has already been scanned before, please click Reanalyse file now.
Please post back the results of the scan in your next post.


In your next reply, please include the following:
  • Scan results of the uploaded file

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 funkecrates

funkecrates
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 29 October 2009 - 06:53 AM

File wvauth.dll received on 2009.10.29 11:45:38 (UTC)
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.29 -
AhnLab-V3 5.0.0.2 2009.10.29 -
AntiVir 7.9.1.50 2009.10.29 -
Antiy-AVL 2.0.3.7 2009.10.27 -
Authentium 5.1.2.4 2009.10.28 -
Avast 4.8.1351.0 2009.10.28 -
AVG 8.5.0.423 2009.10.29 -
BitDefender 7.2 2009.10.29 -
CAT-QuickHeal 10.00 2009.10.29 -
ClamAV 0.94.1 2009.10.29 -
Comodo 2767 2009.10.29 -
DrWeb 5.0.0.12182 2009.10.29 -
eTrust-Vet 35.1.7091 2009.10.29 -
F-Prot 4.5.1.85 2009.10.28 -
F-Secure 9.0.15370.0 2009.10.27 -
Fortinet 3.120.0.0 2009.10.29 -
GData 19 2009.10.29 -
Ikarus T3.1.1.72.0 2009.10.29 -
Jiangmin 11.0.800 2009.10.26 -
K7AntiVirus 7.10.881 2009.10.27 -
Kaspersky 7.0.0.125 2009.10.29 -
McAfee 5785 2009.10.28 -
McAfee+Artemis 5785 2009.10.28 -
McAfee-GW-Edition 6.8.5 2009.10.29 -
Microsoft 1.5202 2009.10.29 -
NOD32 4554 2009.10.29 -
Norman 6.03.02 2009.10.29 -
nProtect 2009.1.8.0 2009.10.29 -
Panda 10.0.2.2 2009.10.28 -
PCTools 4.4.2.0 2009.10.19 -
Prevx 3.0 2009.10.29 -
Rising 21.53.33.00 2009.10.29 -
Sophos 4.46.0 2009.10.29 -
Sunbelt 3.2.1858.2 2009.10.29 -
Symantec 1.4.4.12 2009.10.29 -
TheHacker 6.5.0.2.056 2009.10.28 -
TrendMicro 8.950.0.1094 2009.10.29 -
VBA32 3.12.10.11 2009.10.29 -
ViRobot 2009.10.29.2011 2009.10.29 -
VirusBuster 4.6.5.0 2009.10.28 -
Additional information
File size: 1024000 bytes
MD5...: f5e72ef8f7cda34d66cb62ee358bd4e9
SHA1..: 5a25529846cb5b6fb99278bc18734de9f3f813a5
SHA256: 51003d45a2c83c4ec2d7d30ebfa33eb3fde8abe5847304cf8032e27742e213e0
ssdeep: 12288:Y7owA8st3suR/65/xZtorL59HxZAJGqG/z4rmlXQOPFSTA8suYFXji18dM0rXZOv:PwmT6Nx8rLvRz4SlXQuFIATuYFXjtFE
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x8650e
timedatestamp.....: 0x49417e55 (Thu Dec 11 20:55:49 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb1957 0xb2000 6.62 bdbbf859a341bb980c72b30e5a917dcf
.rdata 0xb3000 0x25424 0x26000 5.03 7c59300406f15f901cc982e6aeb3116a
.data 0xd9000 0x158a8 0x13000 4.94 9ed8a5a23685e16589a8a0a10c485411
.rsrc 0xef000 0x404 0x1000 3.74 ca5efcefd13957142a28368ee51aedd4
.reloc 0xf0000 0xc77a 0xd000 5.72 a8d58f2b2840f39dfc4beec278f0eb12

