
Infected with windows enterprise defender


  • This topic is locked
43 replies to this topic

#1 decemberist

decemberist

  • Members
  • 25 posts
  • OFFLINE
  • Local time:08:47 AM

Posted 18 October 2009 - 02:42 PM

I've already tried using Malwarebytes several times but even though it shows a lot of infected files and removes them the enterprise 'warning' window still comes up. When I reboot the computer and try the Malwarebytes again the same problems appeared in the log. :( Can I remove it manually?



DDS (Ver_09-10-13.01) - NTFSx86
Run by Admin at 21:27:38,57 on 2009-10-18
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.511.129 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows Enterprise Defender *On-access scanning enabled* (Updated) {35F94409-BC9A-4B6E-9046-2294AEA34FD0}
FW: Windows Enterprise Defender *enabled* {C274CE3D-5DEB-4B83-A1C5-EB37F284E2A2}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
D:\programy\Winamp\winampa.exe
C:\windows\Mixer.exe
D:\programy\HP Software Update\HPWuSchd2.exe
C:\windows\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\All Users\Dane aplikacji\a2b9fe6\WEa2b9.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
D:\programy\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\windows\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\system32\svchost.exe -k imgsvc
D:\programy\Digital Imaging\bin\hpqimzone.exe
D:\programy\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Admin\Pulpit\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: IEPluginBHO Class: {f5cc7f02-6f4e-4462-b5b1-394a57fd3e0d} - c:\documents and settings\admin\dane aplikacji\nowe gadu-gadu\_userdata\ggbho.1.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [WinampAgent] d:\programy\winamp\winampa.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [HP Software Update] d:\programy\hp software update\HPWuSchd2.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] d:\programy\program\ADGJDet.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [QuickTime Task] "d:\programy\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Enterprise Defender] "c:\documents and settings\all users\dane aplikacji\a2b9fe6\WEa2b9.exe" /s /d
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admin\menust~1\programy\autost~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\hpdigi~1.lnk - d:\programy\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\hpphot~1.lnk - d:\programy\digital imaging\bin\hpqthb08.exe
IE: Download Video by Free YouTuBe Utility - d:\programy\free youtube utility\IEydown.htm
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\daneap~1\mozilla\firefox\profiles\dk1kj5hq.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2314472&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - search
FF - plugin: c:\documents and settings\admin\dane aplikacji\nowe gadu-gadu\_userdata\npgg.1.dll
FF - plugin: d:\programy\plugins\npqtplugin.dll
FF - plugin: d:\programy\plugins\npqtplugin2.dll
FF - plugin: d:\programy\plugins\npqtplugin3.dll
FF - plugin: d:\programy\plugins\npqtplugin4.dll
FF - plugin: d:\programy\plugins\npqtplugin5.dll
FF - plugin: d:\programy\plugins\npqtplugin6.dll
FF - plugin: d:\programy\plugins\npqtplugin7.dll
FF - plugin: d:\programy\real player\netscape6\nppl3260.dll
FF - plugin: d:\programy\real player\netscape6\nprjplug.dll
FF - plugin: d:\programy\real player\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-21 27904]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;"c:\program files\avira\antivir desktop\sched.exe" --> c:\program files\avira\antivir desktop\sched.exe [?]

=============== Created Last 30 ================

2009-10-18 20:12 <DIR> --dsh--- c:\docume~1\alluse~1\daneap~1\WEDDSys
2009-10-18 20:11 <DIR> --d----- C:\ADWARE_LOG
2009-10-18 20:11 <DIR> --dsh--- c:\docume~1\alluse~1\daneap~1\a2b9fe6
2009-10-08 17:00 <DIR> --ds---- c:\documents and settings\admin\UserData

==================== Find3M ====================

2009-09-25 07:37 669,696 a------- c:\windows\system32\wininet.dll
2009-09-25 07:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-11 16:19 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 23:05 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 10:02 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 11:01 205,312 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 22:59 2,190,464 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 19:29 2,067,328 a------- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 21:27:53,73 ===============
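Two things in the Pseudo HJT Report above are what a responder flags first: the "Windows Enterprise Defender" autorun launched from a random hex-named folder under Dane aplikacji, and the IFEO entries whose debugger is svchost.exe, which means Windows starts svchost.exe in place of the listed security tool so it never runs. The Python below is an added example (not from this thread and not part of DDS) that picks both patterns out of such lines; the sample report is copied from the log above, and the hex-folder heuristic is my assumption.

```python
"""Flag two rogue-AV indicators in a DDS 'Pseudo HJT Report' section.

  * IFEO lines whose debugger is svchost.exe: Windows starts the debugger
    instead of the listed image, so the named security tool never runs.
  * uRun/mRun/dRun lines launched from an application-data folder whose
    name is a short random hex string (heuristic; an assumption here).
"""
import re

IFEO_RE = re.compile(r"^IFEO:\s+(?P<image>.+?)\s+-\s+(?P<debugger>.+?)\s*$", re.I)
RUN_RE = re.compile(r"^(?P<hive>[umd]Run):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$", re.I)
# Folder such as \a2b9fe6\ : 6-8 hex characters between path separators.
HEX_DIR_RE = re.compile(r"[\\/][0-9a-f]{6,8}[\\/]")
# Localized (Polish, as in this log) and English names of the app-data folders.
APPDATA_HINTS = ("application data", "dane aplikacji", "appdata")


def check_ifeo(line):
    """Return ('ifeo_hijack', image, debugger) if a tool is redirected to svchost.exe."""
    m = IFEO_RE.match(line)
    if not m:
        return None
    image, debugger = m.group("image"), m.group("debugger")
    if image.lower() == "image file execution options":
        return None  # DDS prints the key name itself first; not a hijack
    if debugger.lower().endswith("svchost.exe"):
        return ("ifeo_hijack", image, debugger)
    return None


def check_autorun(line):
    """Return ('rogue_autorun', name, path) for an autorun from a hex-named app-data folder."""
    m = RUN_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    low = cmd.lower()
    if HEX_DIR_RE.search(low) and any(h in low for h in APPDATA_HINTS):
        # Quoted command lines carry switches after the closing quote (/s /d above).
        path = cmd.split('"')[1] if cmd.startswith('"') else cmd
        return ("rogue_autorun", m.group("name"), path)
    return None


def scan_report(text):
    """Run both checks over every line and collect the hits in log order."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for check in (check_ifeo, check_autorun):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample: lines copied from the first DDS log in this thread, plus benign ones.
SAMPLE_REPORT = r"""
mRun: [WinampAgent] d:\programy\winamp\winampa.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Enterprise Defender] "c:\documents and settings\all users\dane aplikacji\a2b9fe6\WEa2b9.exe" /s /d
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe
"""

if __name__ == "__main__":
    for kind, name, target in scan_report(SAMPLE_REPORT):
        print(f"{kind:14} {name:30} -> {target}")
```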



#2 decemberist

decemberist
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:08:47 AM

Posted 20 October 2009 - 02:16 PM

UPDATE

I found the manual uninstall guide on your website and deleted as many of the files as I could find. Now the defender doesn't launch when I start the computer, I have no alerts and so on; however, I still experience some problems that I think might be connected with Enterprise. Sometimes I can't enter websites that I used to visit without a warning page appearing saying that the site's security certificate is not trusted (SSL Error). I also experience problems with my antivirus, Avira (when I uninstalled it and tried AVG, it didn't even install, saying that Enterprise is installed on the computer and it may cause trouble). Malwarebytes didn't find any malicious entries.

Here is my new log in case something is different now.


DDS (Ver_09-10-13.01) - NTFSx86
Run by Admin at 21:08:22,48 on 2009-10-20
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.511.188 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows Enterprise Defender *On-access scanning enabled* (Updated) {35F94409-BC9A-4B6E-9046-2294AEA34FD0}
FW: Windows Enterprise Defender *enabled* {C274CE3D-5DEB-4B83-A1C5-EB37F284E2A2}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
svchost.exe
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
D:\programy\Winamp\winampa.exe
C:\windows\Mixer.exe
D:\programy\HP Software Update\HPWuSchd2.exe
C:\windows\system32\CTHELPER.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
svchost.exe
D:\programy\Digital Imaging\bin\hpqtra08.exe
C:\windows\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\OpenOffice.org 3\program\soffice.bin
D:\programy\Digital Imaging\bin\hpqSTE08.exe
D:\programy\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\programy\Nowe Gadu-Gadu\gg.exe
D:\programy\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Admin\Moje dokumenty\Downloads\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: IEPluginBHO Class: {f5cc7f02-6f4e-4462-b5b1-394a57fd3e0d} - c:\documents and settings\admin\dane aplikacji\nowe gadu-gadu\_userdata\ggbho.1.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Google Update] "c:\documents and settings\admin\ustawienia lokalne\dane aplikacji\google\update\GoogleUpdate.exe" /c
mRun: [WinampAgent] d:\programy\winamp\winampa.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [HP Software Update] d:\programy\hp software update\HPWuSchd2.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] d:\programy\program\ADGJDet.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "d:\programy\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admin\menust~1\programy\autost~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\hpdigi~1.lnk - d:\programy\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\hpphot~1.lnk - d:\programy\digital imaging\bin\hpqthb08.exe
IE: Download Video by Free YouTuBe Utility - d:\programy\free youtube utility\IEydown.htm
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-20 108289]
R4 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-21 27904]

=============== Created Last 30 ================

2009-10-20 20:11 <DIR> --d----- c:\program files\Avira
2009-10-20 20:11 <DIR> --d----- c:\docume~1\alluse~1\daneap~1\Avira
2009-10-20 20:07 <DIR> --d----- c:\docume~1\alluse~1\daneap~1\avg9
2009-10-20 18:22 <DIR> --d----- c:\docume~1\admin\daneap~1\AVG8
2009-10-20 16:30 <DIR> --d----- c:\docume~1\admin\daneap~1\Locate32
2009-10-19 13:17 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-10-19 13:17 <DIR> --d----- c:\program files\MSECACHE
2009-10-18 20:11 <DIR> --d----- C:\ADWARE_LOG
2009-10-18 20:11 <DIR> --dsh--- c:\docume~1\alluse~1\daneap~1\a2b9fe6
2009-10-08 17:00 <DIR> --ds---- c:\documents and settings\admin\UserData

==================== Find3M ====================

2009-10-20 18:17 435,978 a------- c:\windows\system32\perfh015.dat
2009-10-20 18:17 67,078 a------- c:\windows\system32\perfc015.dat
2009-09-25 07:37 669,696 a------- c:\windows\system32\wininet.dll
2009-09-25 07:37 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-11 16:19 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-04 23:05 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-26 10:02 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 11:01 205,312 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 22:59 2,190,464 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 19:29 2,067,328 a------- c:\windows\system32\ntkrnlpa.exe

============= FINISH: 21:08:54,07 ===============

Hello decemberist,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not make multiple posts here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 20 October 2009 - 05:21 PM.


#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:47 AM

Posted 27 October 2009 - 05:41 AM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh dds log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#4 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:47 AM

Posted 05 November 2009 - 01:51 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.



#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,109 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:47 AM

Posted 10 November 2009 - 05:21 PM

Hello decemberist,

I have reopened your topic as requested upon consult with your helper. Please be sure to check your topic at least once a day for responses as the e-mail notification system is unreliable.

Blade81 has requested that you post new DDS logs including the attach.txt and a fresh RootRepeal log. Please include an updated description of your computer issues.

Back to you Blade81,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#6 decemberist

decemberist
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:08:47 AM

Posted 11 November 2009 - 05:08 PM

Basically, since I've removed some of the Enterprise files manually (the ones I managed to find thanks to the guide that I found on this website) I haven't got any alerts etc.; however, I am still having problems with the internet connection. When I type the address everything works fine, but when I try to enter a website from Google, for example, it redirects me to an entirely different address. The SSL error appears even when I want to enter well-known and 'safe' sites. Generally I feel that the computer is not working properly even though I don't have any alerts popping up, but the only clearly visible problem is the internet.
Oh, and those problems appeared right after Enterprise infected my computer.

PS. sorry for not noticing your first response!

DDS (Ver_09-10-26.01) - NTFSx86
Run by Admin at 22:37:38,25 on 2009-11-11
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.511.100 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Windows Enterprise Defender *On-access scanning enabled* (Updated) {35F94409-BC9A-4B6E-9046-2294AEA34FD0}
FW: Windows Enterprise Defender *enabled* {C274CE3D-5DEB-4B83-A1C5-EB37F284E2A2}

============== Running Processes ===============

C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost -k DcomLaunch
C:\windows\system32\svchost -k rpcss
C:\windows\System32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k WudfServiceGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
D:\programy\Winamp\winampa.exe
C:\windows\Mixer.exe
D:\programy\HP Software Update\HPWuSchd2.exe
C:\windows\system32\CTHELPER.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
D:\programy\IObit Security 360\IS360tray.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
D:\programy\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
D:\programy\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\windows\system32\CTsvcCDA.exe
D:\programy\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\wuauclt.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\windows\System32\alg.exe
D:\programy\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\update.exe
C:\Documents and Settings\Admin\Moje dokumenty\Pobieranie\dds.scr
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: IEPluginBHO Class: {f5cc7f02-6f4e-4462-b5b1-394a57fd3e0d} - c:\documents and settings\admin\dane aplikacji\nowe gadu-gadu\_userdata\ggbho.1.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Google Update] "c:\documents and settings\admin\ustawienia lokalne\dane aplikacji\google\update\GoogleUpdate.exe" /c
mRun: [WinampAgent] d:\programy\winamp\winampa.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [HP Software Update] d:\programy\hp software update\HPWuSchd2.exe
mRun: [WINDVDPatch] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [Jet Detection] d:\programy\program\ADGJDet.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "d:\programy\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [IObit Security 360] "d:\programy\iobit security 360\IS360tray.exe" /autostart
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admin\menust~1\programy\autost~1\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\hpdigi~1.lnk - d:\programy\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\programy\autost~1\hpphot~1.lnk - d:\programy\digital imaging\bin\hpqthb08.exe
IE: Download Video by Free YouTuBe Utility - d:\programy\free youtube utility\IEydown.htm
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: image file execution options - svchost.exe
IFEO: brastk.exe - svchost.exe
IFEO: gav.exe - svchost.exe
IFEO: norton_internet_secu_3.0_407.exe - svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\daneap~1\mozilla\firefox\profiles\0mb1qayg.default\
FF - plugin: c:\documents and settings\admin\dane aplikacji\nowe gadu-gadu\_userdata\npgg.1.dll
FF - plugin: c:\documents and settings\admin\ustawienia lokalne\dane aplikacji\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: d:\programy\plugins\npqtplugin.dll
FF - plugin: d:\programy\plugins\npqtplugin2.dll
FF - plugin: d:\programy\plugins\npqtplugin3.dll
FF - plugin: d:\programy\plugins\npqtplugin4.dll
FF - plugin: d:\programy\plugins\npqtplugin5.dll
FF - plugin: d:\programy\plugins\npqtplugin6.dll
FF - plugin: d:\programy\plugins\npqtplugin7.dll
FF - plugin: d:\programy\real player\netscape6\nppl3260.dll
FF - plugin: d:\programy\real player\netscape6\nprjplug.dll
FF - plugin: d:\programy\real player\netscape6\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-10-20 108289]
R2 IS360service;IS360service;d:\programy\iobit security 360\is360srv.exe [2009-10-31 312592]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-11-21 27904]

=============== Created Last 30 ================

2009-10-21 20:35:02 0 d-----w- c:\docume~1\alluse~1\daneap~1\IObit
2009-10-20 18:11:40 0 d-----w- c:\program files\Avira
2009-10-20 18:11:40 0 d-----w- c:\docume~1\alluse~1\daneap~1\Avira
2009-10-20 18:07:58 0 d-----w- c:\docume~1\alluse~1\daneap~1\avg9
2009-10-20 16:22:54 0 d-----w- c:\docume~1\admin\daneap~1\AVG8
2009-10-20 14:30:07 0 d-----w- c:\docume~1\admin\daneap~1\Locate32
2009-10-19 11:17:54 0 d-----w- c:\program files\Windows Installer Clean Up
2009-10-19 11:17:46 0 d-----w- c:\program files\MSECACHE
2009-10-18 18:11:22 0 d-sh--w- c:\docume~1\alluse~1\daneap~1\a2b9fe6

==================== Find3M ====================

2009-10-26 12:22:32 67078 ----a-w- c:\windows\system32\perfc015.dat
2009-10-26 12:22:32 435978 ----a-w- c:\windows\system32\perfh015.dat
2009-09-25 05:37:34 669696 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:37:30 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-11 14:19:43 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:05:35 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:02:15 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-14 15:15:52 1850880 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 22:38:19,64 ===============


#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:47 AM

Posted 12 November 2009 - 12:50 AM

Ok. Let's see your case then :(


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#8 decemberist

decemberist
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:47 AM

Posted 12 November 2009 - 09:36 AM

I couldn't install Recovery Console (from the CD). It says the file C:\BOOT.INI can't be found. I am 100% sure that I have never deleted any such file but as I am not the only one using this computer I might not know about it :/

Attached Files



#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:47 AM

Posted 12 November 2009 - 11:56 AM

Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
dir /s/a c:\boot.ini >logit.txt
start logit.txt
del %0

Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.



#10 decemberist

decemberist
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:47 AM

Posted 12 November 2009 - 02:23 PM

OK done. It says:

Volume in drive C has no label.
Serial number: A88A-B22B

#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:47 AM

Posted 12 November 2009 - 03:03 PM

Ok. We have to create a boot.ini file.

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file "c:\boot.ini", change the Save as type to all files and save it.
[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home" /fastdetect


When done, open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
type c:\boot.ini >logit.txt 2>&1
start logit.txt
del %0


Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.

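The hand-written boot.ini above only works if the default= entry in [boot loader] exactly matches a key in [operating systems] and both ARC paths point at the real Windows partition; a typo there leaves the machine unbootable, so it is worth checking the file before depending on it for Recovery Console or ComboFix. The following script is an added example written for this thread, not a tool from the helper or from BleepingComputer: it parses boot.ini text with Python's configparser and reports inconsistencies. The sample contents are the ones posted above; the second sample with a mismatched partition number is constructed to show a failing check.

```python
"""Sanity-check a hand-written boot.ini for internal consistency (added example)."""
import configparser
import re

# Constructed sample: the boot.ini the helper above had the user create by hand.
SAMPLE_BOOT_INI = (
    "[boot loader]\n"
    "timeout=3\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\n"
    "[operating systems]\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home" /fastdetect\n'
)

# Constructed sample with a typo: default points at a partition no entry describes.
BAD_BOOT_INI = SAMPLE_BOOT_INI.replace(
    "default=multi(0)disk(0)rdisk(0)partition(1)",
    "default=multi(0)disk(0)rdisk(0)partition(2)",
)

# ARC path as NTLDR expects it: adapter(n)disk(n)rdisk(n)partition(n)\directory
ARC_PATH = re.compile(
    r'^(multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\)\\[^\s="]+$',
    re.IGNORECASE,
)


def parse_boot_ini(text):
    """Parse boot.ini text, keeping key case because the ARC paths are the keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # do not lowercase option names
    cp.read_string(text)
    return cp


def check_boot_ini(text):
    """Return a list of problems found; an empty list means the file is consistent."""
    problems = []
    try:
        cp = parse_boot_ini(text)
    except configparser.Error as exc:
        return [f"unparsable: {exc}"]

    for section in ("boot loader", "operating systems"):
        if not cp.has_section(section):
            problems.append(f"missing [{section}] section")
    if problems:
        return problems

    loader = cp["boot loader"]
    systems = cp["operating systems"]

    # timeout must be a whole number of seconds
    timeout = loader.get("timeout")
    if timeout is None or not timeout.isdigit():
        problems.append(f"timeout must be a non-negative integer, got {timeout!r}")

    # default must be a valid ARC path and must name one of the listed systems
    default = loader.get("default")
    if default is None:
        problems.append("no default= entry in [boot loader]")
    elif not ARC_PATH.match(default):
        problems.append(f"default is not a valid ARC path: {default!r}")
    elif default not in systems:
        problems.append(f"default {default!r} has no matching [operating systems] entry")

    # every listed system needs a valid ARC path and a quoted menu description
    if not systems:
        problems.append("[operating systems] lists no entries")
    for arc, desc in systems.items():
        if not ARC_PATH.match(arc):
            problems.append(f"bad ARC path in [operating systems]: {arc!r}")
        if not desc.startswith('"'):
            problems.append(f"entry {arc!r} lacks a quoted description")
    return problems


if __name__ == "__main__":
    for label, content in (("sample", SAMPLE_BOOT_INI), ("bad", BAD_BOOT_INI)):
        print(label, check_boot_ini(content) or "OK")
```

On the real machine you would read C:\boot.ini into `check_boot_ini`; the script deliberately does not touch the file itself, since the attrib +r +s +h step later in this thread is what restores its normal read-only, system and hidden attributes.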


#12 decemberist

decemberist
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:47 AM

Posted 12 November 2009 - 03:39 PM

I hope I did it right as I got the same message:

[boot loader]
timeout=3
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home" /fastdetect

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:47 AM

Posted 12 November 2009 - 03:43 PM

Looks good. Now, please run ComboFix making sure your internet connection is enabled. Let ComboFix install recovery console. Post back the resultant log when done.



#14 decemberist

decemberist
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:47 AM

Posted 12 November 2009 - 04:15 PM

The Console was installed without any problems :(

Attached Files



#15 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:10:47 AM

Posted 13 November 2009 - 02:25 AM

Good. Click Start -> Run, type cmd.exe and press Enter. Give the following commands (press Enter after each one):
attrib +r +s +h c:\boot.ini
exit


Then rerun DDS and post back its log.





