Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Virus?


  • This topic is locked This topic is locked
17 replies to this topic

#1 michelle2009

michelle2009

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 23 October 2009 - 12:01 PM

Hello!

A few months ago, my computer was infected with a Trojan that I thought had been removed; but now I am receiving warnings from McAfee that .tmp files are trying to access my computer. [Such as 138.tmp, etc] I ran Malwarebyte's antivirus scan and a few more Trojan virus files were found. I'm not sure if this is still my previous infection or a new one, but I would like to find a solution to this problem if possible!

Thank you so much in advance! I appreciate the help!

Also, this is my first time posting, I hope everything is correct; let me know if there's anything else I can do!

Michelle


DDS (Ver_09-10-13.01) - NTFSx86
Run by Michelle at 12:51:07.32 on Fri 10/23/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1232 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\bcmntray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Real\RealPlayer\realplay.exe
svchost.exe
C:\Documents and Settings\Michelle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michelle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michelle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Michelle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Documents and Settings\Michelle\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Michelle\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\documents and settings\michelle\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\bcmntray
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Livestream Procaster] "c:\program files\livestream procaster\Procaster.exe" -autorun
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134974719859
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134974715546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michelle\applic~1\mozilla\firefox\profiles\6hymu2au.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\michelle\application data\mozilla\firefox\profiles\6hymu2au.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\documents and settings\michelle\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: XUL Cache: {9B421840-CDB8-4086-9168-F98F805A68CE} - c:\windows\system32\config\systemprofile\local settings\application data\{9b421840-cdb8-4086-9168-f98f805a68ce}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [2005-12-19 16640]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-20 54752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-4 210216]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 PAC7302;PC VGA Camer@ Plus;c:\windows\system32\drivers\PAC7302.SYS [2007-9-10 457984]

=============== Created Last 30 ================

2009-10-23 12:07 <DIR> --d----- c:\program files\Trend Micro
2009-10-23 08:52 27,136 a------- c:\windows\system32\cpcp.cpo
2009-10-18 14:10 26,112 a------- c:\windows\system32\stu2.exe
2009-10-06 22:55 <DIR> --d----- c:\program files\Livestream Procaster

==================== Find3M ====================

2009-10-21 07:43 49,152 a------- c:\windows\system32\userinit.exe
2009-09-16 10:22 214,664 a------- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 10:22 79,816 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 10:22 40,552 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 10:22 35,272 a------- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 10:22 34,248 a------- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 10:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 17:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-29 04:08 916,480 a------- c:\windows\system32\wininet.dll
2009-08-26 04:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 11:13 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 10:20 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-06-04 18:12 245,760 a--sh--- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-01-05 20:40 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
2008-08-06 22:48 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080620080807\index.dat
2009-01-05 20:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010520090106\index.dat

============= FINISH: 12:51:57.23 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 24 October 2009 - 11:22 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %systemdrive%\*.exe
    %systemroot%\system32\drivers\*.sys


  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============


The next log will show us any hidden files that are present.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 michelle2009

michelle2009
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 24 October 2009 - 11:57 AM

Hello Sam! Thank you so much for your help, I truly appreciate it! I apologize in advance if I am leaving out any information or not using the correct terms; I am not very technologically savvy!

I downloaded OTL.exe to my desktop, but received an error that it was not a valid Win32 application and I couldn't open the program. If there is any alternative to opening this program, or anything I should do, let me know!

I went ahead and did the RootRepeal scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/24 12:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7EC1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADEE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA4480000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\sqlite_wfhpvgju3yukxsx
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_kvi3r88ihmgtz5l
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_jijredcffmrx5wu
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_rviwqqbxytkksct
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_tohbhbuxjqpz6on
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\sqlite_umpwpolnovgdpm4
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\michelle\local settings\temp\etilqs_aemazrpgmxdsbwlonlfw
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\michelle\local settings\temp\etilqs_ecluxwf4ucfa9ksvu8qz
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: C:\Documents and Settings\Michelle\Application Data\.purple\icons\1c34fa0211ed881aa65ed4e36e2eabad0da5a2de.jpg
Status: Invisible to the Windows API!

==EOF==

I hope this helps!

Thank you so much for your time!

Michelle

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 25 October 2009 - 10:00 AM

Let's try this.

Right click on OTL.exe and select Rename.
Then rename it to smiley.com

Then double click on smiley.com to run it.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 michelle2009

michelle2009
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 25 October 2009 - 11:04 AM

Hello Sam!

