Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Task Manager can't be opened


  • This topic is locked This topic is locked
10 replies to this topic

#1 bfradio

bfradio

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:22 PM

Posted 27 December 2009 - 05:29 PM

Hello,

I cannot start Task Manager in Windows XP Professional using alt+ctl+delete or from right-clicking as the Task Bar as it is grayed out.

I recently used a .exe for a something called UltrSurf in order to have an advertisement removed from a live video feed.

I don't know if that caused the problem, but that is the last thing I have done since I noticed the problem.

Here is my DDS log and please find attached files called Attach.txt and ark.txt.


Thanks you for your help.




DDS (Ver_09-12-01.01) - NTFSx86
Run by BFrankey at 22:18:17.14 on Sun 12/27/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1465 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\RegSrvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\BFrankey\Desktop\RootRepeal.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\BFrankey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://gateway.slb.com/dana-cached/setup/JuniperSetupSP1.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - c:\program files\questionmark\qs\QSBTask.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bfrankey\applic~1\mozilla\firefox\profiles\81w83buh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-20 214664]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-17 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-17 144704]
R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [2009-5-7 109312]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-17 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-17 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-17 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-17 40552]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2008-11-5 92550]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-17 34248]

=============== Created Last 30 ================

2009-12-27 21:24:40 0 d-----w- c:\program files\TrendMicro
2009-12-27 20:32:21 600 ----a-w- c:\documents and settings\bfrankey\PUTTY.RND

==================== Find3M ====================

2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll
2009-04-29 19:02:02 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-04-29 19:02:02 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-04-29 19:02:02 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:18:43.34 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:22 PM

Posted 05 January 2010 - 12:15 PM

Hi bfradio,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

If you have still the issue please copy and paste a fresh DDS.txt to your reply.

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:22 PM

Posted 07 January 2010 - 03:06 PM

This thread will now be closed.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:22 PM

Posted 16 January 2010 - 07:43 PM

Topic reopened per request.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

#5 bfradio

bfradio
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:22 PM

Posted 17 January 2010 - 11:48 AM

farbar,

Please have a look at my combofix log.

ComboFix 10-01-16.04 - BFrankey 01/17/2010 16:36:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1643 [GMT 0:00]
Running from: c:\documents and settings\BFrankey\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 16:26 . 2010-01-17 16:27 -------- d-----w- c:\windows\LastGood
2010-01-17 16:07 . 2009-09-30 12:11 288096 ----a-r- c:\documents and settings\BFrankey\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-01-17 16:05 . 2010-01-17 16:05 -------- d-----w- c:\documents and settings\BFrankey\Application Data\McAfee
2009-12-27 21:24 . 2009-12-27 21:24 388096 ----a-r- c:\documents and settings\BFrankey\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-27 21:24 . 2009-12-27 21:24 -------- d-----w- c:\program files\TrendMicro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 16:05 . 2009-01-17 17:00 -------- d-----w- c:\program files\McAfee
2010-01-17 16:05 . 2005-06-29 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-27 21:26 . 2009-11-26 22:18 79488 ----a-w- c:\documents and settings\BFrankey\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-14 21:34 . 2009-07-22 11:05 37021 ----a-w- c:\documents and settings\BFrankey\Application Data\Juniper Networks\setup\uninstall.exe
2009-10-21 06:00 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 10:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-27 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\system32\cmd.exe [2004-8-4 388608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 01:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 06:54 1218008 ------w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [5/7/2009 1:09 PM 109312]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [11/5/2008 10:58 AM 92550]
S2 0267381263745604mcinstcleanup;McAfee Application Installer Cleanup (0267381263745604);c:\docume~1\BFrankey\LOCALS~1\Temp\026738~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\BFrankey\LOCALS~1\Temp\026738~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\BFrankey\Application Data\Mozilla\Firefox\Profiles\81w83buh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 16:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-17 16:40:02
ComboFix-quarantined-files.txt 2010-01-17 16:39
ComboFix2.txt 2010-01-17 16:34

Pre-Run: 30,817,939,456 bytes free
Post-Run: 30,803,578,880 bytes free

- - End Of File - - AB0F9CBC2362B9294E6B508E639FA8DD

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:22 PM

Posted 17 January 2010 - 11:52 AM

This is the log the second run of ComboFix. I need to see the log of the first run.