( 15 imports )
> WinSCard.dll: SCardEstablishContext, SCardGetStatusChangeW, SCardReleaseContext
> KERNEL32.dll: GetProcessHeap, HeapAlloc, HeapFree, GetVersionExW, CompareFileTime, OpenFileMappingW, FileTimeToSystemTime, lstrlenA, WideCharToMultiByte, SystemTimeToFileTime, GetSystemTimeAsFileTime, GetComputerNameW, SetEvent, CreateEventW, GetWindowsDirectoryW, SetDllDirectoryW, LocalFree, GetModuleFileNameW, LoadLibraryExW, MultiByteToWideChar, FreeLibrary, GetModuleHandleW, GetProcAddress, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, lstrcmpiW, InterlockedDecrement, InterlockedIncrement, FormatMessageW, lstrlenW, LocalAlloc, CreateNamedPipeW, ConnectNamedPipe, Sleep, CreateThread, EnterCriticalSection, LeaveCriticalSection, GetLastError, WriteFile, WaitForSingleObject, ResetEvent, FlushFileBuffers, DisconnectNamedPipe, CloseHandle, GetCurrentProcess, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, DeleteCriticalSection, InitializeCriticalSection, RaiseException, SetEnvironmentVariableA, CompareStringA, SetEndOfFile, WriteConsoleA, GetLocaleInfoW, LoadLibraryA, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, CreateFileA, GetComputerNameExW, ReadFile, CreateFileW, GetModuleFileNameA, GetCurrentThreadId, GetCurrentProcessId, ExitProcess, GetVersionExA, HeapDestroy, HeapReAlloc, OutputDebugStringA, HeapSize, InterlockedExchange, CreateDirectoryA, OpenEventW, GetACP, GetLocaleInfoA, GetThreadLocale, InterlockedCompareExchange, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind, VirtualProtect, VirtualAlloc, GetModuleHandleA, GetSystemInfo, SetStdHandle, LoadLibraryW, VirtualQuery, MoveFileExW, GetTickCount, ExitThread, DeleteFileW, GetFileAttributesW, GetCommandLineA, SetLastError, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, SetFilePointer, GetConsoleMode, GetConsoleCP, GetStartupInfoA, SetHandleCount, IsValidCodePage, GetOEMCP, TlsFree, TlsSetValue, GetConsoleOutputCP, TlsAlloc, GetTimeZoneInformation, TlsGetValue, HeapCreate, VirtualFree, GetStringTypeW, GetStringTypeA, GetCPInfo, LCMapStringW, LCMapStringA, CreateDirectoryW, GetStdHandle, CompareStringW, GetFileType, WriteConsoleW
> USER32.dll: DispatchMessageW, wsprintfW, GetMessageW, TranslateMessage, UnregisterClassA, CharNextW
> ADVAPI32.dll: AddAccessAllowedAce, RegGetKeySecurity, RegSetKeySecurity, AddAccessDeniedAce, InitializeAcl, CryptCreateHash, CryptSetHashParam, CryptHashData, CryptGetHashParam, CryptDestroyHash, CryptEncrypt, CryptGetProvParam, CryptGenRandom, CryptGetKeyParam, CryptImportKey, EqualSid, LookupAccountSidW, GetLengthSid, CryptSetProvParam, QueryServiceStatusEx, CloseServiceHandle, OpenSCManagerW, OpenServiceW, CryptGenKey, CryptGetUserKey, CryptExportKey, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, LookupAccountNameW, CopySid, ConvertSidToStringSidW, GetUserNameW, AllocateLocallyUniqueId, ImpersonateLoggedOnUser, LsaNtStatusToWinError, AdjustTokenPrivileges, LookupPrivilegeValueW, CryptDecrypt, ConvertStringSecurityDescriptorToSecurityDescriptorW, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, RegDeleteKeyW, IsValidSid, InitializeSecurityDescriptor, SetSecurityDescriptorDacl, ImpersonateNamedPipeClient, CryptAcquireContextW, CryptDestroyKey, CryptReleaseContext, RevertToSelf, OpenProcessToken, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, RegOpenKeyW, GetSidIdentifierAuthority, GetSidSubAuthorityCount, GetSidSubAuthority
> SHELL32.dll: SHGetFolderPathW, SHGetFolderPathA
> ole32.dll: CoTaskMemRealloc, CoUninitialize, CoTaskMemAlloc, CoInitialize, OleRun, CoCreateInstance, CLSIDFromString, CoReleaseMarshalData, CoMarshalInterface, CoUnmarshalInterface, CoWaitForMultipleHandles, CoTaskMemFree, CoSetProxyBlanket, CLSIDFromProgID, CoCreateInstanceEx, StringFromCLSID, ProgIDFromCLSID, CreateStreamOnHGlobal
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> Secur32.dll: LsaCallAuthenticationPackage, LsaConnectUntrusted, GetComputerObjectNameW, LsaLogonUser, LsaFreeReturnBuffer, LsaLookupAuthenticationPackage, LsaRegisterLogonProcess, LsaDeregisterLogonProcess
> SHLWAPI.dll: PathAppendW, PathIsDirectoryA, PathFileExistsA, PathAppendA
> CRYPT32.dll: CryptUnprotectData, CryptProtectData
> NETAPI32.dll: NetServerGetInfo, DsGetDcNameW, NetApiBufferFree
> ACTIVEDS.dll: -, -
> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -
> WLDAP32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> USERENV.dll: FreeGPOListW, UnloadUserProfile, GetGPOListW

