
Prob almost fixed (win sys defender


This topic is locked
10 replies to this topic

#1 JamesW70

JamesW70

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 04 November 2009 - 06:33 PM

Hi kind souls/uber geeks,

Got a windows system defender infection from atomaders 2 download, it has been removed with combo-fix. However, there are traces of the infection left, or this malware removal tool has its own little quirk. The only weird things I see revolve around Google. After combofix my Google.com went to Google.de (in Germany), the search is slow, and when I try to sign in to google, firefox tells me:


hxxps://www.google.com/accounts/Login?hl=en&continue=http://www.google.com/webhp%3Frls%3Dig

Secure Connection Failed

www.google.com uses an invalid security certificate.

The certificate is not trusted because it is self signed.
The certificate is only valid for google.com

(Error code: sec_error_untrusted_issuer)


Is this an easy fix? It seems easier (and 100% surefire) to spend the couple hours reinstalling the OS & programs than to try & tweak the registry. But I have a desire to go thru & do it the "right way" this time.

In need of help, James W



Edited by Orange Blossom, 04 November 2009 - 10:48 PM.
Deactivate link. ~ OB



#2 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 09 November 2009 - 03:44 PM

Hello and :( to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

*If you have since resolved the original problem you were having, we would appreciate you letting us know.

*If not please perform the following steps below so we can have a look at the current condition of your machine.

*If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.


Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

**If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.


You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.
In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

1. Click on the My Controls link at the top of the page to enter your control panel.

2. Scroll down to the Options category in the left hand side menu bar and click on the Email Settings link.

3. Put a checkmark in the checkbox labeled Enable 'Email Notification' by default?.

4. Set the If ticked, choose default type: menu option to Immediate Email Notification to have an email sent immediately when someone replies.

The topics you are tracking are shown Here.
Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

----------------------------*-------------------------------

We need to see some information about what is happening in your machine.

Please perform the following scan:


  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


Please copy and paste the logs.

Kind regards
Net_Surfer


#3 JamesW70

JamesW70
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 09 November 2009 - 04:51 PM

No prob, it's not that bad, & I can wait for any help offered :( James

#4 Net_Surfer

Net_Surfer

  • Banned
  • 2,154 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:21 AM

Posted 09 November 2009 - 05:27 PM

Hi James,

Please do the DDS scan and copy and paste the logs.

Thanks
Net_Surfer

#5 JamesW70

JamesW70
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:21 AM

Posted 09 November 2009 - 05:35 PM

1st is DDS.txt, 2nd is Attach.txt

DDS (Ver_09-10-26.01) - NTFSx86
Run by James Wang at 14:32:42.37 on Mon 11/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.385 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\jetsuite\jsdaemon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\gigabeat room 3.0\TosGbWatcher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\AOL\1239580821\ee\AOLSoftware.exe
C:\Program Files\Brownie\BrstsWnd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\TurboHddUsb\TurboHddUsb.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Rewire\IEPrivacyKeeper.exe
C:\jetsuite\JETSTAT.EXE
C:\Program Files\PIXELA\ImageMixer 3 SE\CameraMonitor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\jetsuite\JSFMAN.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AOL 9.0\shellmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James Wang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Google Update] "c:\documents and settings\james wang\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [AOL Fast Start] "c:\program files\aol 9.0\AOL.EXE" -b
uRun: [IE Privacy Keeper] "c:\program files\rewire\IEPrivacyKeeper.exe" -startup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [TosGbWatcher] "c:\program files\toshiba\gigabeat room 3.0\TosGbWatcher.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [HostManager] c:\program files\common files\aol\1239580821\ee\AOLSoftware.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TurboHddUsb] c:\program files\turbohddusb\TurboHddUsb.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dllcmd32.lnk - c:\jetsuite\DLLCMD32.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hplase~1.lnk - c:\jetsuite\JETSTAT.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se\CameraMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jamesw~1\applic~1\mozilla\firefox\profiles\4yb0tvfy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\james wang\application data\mozilla\firefox\profiles\4yb0tvfy.default\extensions\kodak-companion@mozilla.com\platform\winnt_x86-msvc\components\mozFotofox.dll
FF - plugin: c:\documents and settings\james wang\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Spssys;Toshiba SPS Service;c:\windows\system32\drivers\spssys.sys [2009-4-11 164256]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2009-10-18 7040]
R1 js1284;js1284;c:\windows\system32\drivers\JS1284.SYS [2009-4-1 76848]
R1 jsmux;jsmux;c:\windows\system32\drivers\JSMUX.SYS [2009-4-1 64336]
R1 jsscan;jsscan;c:\windows\system32\drivers\JSSCAN.SYS [2009-4-1 69088]
R2 jsfax;jsfax;c:\windows\system32\drivers\JSFAX.SYS [2009-4-1 64640]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-3-28 10384]
R2 WMDrive;WMDrive;c:\windows\system32\drivers\WMDrive.sys [2009-10-12 37376]
S2 0264611256149508mcinstcleanup;McAfee Application Installer Cleanup (0264611256149508);c:\windows\temp\026461~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\026461~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 jspclcap;jspclcap;c:\windows\system32\drivers\JSPCLCAP.SYS [2009-4-1 55200]
S3 DELTAII;Service for M-Audio Delta Driver (WDM);c:\windows\system32\drivers\deltaII.sys [2009-3-28 302728]
S3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [2009-10-18 17792]
S4 jsdbg;jsdbg;c:\windows\system32\drivers\JSDBG.SYS [2009-4-1 37168]

=============== Created Last 30 ================

2009-11-06 07:33:37 0 d-----w- c:\docume~1\jamesw~1\applic~1\Malwarebytes
2009-11-06 07:33:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-06 07:33:32 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-06 07:33:32 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-06 07:33:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-04 00:43:12 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-04 00:43:12 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-04 00:41:16 0 d-sha-r- C:\cmdcons
2009-11-04 00:39:21 98816 ----a-w- c:\windows\sed.exe
2009-11-04 00:39:21 77312 ----a-w- c:\windows\MBR.exe
2009-11-04 00:39:21 267264 ----a-w- c:\windows\PEV.exe
2009-11-04 00:39:21 161792 ----a-w- c:\windows\SWREG.exe
2009-11-03 22:25:47 11776 ----a-w- c:\windows\system32\drivers\afc.sys
2009-11-03 22:25:30 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-11-03 22:09:55 1705 ----a-w- C:\Windows System Defender.lnk
2009-11-03 22:09:41 0 d-sh--w- c:\docume~1\alluse~1\applic~1\WSDDSys
2009-11-03 22:09:16 0 d-sh--w- c:\documents and settings\all users\a681e7e
2009-11-03 09:16:17 0 d-----w- c:\windows\system32\wbem\Repository
2009-11-02 19:25:36 0 d-----w- c:\program files\Atomaders 2
2009-11-02 07:47:24 0 d-----w- C:\Emma Birth-9 Mos
2009-10-29 06:43:46 0 d-----w- c:\program files\KraiSoft Games
2009-10-19 00:56:15 0 d-----w- c:\docume~1\alluse~1\applic~1\FNET
2009-10-19 00:56:14 7040 ----a-w- c:\windows\system32\drivers\FNETURPX.SYS
2009-10-19 00:56:13 17792 ----a-w- c:\windows\system32\drivers\FNETTBOH.SYS
2009-10-19 00:56:11 0 d-----w- c:\program files\TurboHddUsb
2009-10-16 18:39:27 0 d-----r- c:\docume~1\jamesw~1\applic~1\Brother
2009-10-13 00:53:40 0 d-----w- c:\program files\Cakewalk
2009-10-13 00:53:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Cakewalk
2009-10-12 23:53:24 0 d-----w- c:\docume~1\jamesw~1\applic~1\WinMount
2009-10-12 23:52:46 0 d-----w- c:\program files\WinMount3
2009-10-12 23:52:45 37376 ----a-w- c:\windows\system32\drivers\WMDrive.sys

==================== Find3M ====================

2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-16 17:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08:21 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-12 22:57:01 103720 ----a-w- c:\documents and settings\james wang\GoToAssistDownloadHelper.exe
2009-03-31 00:03:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032320090330\index.dat
2009-03-31 00:03:00 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033020090331\index.dat

============= FINISH: 14:33:08.89 ===============



Attach.txt >>>>>>



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/28/2009 12:10:29 AM
System Uptime: 11/9/2009 1:35:16 PM (1 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | M61VME-S2
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket M2 | 2210/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 173.42 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Printer Port Logical Interface
Device ID: LPTENUM\MICROSOFTRAWPORT\4&54AC241&0&LPT1
Manufacturer: (Standard system devices)
Name: Printer Port Logical Interface
PNP Device ID: LPTENUM\MICROSOFTRAWPORT\4&54AC241&0&LPT1
Service:

==== System Restore Points ===================

RP1: 11/5/2009 10:33:25 PM - System Checkpoint
RP2: 11/7/2009 12:04:48 AM - System Checkpoint
RP3: 11/8/2009 3:19:52 PM - System Checkpoint

==== Installed Programs ======================

ACDSee 5.0 Standard Trial
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.2
AOL Uninstaller (Choose which Products to Remove)
ArcSoft TotalMedia Backup & Record
ATI Display Driver
Atomaders 2
BitTorrent
Brother HL-2170W
CDDRV_Installer
Delta
DNA
DVD Shrink 3.2
Full Tilt Poker
Google Chrome
GoToAssist Corporate
High Definition Audio Driver Package - KB888111
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
IE Privacy Keeper
ImageMixer 3 SE
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 17
JetSuite Pro for the HP LaserJet 3100
K-Lite Codec Pack 4.7.5 (Full)
KhalInstallWrapper
KraiSoft Games Launcher
Logitech SetPoint
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.15)
MSXML 6 Service Pack 2 (KB954459)
Nero Suite
NVIDIA Drivers
PokerStars
RealPlayer Basic
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sony Sound Forge 7.0
SuperBot
TOSHIBA gigabeat applications 3.0
Trillian
TurboHddUsb
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Viewpoint Media Player
WebFldrs XP
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinMount V3.2.0624
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

11/6/2009 12:48:18 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/6/2009 12:34:19 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec js1284 jsmux jsscan mfehidk MPFP MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/6/2009 12:34:19 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2009 12:34:19 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2009 12:34:19 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/6/2009 12:34:19 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/5/2009 9:49:32 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNASvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
11/5/2009 9:49:09 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/5/2009 9:49:07 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips js1284 jsmux jsscan mfehidk
11/5/2009 10:16:55 PM, error: SRService [104] - The System Restore initialization process failed.
11/5/2009 10:16:55 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
11/5/2009 10:08:47 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/3/2009 5:45:39 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {AB92D412-E57E-473B-B9A2-3BAE647D9C8C}
11/3/2009 5:44:48 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McMSCSvc with arguments "" in order to run the server: {398E2E68-BFDA-4834-B971-3CB8EC3C7219}
11/3/2009 5:42:51 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
11/3/2009 5:40:11 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
11/3/2009 3:47:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Services service to connect.
11/3/2009 3:47:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Real-time Scanner service to connect.
11/3/2009 3:47:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Proxy Service service to connect.
11/3/2009 3:47:13 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee Network Agent service to connect.
11/3/2009 3:47:13 PM, error: Service Control Manager [7000] - The McAfee Services service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/3/2009 3:47:13 PM, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/3/2009 3:47:13 PM, error: Service Control Manager [7000] - The McAfee Proxy Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/3/2009 3:47:13 PM, error: Service Control Manager [7000] - The McAfee Network Agent service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/3/2009 12:15:44 AM, error: Service Control Manager [7000] - The jspclcap service failed to start due to the following error: The system cannot find the device specified.
11/3/2009 12:15:37 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
11/3/2009 12:15:37 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
11/2/2009 9:04:55 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the sscSched service to connect.
11/2/2009 9:04:37 PM, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 000FEA66ED30 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
11/2/2009 1:40:37 AM, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================
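The "Created Last 30" and FIREFOX sections of a DDS log are where a helper looks first for traces of an infection. The script below is an added example, not part of this thread and not a DDS or BleepingComputer tool: it parses a few lines excerpted from the log above, flags entries by general triage heuristics (hidden+system directories, changed kernel driver files, a non-direct Firefox proxy type), and groups entries by creation time, because files dropped by one installer tend to land within seconds of each other. The heuristics and the 5-minute clustering gap are this example's own choices; a flag is a prompt for a human to review, not a verdict about this machine.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: lines excerpted from the DDS log posted above.
SAMPLE_LOG = r"""
================= FIREFOX ===================

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 2

=============== Created Last 30 ================

2009-11-06 07:33:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 00:43:12 96512 ------w- c:\windows\system32\drivers\atapi.sys
2009-11-04 00:41:16 0 d-sha-r- C:\cmdcons
2009-11-03 22:09:41 0 d-sh--w- c:\docume~1\alluse~1\applic~1\WSDDSys
2009-11-03 22:09:16 0 d-sh--w- c:\documents and settings\all users\a681e7e
2009-11-02 19:25:36 0 d-----w- c:\program files\Atomaders 2
"""

# DDS "Created" line: timestamp, size, 8-char attribute field, path.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")

# Firefox network.proxy.type values (0 is the only "no proxy" setting).
PROXY_TYPES = {0: "direct", 1: "manual proxy", 2: "PAC script URL",
               4: "auto-detect (WPAD)", 5: "system settings"}


@dataclass
class Entry:
    when: datetime
    size: int
    attrs: str
    path: str


def parse_dds(text):
    """Return (created entries, firefox prefs) found in a DDS log excerpt."""
    entries, prefs = [], {}
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append(Entry(when, int(m.group(2)), m.group(3), m.group(4)))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return entries, prefs


def flag_entry(e):
    """Heuristic reasons an entry deserves a closer look (may be empty)."""
    reasons = []
    # Directory carrying both the system and hidden attributes: common for
    # droppers, but also used by legitimate tools, so review, don't conclude.
    if e.attrs.startswith("d") and "s" in e.attrs and "h" in e.attrs:
        reasons.append("hidden+system directory")
    # A driver file created or replaced in the window: verify it against a
    # known-good copy (e.g. the hash of the vendor's original).
    p = e.path.lower()
    if "\\drivers\\" in p and p.endswith(".sys"):
        reasons.append("kernel driver file changed")
    return reasons


def cluster_by_time(entries, gap=timedelta(minutes=5)):
    """Group entries whose creation times are within `gap` of each other."""
    clusters = []
    for e in sorted(entries, key=lambda x: x.when):
        if clusters and e.when - clusters[-1][-1].when <= gap:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def triage(text):
    """Return (time, reason, what) findings for a DDS excerpt."""
    entries, prefs = parse_dds(text)
    findings = [(e.when, r, e.path) for e in entries for r in flag_entry(e)]
    ptype = prefs.get("network.proxy.type")
    if ptype is not None and int(ptype) != 0:
        label = PROXY_TYPES.get(int(ptype), "unknown")
        findings.append((None, f"firefox proxy type {ptype} ({label})", "prefs.js"))
    return findings


if __name__ == "__main__":
    for when, reason, what in triage(SAMPLE_LOG):
        print(f"{when or 'n/a':<20} {reason:<28} {what}")
    for group in cluster_by_time(parse_dds(SAMPLE_LOG)[0]):
        print(f"cluster starting {group[0].when}: {len(group)} item(s)")
```

Every hit still needs a person to decide: C:\cmdcons is the Recovery Console folder and matches the hidden+system rule, and the Malwarebytes driver matches the driver rule. What the clustering adds is context: the two hidden directories created 25 seconds apart on 2009-11-03 form one group, and a reviewer can ask what else happened in that window.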

#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:12:21 PM

Posted 09 November 2009 - 06:58 PM

Hi,

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please do not run Combofix on your own

Please check if you still have the file C:\combofix.txt and post the content here.

Please also run a scan with gmer and post back the result:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#7 JamesW70

Posted 10 November 2009 - 06:18 PM

OMG, you're not going to believe this - the prob is fixed. Last night (Nov 9), I received an automatic Windows XP security update. When I rebooted this morning, a system tray icon said malicious software had been removed. I've never seen anything like this. Bill Gates is really on top of his game. I've never bashed Windows but will feverishly defend it now. For $80, you get a complete integrated OS with constant updates; you can't beat that.

Edited by JamesW70, 10 November 2009 - 06:21 PM.


#8 myrti

Posted 10 November 2009 - 06:45 PM

Heya,

I might counter that I'm getting my complete and updated OS for free, but that might be interpreted as nitpicking. :(

Disregarding this, do you still want to check your PC for malware? I may have found an indication of a pretty nasty rootkit and would like to check on that, unless you are confident that your PC is clean.

Let me know what you want to do.

regards myrti



#9 JamesW70

Posted 10 November 2009 - 06:56 PM

Hi Myrti,

You can't beat free, that's for sure :(

I'm pretty confident the rootkit is gone because of the sys tray icon after the update, I can sign into iGoogle without Firefox warnings, and my Google search is fast and no longer says Google Deutschland.

The trojan didn't appear to be interested in passwords, only redirecting my Google search (and seldom doing so) to other search pages to make a buck or two.

I am quite interested in where it was though - if and only if you have free time - I spent some time and thought I deleted the entries, but it was a stealthy sucker.

regards, James

#10 myrti

Posted 10 November 2009 - 07:14 PM

Hi,

Please run Malwarebytes as mentioned above and add a log from GMER, following the GMER instructions in my earlier post.


With the symptoms you are describing (and their vanishing), it is pretty probable that it was removed though. The rootkit probably hid as atapi.sys on your disk. atapi.sys is normally a legit file, as it is your hard disk controller, but was replaced.

regards myrti


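The post above says the rootkit replaced atapi.sys, a legitimate Windows driver. As an added example (not code from the thread or from BleepingComputer), the PowerShell below does the check a responder would want here: it hashes the live driver, compares it with the protected copy Windows XP keeps in system32\dllcache, and reports the file's embedded Authenticode status. The paths are the XP defaults and are assumptions; the function and variable names are mine.

```powershell
# Added example, not from the thread: compare the running system's atapi.sys
# against the protected dllcache copy and check its embedded Authenticode
# signature. Paths are Windows XP defaults and are assumptions; adjust them
# for the system under examination.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
        $sha.Clear()
    }
}

function Test-DriverCopy {
    param([string]$Live, [string]$Cache)

    foreach ($p in @($Live, $Cache)) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Missing: $p"
            return
        }
    }

    $liveHash  = Get-Sha256Hex -Path $Live
    $cacheHash = Get-Sha256Hex -Path $Cache
    $liveInfo  = Get-Item -LiteralPath $Live
    $cacheInfo = Get-Item -LiteralPath $Cache

    "{0,-7} {1,10} bytes  {2}" -f 'live:',  $liveInfo.Length,  $liveHash
    "{0,-7} {1,10} bytes  {2}" -f 'cache:', $cacheInfo.Length, $cacheHash

    if ($liveHash -ne $cacheHash) {
        Write-Warning "atapi.sys differs from the dllcache copy; treat the live file as suspect."
    } else {
        "Live driver matches the dllcache copy."
    }

    # Embedded Authenticode check. Many XP-era Microsoft drivers are signed
    # only through a catalog (.cat) file and therefore report NotSigned here,
    # so NotSigned alone does not prove tampering. HashMismatch (a signature
    # is present but the file was modified) or a non-Microsoft signer does.
    $sig = Get-AuthenticodeSignature -FilePath $Live
    "signature status: {0}" -f $sig.Status
    if ($sig.SignerCertificate) {
        "signer: {0}" -f $sig.SignerCertificate.Subject
    }
}

$liveDriver  = Join-Path $env:SystemRoot 'system32\drivers\atapi.sys'
$cacheDriver = Join-Path $env:SystemRoot 'system32\dllcache\atapi.sys'
Test-DriverCopy -Live $liveDriver -Cache $cacheDriver
```

Run it from an elevated PowerShell prompt. Two caveats apply. First, a driver-infecting rootkit that hooks disk I/O (the TDL3/TDSS family that was infecting atapi.sys in late 2009 did exactly this) can hand back the clean file contents to anything that reads the file from the running system, so a match here is only meaningful when the volume is examined offline, for example mounted from clean boot media, or when both hashes are compared against a known-good copy from the installation media. Second, because most XP-era Microsoft drivers are catalog-signed rather than embedded-signed, NotSigned is the normal result for a clean file; the hash comparison, not the signature status, is the primary evidence.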

#11 myrti

Posted 16 November 2009 - 09:33 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