Thank you so much for the correspondence! I'm so sorry about the trouble with OTL! Unfortunately, I am still getting an error when I try to open it, even after the rename!
Posted Image

So sorry! Thank you so much for your help, I really appreciate it!

Michelle

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 25 October 2009 - 11:12 AM

Ok, rename it again, but this time use quotation marks.

"smiley.com"

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 michelle2009

michelle2009
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 25 October 2009 - 11:16 AM

Thank you so much for the swift reply!

I don't think Windows is letting me add quotation marks in the file name! (So sorry to be troubling you with this!)

thanks again for your time!

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 25 October 2009 - 11:43 AM

Ok, let's try something else.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 michelle2009

michelle2009
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 25 October 2009 - 12:26 PM

Sam, thank you so much! The ComboFix ran smoothly:

ComboFix 09-10-24.06 - Michelle 10/25/2009 13:08.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -4:00]
Running from: c:\documents and settings\Michelle\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://mastoblastobrevodo.com
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 17:13 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-23 16:07 . 2009-10-23 16:07 -------- d-----w- c:\program files\Trend Micro
2009-10-18 18:10 . 2008-04-14 00:12 26112 ----a-w- c:\windows\system32\stu2.exe
2009-10-07 02:55 . 2009-10-07 03:59 -------- d-----w- c:\documents and settings\Michelle\Local Settings\Application Data\Procaster
2009-10-07 02:55 . 2009-10-07 03:07 -------- d-----w- c:\program files\Livestream Procaster

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-25 17:15 . 2007-07-05 09:27 -------- d-----w- c:\documents and settings\Michelle\Application Data\WTablet
2009-10-25 17:14 . 2006-09-03 09:04 12 ----a-w- c:\windows\bthservsdp.dat
2009-10-25 16:20 . 2007-09-05 00:44 -------- d-----w- c:\documents and settings\Michelle\Application Data\.purple
2009-10-23 06:36 . 2005-12-19 04:26 -------- d-----w- c:\program files\McAfee
2009-10-19 05:40 . 2007-09-05 00:46 -------- d-----w- c:\documents and settings\Michelle\Application Data\gtk-2.0
2009-10-19 05:24 . 2006-06-14 03:06 -------- d-----w- c:\documents and settings\Michelle\Application Data\OpenOffice.org2
2009-10-18 22:57 . 2009-07-09 03:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 01:53 . 2008-10-01 03:13 -------- d-----w- c:\documents and settings\Michelle\Application Data\BitTorrent
2009-10-07 04:29 . 2006-02-15 06:00 -------- d-----w- c:\documents and settings\Michelle\Application Data\dvdcss
2009-10-03 03:17 . 2008-08-07 01:24 -------- d-----w- c:\program files\Windows Live
2009-09-21 05:13 . 2005-12-19 03:57 54192 ----a-w- c:\documents and settings\Michelle\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-20 08:37 . 2006-04-13 02:56 -------- d-----w- c:\documents and settings\Michelle\Application Data\Skype
2009-09-17 05:15 . 2009-09-17 05:15 -------- d-----w- c:\program files\Cellosoft
2009-09-16 14:22 . 2006-07-31 06:05 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2006-07-31 06:05 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2006-07-31 06:05 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2006-07-31 06:05 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2006-07-31 06:05 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-13 06:30 . 2009-09-13 06:30 -------- d-----w- c:\program files\Sun
2009-09-13 06:30 . 2006-06-14 03:03 -------- d-----w- c:\program files\Java
2009-09-12 23:56 . 2009-03-21 01:00 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-11 14:18 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-07-09 03:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-07-09 03:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-04 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 02:48 . 2009-03-21 01:00 54752 ----a-w- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-04 12:00 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Google Update"="c:\documents and settings\Michelle\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-14 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\bcmntray" [X]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-13 198160]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Livestream Procaster"="c:\program files\Livestream Procaster\Procaster.exe" [2009-09-09 6313248]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-06-20 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\BitTorrent\\BitTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\system32\\Tablet.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"23401:TCP"= 23401:TCP:NIKOS

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;c:\windows\system32\drivers\nvcchflt.sys [12/19/2005 12:13 AM 16640]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/20/2009 09:00 PM 54752]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/4/2008 08:29 PM 210216]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 PAC7302;PC VGA Camer@ Plus;c:\windows\system32\drivers\PAC7302.SYS [9/10/2007 08:50 AM 457984]
.
Contents of the 'Scheduled Tasks' folder

2009-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-884357618-839522115-1003Core.job
- c:\documents and settings\Michelle\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 00:37]