( 6 exports )
LsaApCallPackage, LsaApCallPackagePassthrough, LsaApCallPackageUntrusted, LsaApInitializePackage, LsaApLogonTerminated, LsaApLogonUserEx2

RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win64 Executable Generic (46.2%)
Win32 EXE PECompact compressed (generic) (22.4%)
Win32 Executable MS Visual C++ (generic) (20.3%)
Win32 Executable Generic (4.6%)
Win32 Dynamic Link Library (generic) (4.0%)
sigcheck:
publisher....: Wave Systems Corp.
copyright....: Copyright © 2007 Wave Systems Corp.
product......: Authentication Manager
description..: Authentication Package
original name: wvauth.dll
internal name: 32 bits
file version.: 3.3.5.4
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

#8 Elise

Posted 29 October 2009 - 07:14 AM

Hello funkecrates,

Looking good so far!

MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please launch MBAM and on the Update tab, click Check for updates now
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
  • MBAM log
  • A new DDS log
  • A description of any remaining problems.

regards, Elise




#9 funkecrates

Posted 29 October 2009 - 09:00 AM

Malwarebytes' Anti-Malware 1.41
Database version: 3052
Windows 5.1.2600 Service Pack 3

10/29/2009 9:54:11 AM
mbam-log-2009-10-29 (09-54-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 205515
Time elapsed: 1 hour(s), 20 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