Please go to start -> Run.
  • Copy and paste the bold line in the run-box and click OK: C:\Qoobox\ComboFix2.txt
  • A text file opens up, copy and paste the content to your reply.


#7 bfradio

bfradio
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:22 PM

Posted 17 January 2010 - 04:42 PM

Here is the log from the first run.

I ran ComboFix a second time because I wasn't sure if my security software was disabled or not. I did disable the security software at the beginning of the run, but I saw the message at the top of the log stating that it was active and I didn't realize that the second run would be different from the second.

Run 1 results:

ComboFix 10-01-16.04 - BFrankey 01/17/2010 16:29:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1633 [GMT 0:00]
Running from: c:\documents and settings\BFrankey\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-12-17 to 2010-01-17 )))))))))))))))))))))))))))))))
.

2010-01-17 16:07 . 2009-09-30 12:11 288096 ----a-r- c:\documents and settings\BFrankey\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-01-17 16:05 . 2010-01-17 16:05 -------- d-----w- c:\documents and settings\BFrankey\Application Data\McAfee
2009-12-27 21:24 . 2009-12-27 21:24 388096 ----a-r- c:\documents and settings\BFrankey\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-27 21:24 . 2009-12-27 21:24 -------- d-----w- c:\program files\TrendMicro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-17 16:05 . 2009-01-17 17:00 -------- d-----w- c:\program files\McAfee
2010-01-17 16:05 . 2005-06-29 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-27 21:26 . 2009-11-26 22:18 79488 ----a-w- c:\documents and settings\BFrankey\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-14 21:34 . 2009-07-22 11:05 37021 ----a-w- c:\documents and settings\BFrankey\Application Data\Juniper Networks\setup\uninstall.exe
2009-10-21 06:00 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 10:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2008-05-20 737280]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-27 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
$McRebootA5E6DEAA56$.lnk - c:\windows\system32\cmd.exe [2004-8-4 388608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 01:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]
2009-10-29 06:54 1218008 ------w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [5/7/2009 1:09 PM 109312]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [11/5/2008 10:58 AM 92550]
S2 0267381263745604mcinstcleanup;McAfee Application Installer Cleanup (0267381263745604);c:\docume~1\BFrankey\LOCALS~1\Temp\026738~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\BFrankey\LOCALS~1\Temp\026738~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\BFrankey\Application Data\Mozilla\Firefox\Profiles\81w83buh.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-17 16:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(3660)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-17 16:34:07
ComboFix-quarantined-files.txt 2010-01-17 16:34

Pre-Run: 30,720,749,568 bytes free
Post-Run: 30,803,042,304 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 97ADA5FFFDBBC2BBE3ACCDE3044C2B6A

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:22 PM

Posted 17 January 2010 - 05:35 PM

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
    • Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.
    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  • Please run DDS and post a fresh DDS.txt to your reply. No need for the Attach.txt. Also tell me if the issue is resolved.


#9 bfradio

bfradio
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:22 PM

Posted 17 January 2010 - 06:38 PM

Before I ran MBAM I found that my Task Manager was working again. I am not exactly sure how or why. I can confirm that I was still having the problem earlier when I first replied. Is it possible that running ComboFix the second time fixed it?

Anyways here is the MBAM log and the DDS.txt is attached.


Malwarebytes' Anti-Malware 1.44
Database version: 3585
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18241

1/17/2010 11:26:32 PM
mbam-log-2010-01-17 (23-26-32).txt

Scan type: Quick Scan
Objects scanned: 98853
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attached Files



#10 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:22 PM

Posted 18 January 2010 - 06:11 AM

Task Manager was disabled by the malware and ComboFix restored the settings.

I recommend you to update Java to the latest version (Java 6 update 17) and remove Java™ 6 Update 13. The old Java versions have vulnerabilities malware can exploit.

Go to start => Run, copy/paste the following in run box and press Enter:

combofix /uninstall

This will uninstall ComboFix, makes a clean restorepoint and flushes old restore points to prevent reinfection by using system Resotore.

Happy Computing!

#11 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:08:22 PM

Posted 22 January 2010 - 06:18 PM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users