2009-10-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-73586283-884357618-839522115-1003UA.job
- c:\documents and settings\Michelle\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-14 00:37]

2009-10-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-07-31 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
FF - ProfilePath - c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\6hymu2au.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Michelle\Application Data\Mozilla\Firefox\Profiles\6hymu2au.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\documents and settings\Michelle\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: XUL Cache: {9B421840-CDB8-4086-9168-F98F805A68CE} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{9B421840-CDB8-4086-9168-F98F805A68CE}\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 13:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2288)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\combofix\CF13470.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\windows\system32\bcmntray.exe
c:\windows\system32\rundll32.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\Tablet.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\progra~1\MICROS~2\rapimgr.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 13:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 17:19
ComboFix2.txt 2009-04-03 19:33

Pre-Run: 64,861,507,584 bytes free
Post-Run: 64,937,357,312 bytes free

- - End Of File - - 2AA7E671E5EBFA168EF616C4839BD361


Thank you so much for your time! I really appreciate the help!

[I attached the .txt but thought I'd copy and paste the log as well! I hope that is appropriate! Thank you!]

Michelle

Attached Files



#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 26 October 2009 - 02:44 AM

Copy and paste is much preferred over attaching. :(

Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\windows\system32\stu2.exe


  • Click on the Posted Image button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 michelle2009

michelle2009
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 26 October 2009 - 11:10 AM

Hello Sam! Thank you again!

Here is Jotti:

This file has been scanned before. The results for this previous scan are listed below.


Filename: userinit.exe
Status:
Scan finished. 0 out of 21 scanners reported malware.
Scan taken on: Sun 25 Oct 2009 11:05:17 (CET) Permalink



Additional info
File size: 26112 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: a93aee1928a9d7ce3e16d24ec7380f89
SHA1: 513f8bdf67a5a9e09803cfb61f590b39f2683853




Scanners

2009-10-24 Found nothing

2009-10-25 Found nothing

2009-10-25 Found nothing

2009-10-25 Found nothing

2009-10-24 Found nothing

2009-10-25 Found nothing

2009-10-25 Found nothing

2009-10-24 Found nothing

2009-10-23 Found nothing

2009-10-23 Found nothing

2009-10-25 Found nothing

2009-10-24 Found nothing

2009-10-25 Found nothing

2009-10-24 Found nothing

2009-10-25 Found nothing

2009-10-25 Found nothing

2009-10-25 Found nothing

2009-10-23 Found nothing

2009-10-24 Found nothing

2009-10-24 Found nothing

2009-10-25 Found nothing


And here is VirusTotal, just to be safe:

File has already been analysed:
MD5: a93aee1928a9d7ce3e16d24ec7380f89
First received: 2009.02.12 02:28:35 UTC
Date: 2009.10.23 23:25:48 UTC [>2D]
Results: 0/41
Permalink: analisis/944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f-1256340348


Thank you so much! I am really so grateful for your correspondence!

Michelle

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 26 October 2009 - 06:54 PM

Looking good! :(

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Let me know how your computer is behaving now.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 michelle2009

michelle2009
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 27 October 2009 - 07:27 AM

Hey Sam!

Thank you so much for your patience! Here's the ESET log:

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=ebf2355f56f006459b9dc7c3afc98070
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-27 05:50:58
# local_time=2009-10-27 01:50:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 21 100 88 27267105781250
# scanned=195625
# found=2
# cleaned=2
# scan_time=4663
C:\Qoobox\Quarantine\C\WINDOWS\system32\RuvDdcfe.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\RuvDdcfe.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

I haven't been receiving prompts from McAfee lately that .tmp files are trying to install.. And I can't detect any other suspicious behavior! I don't want to celebrate prematurely in case we're not out of the woods yet, but that is my machine's status so far!

Once again, thank you so much! I truly appreciate the help!

Michelle

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:30 AM

Posted 27 October 2009 - 07:47 AM

One last check and then we can celebrate. :(


Please update Malwarebytes and run a full scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform full scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 michelle2009

michelle2009
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:06:30 AM

Posted 28 October 2009 - 08:48 PM

Hello Sam!

It was a great thing that you suggested the search, because Malware did fine an infected file:

Malwarebytes' Anti-Malware 1.41
Database version: 3045
Windows 5.1.2600 Service Pack 3

10/28/2009 08:36:38 PM
mbam-log-2009-10-28 (20-36-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 280371
Time elapsed: 1 hour(s), 43 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\epson\epson10336\rescan.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Again, thank you so much for your continued patience and help! I am really grateful for your support!

Michelle




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users