DDS (Ver_09-10-26.01) - NTFSx86
Run by COOPRO01 at 9:56:58.29 on Thu 10/29/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.cmsdnet.net
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [SecureUpgrade] "c:\program files\wave systems corp\SecureUpgrade.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [OrderReminder] c:\program files\hewlett-packard\orderreminder\OrderReminder.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [EmbassySecurityCheck] "c:\program files\wave systems corp\embassy security setup\EMBASSYSecurityCheck.exe"
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [ChangeTPMAuth] c:\program files\wave systems corp\common\ChangeTPMAuth.exe /T:NTRU12
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [AppMgrGui] c:\program files\appstream\windowsclient\bin\exeForService.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\devicedetector\DirectrecConfig.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: adobe.com
Trusted Zone: appsvr03
Trusted Zone: appsvr04
Trusted Zone: cmsdnet.net
Trusted Zone: cmsdnet.net\appsvr03
Trusted Zone: cmsdnet.net\appsvr04
Trusted Zone: k12.oh.us\*.cleveland
Trusted Zone: renlearn.com
Trusted Zone: renlearn.com\hosted27
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://lnmail05.cleveland.k12.oh.us/dwa7W.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: ShExecHookLib Class: {2d0c3614-d550-4b6b-bf80-d83c4544d6ae} - c:\program files\appstream\windowsclient\bin\ShExecHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\coopro~1.l09\applic~1\mozilla\firefox\profiles\8171nux1.default\
FF - prefs.js: browser.startup.homepage - hxxp://dsl.sbc.yahoo.com/
FF - component: c:\program files\mozilla firefox\components\Scriptff.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRLPrint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-29 10:17:37 0 d-sha-r- C:\cmdcons
2009-10-29 10:14:59 77312 ----a-w- c:\windows\MBR.exe
2009-10-29 10:14:54 98816 ----a-w- c:\windows\sed.exe
2009-10-29 10:14:54 236544 ----a-w- c:\windows\PEV.exe
2009-10-29 10:14:54 161792 ----a-w- c:\windows\SWREG.exe
2009-10-20 23:20:18 0 d-----w- c:\program files\common files\xing shared
2009-10-20 23:19:47 0 d-----w- c:\program files\common files\Real
2009-10-01 21:29:33 0 dc-h--w- c:\windows\ie8
2009-10-01 20:48:34 0 d-----w- c:\program files\SpywareBlaster
2009-10-01 20:36:38 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-01 20:36:22 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-01 20:36:21 0 d-----w- c:\docume~1\coopro~1.l09\applic~1\SUPERAntiSpyware.com
2009-10-01 20:35:17 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-01 01:59:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-09-30 14:01:45 0 d-----w- C:\Quarantine
2009-09-30 01:05:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 01:05:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 01:05:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-10-29 10:37:50 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2009-10-29 10:37:48 56680 ----a-w- c:\windows\system32\rpcnet.dll
2009-10-20 23:19:50 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-01 01:57:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 01:06:08 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2009-09-30 21:58:39 56680 ----a-w- c:\windows\system32\rpcnet.exe
2009-09-17 19:35:36 35840 ----a-w- c:\windows\system32\diag2.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 11:05:47 51784 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01:48 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13:08 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20:09 2023936 ------w- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 9:57:28.32 ===============

My computer is running fine, no issues...

#10 Elise

Posted 29 October 2009 - 09:13 AM

Hello funkecrates,

I see no more active malware here, but let's also check with ESET. Because for some reason DDS skips some sections, I also want to see an OTL log.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In your next reply, please include the following:
  • ESET online scan results
  • OTL report

regards, Elise




#11 funkecrates

Posted 29 October 2009 - 01:02 PM

I tried to download OTL, except my McAfee antivirus kept blocking it. I was able to run the other scan and nothing was found. I had to leave out for a few minutes, so I shut down my computer, and now it won't boot; all I get is the Windows XP screen. Excuse my typing, I have to use my iPhone to communicate with you now.

#12 Elise

Posted 29 October 2009 - 01:23 PM

Hello funkecrates,

I have to say I am kind of surprised here. If ESET didn't find anything, nothing important should be changed on your system. Can you please tell me if there were any other weird things going on?


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

We Need to Diagnose Your BlueScreen
  • When you boot your machine, press F8 to list the startup options, exactly as you would if you were trying to enter Safe Mode
  • Select "Disable Automatic Restart on System Failure", as shown here:
    Posted Image
  • When your system BSODs, write down the STOP error code, as well as any written out error message back here. The STOP error will always appear, but the message may not. You are looking for this:
    Posted Image
When you start your computer, you should have the option to boot into the Recovery Console. Can you please tell me if this option appears?

regards, Elise




#13 funkecrates

Posted 29 October 2009 - 06:14 PM

stop: 0x0000007B (0XF78D2524 , 0XC0000034 , 0X00000000 , 0X00000000)
Yes, I do see the option to boot into the Recovery Console.

#14 Elise

Posted 30 October 2009 - 02:12 AM

Are you able to boot into Safe Mode (try also with networking or with command prompt)? Try also Last Known Good Configuration.

Let me know if any of these let you boot normally.

regards, Elise




#15 funkecrates

Posted 30 October 2009 - 07:01 AM

- Safe Mode: when I boot I get a black screen with "Safe Mode" in each corner and "Microsoft Windows XP..." across the top, no icons on the screen or anything.

- Safe Mode with Networking: I get the same thing as listed above.

- Safe Mode with Command Prompt: the same thing as above.......



