Win XP SP3 hidden malware


13 replies to this topic

#1 Mvet


Posted 30 December 2009 - 04:39 PM

Hi,

I'm infected and am hoping for some help.
Unfortunately, I'm computer savvy enough to be dangerous and so have tried lots of things before finding this site and making a post.

I am running Windows XP Pro SP3
Firefox and Windows Explorer.
McAfee security suite (AT&T DSL customer)

I picked up a virus looking for free online movies. The virus started doing popups of the fake "You are infected! You have to buy our stuff now!" I recognized it as fake and was wondering why McAfee hadn't started throwing up flags. I tried to open the security center in between all the popups. There were two types of popups; they almost looked like official ones. I eventually accidentally hit an OK button instead of the close button and it started to download and install something. I ended up turning the computer off at that point (I think; it was days ago by now and I'm sure I panicked when I realized what I did).

The thing tried to install Malware Defense.
One of the file names was richtx64.exe
I have run an old copy of HJT and fixed a few things (There should still be log files but I'm not sure)
I have run msconfig and made some adjustments.. (not sure what)
I tried to use system restore but it was blocked, wouldn't do anything, said there were errors and to restart the computer.
At some point system restore lost all the good save data from the past, it currently finds no saved data and cannot make any saves.
I have deleted files.
I have moved files.
I have stopped services.
I have deleted things in the registry that I am pretty sure were not good.
I have run a few online virus scanners. They found and cleaned some files that started with H8SRT.....
I have installed MBAM but it wouldn't run without renaming the .exe file.
I have installed SuperAntiSpyware free. It ran once but won't anymore.
Parts of McAfee seem to be running in the background but not doing anything.
I have uninstalled McAfee and thought I cleaned all my problems up then reinstalled McAfee and was surprised when it didn't work right again.
At one point MBAM would start normally but now it won't again.

I have had enough.

I am a father of 4 young kids and have a demanding wife who doesn't like me on the computer as it is so it may take a bit for me to get back with responses.

I thank you for your help in advance. I just wish I found this site and made a post before I made a bunch of changes.

I now see a forum entry by Tasha5505 about richx64.exe & wscsvc.exe that looks like the exact problem I am having.

Mvet

Edited by Mvet, 30 December 2009 - 05:49 PM.




#2 Mvet


Posted 30 December 2009 - 08:45 PM

Well, I couldn't wait. I deleted all temp files from Internet Explorer and ran MBAM again. It found two more things that it fixed and required reboot. After the reboot everything was working again. McAfee says there are some missing components and that I should reinstall. I'll be reinstalling a few programs to make sure things are good.
Downloads are going slow, I may not be out of the woods yet....

Nope, things are not good. While trying to redo McAfee the thing set itself up again. Now the renamed version of MBAM won't even run.

Edited by Mvet, 30 December 2009 - 09:18 PM.


#3 boopme


Posted 30 December 2009 - 11:22 PM

Hello, post the infected MBAM log so we can see what it found.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

After installing, run RKill as soon as your browser starts to load, and then MBAM again.

Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


Too late now but you should not use HJT on your own and old HJT had a problem that was repaired.

Edited by boopme, 30 December 2009 - 11:24 PM.


#4 Mvet


Posted 31 December 2009 - 06:47 AM

Thanks for the assist boopme,

So far MBAM won't run anymore. Not even the renamed one. It comes up with an error code 730 (0,0) I'm thinking of attempting to reinstall it but will wait for guidance. I'll try to download Rkill.

Rkill ran successfully. MBAM not working, found the files and posted them. Noticed the renamed mbam.exe was a different size than the original.

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

12/29/2009 10:35:44 AM
mbam-log-2009-12-29 (10-35-44).txt

Scan type: Quick Scan
Objects scanned: 118549
Time elapsed: 7 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

************************************************

Malwarebytes' Anti-Malware 1.42
Database version: 3450
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/29/2009 11:11:34 AM
mbam-log-2009-12-29 (11-11-34).txt

Scan type: Full Scan (C:\|)
Objects scanned: 230890
Time elapsed: 20 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTyvvfwdtqlo.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTyvvfwdtqlo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

************************************************

Malwarebytes' Anti-Malware 1.42
Database version: 3450
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/30/2009 5:04:13 PM
mbam-log-2009-12-30 (17-04-13).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 414978
Time elapsed: 1 hour(s), 6 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

************************************************

Malwarebytes' Anti-Malware 1.42
Database version: 3450
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/30/2009 7:23:43 PM
mbam-log-2009-12-30 (19-23-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 2772
Time elapsed: 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



As far as the old HJT, it is all I had before finding this bleepingcomputer website. I wish I had known about this before. I really appreciate there being some good guys in the world of computers.

Edited by Mvet, 31 December 2009 - 07:22 AM.


#5 boopme


Posted 31 December 2009 - 03:37 PM

Cool! and it's appreciated. Yes dump and reinstall as they upgraded to 1.43 now. You may still need to rerun RKill.
Uninstall that HJT you have. If needed we will get you the new version.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.


I think we will need to do these next also..
Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.

#6 Mvet


Posted 31 December 2009 - 08:28 PM

Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.


I got to this point and may need some clarification. I do not have a registered copy or full version, just the free one. So I do not have the MBAM in the task tray but I did reboot and do a quick scan. I did get an error during installation but I believe it was because I told it to update then launch but I did not have an internet connection enabled at the time. The error was 732(12007,0)
Here is the scan results.

Malwarebytes' Anti-Malware 1.43
Database version: 3465
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/31/2009 7:08:14 PM
mbam-log-2009-12-31 (19-08-14).txt

Scan type: Quick Scan
Objects scanned: 123203
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\H8SRTnaqoifhdtb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\H8SRTkplrnbjhsc.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Papa\Local Settings\Temp\H8SRT6c01.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTyvvfwdtqlo.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTuwxusqotnx.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

*********************************************

Things were looking good before the scan. I was not expecting to see that many hits. McAfee security center is running again but it says it needs to be reinstalled. I was at this point before so I am now going to continue forward with the ATF.

Edited by Mvet, 31 December 2009 - 08:45 PM.
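The MBAM logs pasted in posts #4 and #6 above, read by a small triage script. This is an added example, not code from the thread or from Malwarebytes; LOG_TEXT is a constructed, abbreviated paste in the MBAM 1.4x layout whose detection lines are the ones posted above, and the flag names (hidden_namespace_path, rootkit_family, driver_service_key, action_pending, count_mismatch) are this example's own.

```python
# Added example (not code from BleepingComputer or Malwarebytes): parse the MBAM 1.4x
# text logs posted in this thread and flag what matters before calling a host clean.
import re
from collections import defaultdict

# Constructed, abbreviated paste of two reports in the MBAM layout; the detection
# lines are the ones the original poster pasted above.
LOG_TEXT = r"""Malwarebytes' Anti-Malware 1.42
12/29/2009 11:11:34 AM
Scan type: Full Scan (C:\|)
Memory Modules Infected: 1
Registry Keys Infected: 2
Files Infected: 2
Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTyvvfwdtqlo.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.
Files Infected:
\\?\globalroot\systemroot\system32\H8SRTyvvfwdtqlo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
************************************************
Malwarebytes' Anti-Malware 1.43
12/31/2009 7:08:14 PM
Scan type: Quick Scan
Registry Keys Infected: 1
Files Infected: 5
Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\H8SRTnaqoifhdtb.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\H8SRTkplrnbjhsc.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Papa\Local Settings\Temp\H8SRT6c01.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTyvvfwdtqlo.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTuwxusqotnx.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # summary line with a count
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")        # section header
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")


def parse_reports(text):
    """Split a paste of several MBAM reports on the '****' separator and parse each."""
    reports = []
    for chunk in re.split(r"^\*{10,}$", text, flags=re.M):
        if not chunk.strip():
            continue
        rep = {"date": None, "declared": {}, "items": []}
        section = None
        for line in chunk.splitlines():
            line = line.rstrip()
            if m := COUNT_RE.match(line):
                rep["declared"][m.group(1)] = int(m.group(2))
            elif m := SECTION_RE.match(line):
                section = m.group(1)
            elif DATE_RE.match(line):
                rep["date"] = line
            elif section and (m := ITEM_RE.match(line)):
                rep["items"].append({"section": section, **m.groupdict()})
        reports.append(rep)
    return reports


def triage(report):
    """Flag indicators a responder checks before calling the host clean."""
    flags = []
    for it in report["items"]:
        p, fam = it["path"], it["family"]
        if p.lower().startswith("\\\\?\\globalroot\\"):
            # Seen only via the NT object namespace, not a normal Win32 listing:
            # the classic signature of a module hidden by a rootkit.
            flags.append(("hidden_namespace_path", p))
        if fam.startswith("Rootkit.") or "TDSS" in fam:
            flags.append(("rootkit_family", p))
        if "\\CurrentControlSet\\Services\\" in p:   # a kernel driver was registered
            flags.append(("driver_service_key", p))
        if not it["action"].startswith("Quarantined and deleted"):
            flags.append(("action_pending", p + ": " + it["action"]))   # re-scan after reboot
    parsed = defaultdict(int)
    for it in report["items"]:
        parsed[it["section"]] += 1
    for section, n in report["declared"].items():   # mismatch means a truncated paste
        if n != parsed[section]:
            flags.append(("count_mismatch", f"{section}: declared {n}, parsed {parsed[section]}"))
    return flags


def recurring(reports):
    """File names removed in one scan that reappear in a later one: something still
    running (here the TDSS driver) is putting them back, so the host is not clean."""
    first_seen, hits = {}, {}
    for rep in reports:
        for it in rep["items"]:
            name = it["path"].rsplit("\\", 1)[-1].lower()
            if name in first_seen and first_seen[name] != rep["date"]:
                hits.setdefault(name, (first_seen[name], rep["date"]))
            first_seen.setdefault(name, rep["date"])
    return hits
```

Run on the two reports it flags the globalroot-only module, the TDSS driver service key and the "Delete on reboot" item still pending, and reports H8SRTyvvfwdtqlo.dll as removed on 12/29 and back on 12/31.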


#7 Mvet


Posted 01 January 2010 - 06:04 AM

ATF and SUPER processes complete.

**************************************************

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/01/2010 at 03:59 AM

Application Version : 4.32.1000

Core Rules Database Version : 4437
Trace Rules Database Version: 2263

Scan type : Complete Scan
Total Scan Time : 07:43:57

Memory items scanned : 233
Memory threats detected : 0
Registry items scanned : 5213
Registry threats detected : 0
File items scanned : 276809
File threats detected : 0

*************************************

Things are looking good so far. McAfee is still saying it needs to be reinstalled and the last time I tried that the thing came back so I'm going to wait with a "Now what?" stance.

Happy New Year!

#8 boopme


Posted 01 January 2010 - 09:01 PM

Happy New Year.
Do you use the paid version of McAfee?? Cuz maybe we should change it.

Well MBAM installed properly. Probably a glitch going from ver 1.42 to 1.43

#9 Mvet


Posted 01 January 2010 - 09:13 PM

I believe it would be considered a paid-for version because it is provided by my ISP. It's just that in order to update it I have to be online, and in the time it took to update it, the infection took hold again.

I don't understand where it hides so that even though the scans come up clean and things look like they are going to be ok it comes out and reinstalls files that were previously deleted.

Should I try to reinstall McAfee or should I uninstall it, use some sort of McAfee cleaning tool then reinstall it?

Edited by Mvet, 01 January 2010 - 09:14 PM.


#10 boopme


Posted 01 January 2010 - 10:28 PM

OK let's first do 2 checks before we change anything or not.

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents (starting with Running from... to Finished!) in your next reply.
Then go to Start > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.

-- Vista users can refer to these instructions to open a command prompt.

#11 Mvet


Posted 02 January 2010 - 08:44 AM

Thanks again boopme,

Here are the results;

*******************************************************

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/02 07:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xACA4D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA178000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\DellDriverDownloadManager.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\DellDriverDownloadManager.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\DellDriverDownloadManager.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Core.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Core.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\DellDriverDownloadManager.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Interop.IWshRuntimeLibrary.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Interop.IWshRuntimeLibrary.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\stdole.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\stdole.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Xceed.Compression.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Xceed.Compression.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Papa\Local Settings\Apps\2.0\9G4XPY4B.3VN\777H472O.6HT\manifests\Dell.eSupport.DownloadManager.Localization.resources.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPER\SASKUTIL.sys" at address 0xacbfa0b0

==EOF==
************************************************************************

Running from: J:\Win32kDiag.exe

Log file at : C:\Documents and Settings\Papa\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!

*************************************************************************

Volume in drive C is Main XP
Volume Serial Number is 180B-ADE6

Directory of C:\WINDOWS\$NtServicePackUninstall
08/12/2004 07:27 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$
08/12/2004 07:24 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$
08/12/2004 07:19 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386
04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32
04/13/2008 06:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32
04/13/2008 06:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32
04/13/2008 06:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 142,326,943,744 bytes free

#12 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 02 January 2010 - 05:27 PM

Hello, there are some extra and suspicious files in these logs. They need a deeper look for removal. Include these logs with the HJT log below.

You will need to run HJT/DDS.
Please follow this guide: go and do steps 6 through 8 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#13 Mvet

  • Topic Starter

  • Members
  • 14 posts

Posted 03 January 2010 - 08:43 AM

I made a new post as instructed.

http://www.bleepingcomputer.com/forums/ind...=283813&hl=

Everything seemed to go ok.

My computer seems to be running mostly ok. All of the programs are working again, including System Restore, although the old restore points are gone. There do seem to be some delays in switching windows (desktop/folder refreshes, for example).

#14 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 January 2010 - 03:02 PM

It'll be a day or so but you will be answered. I just want to be sure of those files.

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.



