
Search Engine Redirects, Popups, Safe Mode Disabled, Unknown virus


This topic is locked
30 replies to this topic

#1 terilr

Posted 10 February 2010 - 12:15 AM

I'm sorry but I do not know the name(s) of what I have. My virus started with strange, unrelated redirects when searching on Google. Then random popups even with popup blocker enabled. It's done something to make Spybot not work. I tried to start the computer in safe mode several times, and got nothing but a blue screen each time.

Downloaded and ran Malwarebytes and it found and removed 8 items - names included popcaploader and vundo. Search engine redirects and popups still continued though. Twice today I followed instructions from this site's preparation guide, all was fine until I tried to save the GMER file after a 2+ hour scan each time. At that point the computer locked up each time. I was unable to access task manager, or anything at all and could not even shut down without unplugging the computer.

DDS Log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Teri R at 21:58:52.45 on Tue 02/09/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2613 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Teri R\Application Data\mjusbsp\magicJack.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Teri R\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://127.0.0.1:4664/&s=7lo2-e6sobbuhRjpAbxEHLrqMYs
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080321
uSearch Bar =
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [cdloader] "c:\documents and settings\teri r\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [LocalURL] file:///newsflash\DataBaseProfessional.htm
mRun: [CountDown] 0 (0x0)
mRun: [Height] 190
mRun: [Width] 430
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\terir~1\startm~1\programs\startup\cyber-~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll c:\windows\system32\vohejido.dll c:\windows\system32\
LSA: Notification Packages = scecli c:\windows\system32\vohejido.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2008-3-27 4064]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-3-20 30192]

=============== Created Last 30 ================

2010-02-09 23:27:45 0 ----a-w- c:\documents and settings\teri r\defogger_reenable
2010-02-09 22:18:23 0 d-----w- c:\windows\system32\NtmsData
2010-02-09 22:03:47 0 d-----w- c:\program files\TrendMicro
2010-02-09 13:50:33 0 d-----w- c:\docume~1\terir~1\applic~1\Malwarebytes
2010-02-09 13:50:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 13:50:29 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 13:50:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-09 13:50:29 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-09 07:49:01 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-09 03:34:43 1048576 ----a-w- C:\EZPHOTO1.TMP

==================== Find3M ====================


============= FINISH: 21:59:24.68 ===============



*******

Continuing. I could not generate the ark.txt file due to my computer hanging. However before rebooting I was able to write down what I saw in the window. I don't know if this is any help at all.

AttachedD ... \driver\kbdclass \device \keyboardclass0 Value: atmhelpr.sys (windows nt font dri ...

Device \driver\atapi\device\lde\ldedeviceP0T0L0-3 Value: [B9F14AA6] atapi.sys[unknown sectio ...

Device \driver\atapi\device\lde\ldeport0 Value - same as above

Device \driver\atapi\device\lde\ldeport1 Value - same as above

Device \driver\atapi\device\lde\ldeport2 Value - same as above

Device \driver\atapi\device\lde\ldeport3 Value - same as above

Device \driver\atapi\device\lde\ldedeviceP1T0L0-e Value - same as above

Device \filesystem\CDFS\CDFS\ Value: DLA1FS_m.sys [drive letter access ...

File c:\windows\system32\drivers\atapi.sys Value: suspicious modification

I hope someone can help me. Thanks in advance.


Edited by terilr, 10 February 2010 - 12:34 AM.


#2 terilr (Topic Starter)

Posted 10 February 2010 - 12:38 AM

I forgot to mention that the logs above were re-generated new after having to reboot, and that before doing anything I made Spybot unresident.

#3 Buckeye_Sam (Malware Expert)

Posted 10 February 2010 - 09:01 AM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.


If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 terilr (Topic Starter)

Posted 10 February 2010 - 11:15 AM

I appreciate your help, Sam. My computer behavior seems quite slow. After downloading and double clicking on ComboFix, it took 6-7 minutes to open up.


ComboFix 10-02-09.04 - Teri R 02/10/2010 9:00.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2593 [GMT -7:00]
Running from: c:\documents and settings\Teri R\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-10 16:06 . 2009-12-24 16:58 6515976 ---ha-w- c:\documents and settings\Teri R\Application Data\mjusbsp\in00000\setup.exe
2010-02-10 16:06 . 2009-12-24 16:54 730032 ---ha-w- c:\documents and settings\Teri R\Application Data\mjusbsp\ar00000\install.exe
2010-02-09 22:18 . 2010-02-09 23:12 -------- d-----w- c:\windows\system32\NtmsData
2010-02-09 22:03 . 2010-02-09 22:03 388096 ------r- c:\documents and settings\Teri R\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-09 22:03 . 2010-02-09 22:03 -------- d-----w- c:\program files\TrendMicro
2010-02-09 13:50 . 2010-02-09 13:50 -------- d-----w- c:\documents and settings\Teri R\Application Data\Malwarebytes
2010-02-09 13:50 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 13:50 . 2010-02-09 13:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-09 13:50 . 2010-02-09 13:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-09 13:50 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 07:49 . 2010-02-09 07:49 -------- d-----w- c:\windows\system32\wbem\Repository

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 16:06 . 2009-05-04 22:50 -------- d-----w- c:\documents and settings\Teri R\Application Data\mjusbsp
2010-02-09 22:47 . 2008-03-28 07:52 -------- d-----w- c:\program files\ClicPic
2010-02-09 03:34 . 2010-02-09 03:34 1048576 ----a-w- C:\EZPHOTO1.TMP
2010-02-08 20:37 . 2008-03-28 06:56 -------- d-----w- c:\program files\Lx_cats
2010-02-08 10:46 . 2008-11-01 10:21 58 ---h--w- c:\windows\popcreg.dat
2010-02-08 10:46 . 2008-11-01 08:36 44 ----a-w- c:\windows\popcinfot.dat
2010-01-30 21:13 . 2008-03-21 06:47 -------- d-----w- c:\program files\Google
2009-12-24 16:59 . 2009-12-24 16:59 93016 ------w- c:\documents and settings\Teri R\Application Data\mjusbsp\ug00000\magicJack.dll
2009-12-24 16:58 . 2010-01-04 05:51 6515976 ---h--w- c:\documents and settings\Teri R\Application Data\mjusbsp\Upgrade\setup1.exe
2009-12-24 16:58 . 2009-12-24 16:58 6515976 ------w- c:\documents and settings\Teri R\Application Data\mjusbsp\ug00000\setup.exe
2009-12-24 16:58 . 2009-12-24 16:58 416328 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\magicJackLoader.exe
2009-12-24 16:58 . 2009-12-24 16:58 480608 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\octvqe1_apiw.dll
2009-12-24 16:58 . 2009-12-24 16:58 214360 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\TjVista.dll
2009-12-24 16:58 . 2009-12-24 16:58 337240 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\TjIpSys.dll
2009-12-24 16:58 . 2009-12-24 16:58 607600 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\SJHandsetMagicJack.dll
2009-12-24 16:58 . 2009-12-24 16:58 87384 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\st00000\mjsetup.exe
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\st00000\magicJack.dll
2009-12-24 16:57 . 2009-12-24 16:57 93016 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\magicJack.dll
2009-12-24 16:55 . 2009-12-24 16:55 12482904 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\magicJack.exe
2009-12-24 16:54 . 2010-01-04 05:51 730032 ---h--w- c:\documents and settings\Teri R\Application Data\mjusbsp\Upgrade\install1.exe
2009-12-24 16:54 . 2009-12-24 16:54 730032 ------w- c:\documents and settings\Teri R\Application Data\mjusbsp\ug00000\install.exe
2009-12-24 16:53 . 2009-12-24 16:53 87384 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\in00000\mjsetup.exe
2009-12-24 16:53 . 2009-12-24 16:53 93016 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\in00000\magicJack.dll
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\st00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\in00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 441704 ------w- c:\documents and settings\Teri R\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2009-12-24 16:52 . 2009-12-24 16:52 50520 ----a-w- c:\documents and settings\Teri R\Application Data\mjusbsp\cdloader2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-21 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"cdloader"="c:\documents and settings\Teri R\Application Data\mjusbsp\cdloader2.exe" [2009-12-24 50520]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LocalURL"="file:" [X]
"CountDown"="0 (0x0)" [X]
"Height"="190" [X]
"Width"="430" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-23 8429568]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-13 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\Teri R\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2009-1-3 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfpswx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ClicPic\\ClicPic.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Documents and Settings\\Teri R\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [3/27/2008 9:48 PM 4064]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/20/2008 11:47 PM 30192]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://127.0.0.1:4664/&s=7lo2-e6sobbuhRjpAbxEHLrqMYs
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 09:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
CountDown = 63

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A4CF8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecfc3
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f14aa6
\Driver\iaStor -> iaStor.sys @ 0xb9e7e918
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x80581684
NDIS: Intel® 82562V-2 10/100 Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d40ba0
PacketIndicateHandler -> NDIS.sys @ 0xb9d4db21
SendHandler -> NDIS.sys @ 0xb9d2b87b
user & kernel MBR OK

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\documents and settings\Teri R\Application Data\mjusbsp\st00000\mjsetup.exe
c:\documents and settings\Teri R\Application Data\mjusbsp\magicJack.exe
.
**************************************************************************
.
Completion time: 2010-02-10 09:10:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-10 16:10

Pre-Run: 467,726,327,808 bytes free
Post-Run: 467,815,071,744 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 934BBAA6C4103AE6DCDFA649639D749E
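As an added triage example (editor's code, not part of this thread and not DDS, ComboFix or GMER logic), the script below scans the kind of log lines posted above for the indicators the helper acts on: a DLL injected through AppInit_DLLs or LSA Notification Packages, a hosts-file entry pointing a security site at loopback, and a disk-stack driver reported as UNKNOWN or suspiciously modified. The sample lines are copied from the logs in this thread; the allow-lists and the `triage`/`correlate` helpers are assumptions for illustration.

```python
"""Triage helper for DDS / GMER-style log lines pasted in malware-removal threads.

Constructed example: SAMPLE_LOG is copied from the logs in this thread
(vohejido.dll in AppInit_DLLs and LSA Notification Packages, a hosts entry
for a security site, atapi.sys reported UNKNOWN / suspiciously modified).
The heuristics and allow-lists below are the editor's, not DDS or GMER logic.
"""
import os.path
import re

SAMPLE_LOG = r"""
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll c:\windows\system32\vohejido.dll c:\windows\system32\
LSA: Notification Packages = scecli c:\windows\system32\vohejido.dll
Hosts: 127.0.0.1 www.spywareinfo.com
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8A4CF8C8]<<
File c:\windows\system32\drivers\atapi.sys Value: suspicious modification
"""

# Assumed allow-lists: names that legitimately appear in these locations on an XP box.
KNOWN_LSA_PACKAGES = {"scecli", "rassfm", "kdcsvc"}
KNOWN_APPINIT_PREFIXES = ("c:\\progra~1\\google\\", "c:\\program files\\google\\")
# Hosts-file targets that should never resolve to loopback (security vendor / help sites).
SECURITY_SITE_HINTS = ("spyware", "malware", "antivirus", "bleepingcomputer")


def _appinit(line):
    """Flag every AppInit_DLLs entry that is a DLL outside the allow-list."""
    out = []
    for path in line.split(":", 1)[1].split():
        p = path.lower()
        if p.endswith("\\"):  # bare directory token, not a loadable DLL
            continue
        if not p.startswith(KNOWN_APPINIT_PREFIXES):
            out.append(("appinit_dll", path))
    return out


def _lsa(line):
    """Flag LSA Notification Packages that are not known Windows components."""
    return [("lsa_notification_package", t)
            for t in line.split("=", 1)[1].split()
            if t.lower() not in KNOWN_LSA_PACKAGES]


def _hosts(line):
    """Flag a hosts entry that sends a security-related site to loopback."""
    parts = line.split(":", 1)[1].split()
    if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0", "::1"):
        host = parts[1].lower()
        if any(h in host for h in SECURITY_SITE_HINTS):
            return [("hosts_redirect", host)]
    return []


def _mbr(line):
    """Pick out the module GMER's MBR detector marks as >>UNKNOWN [addr]<<."""
    m = re.search(r"(\S+)\s+>>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<", line)
    return [("disk_stack_unknown_module", f"{m.group(1)} at {m.group(2)}")] if m else []


def _file(line):
    """Flag a 'File <path> Value: suspicious ...' verdict on a driver."""
    m = re.match(r"File\s+(\S+)\s+Value:\s+(.*)", line)
    if m and "suspicious" in m.group(2).lower():
        return [("driver_modified", m.group(1))]
    return []


HANDLERS = [
    (lambda l: l.startswith("AppInit_DLLs:"), _appinit),
    (lambda l: l.startswith("LSA:"), _lsa),
    (lambda l: l.startswith("Hosts:"), _hosts),
    (lambda l: ">>UNKNOWN" in l, _mbr),
    (lambda l: l.startswith("File "), _file),
]


def triage(log_text):
    """Return (category, detail) findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for matches, handler in HANDLERS:
            if matches(line):
                findings.extend(handler(line))
    return findings


def correlate(findings):
    """Group findings by file/host name so one artifact seen in several places stands out."""
    by_name = {}
    for category, detail in findings:
        name = os.path.basename(detail.split(" at ")[0].replace("\\", "/")).lower()
        by_name.setdefault(name, []).append(category)
    return by_name


if __name__ == "__main__":
    for name, cats in correlate(triage(SAMPLE_LOG)).items():
        print(f"{name}: {', '.join(cats)}")
```

The same DLL turning up in two persistence points and the same driver in two independent disk-stack checks is exactly the pattern that moves a helper from ComboFix to a dedicated MBR/driver rootkit tool.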


#5 Buckeye_Sam (Malware Expert)

Posted 11 February 2010 - 07:55 AM


We need to run this special tool.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • If prompted to reboot, please do so.
  • When it is done, a log file should be created on your desktop called "TDSSKiller.txt" please copy and paste the contents of that file here.


Let me know how your computer is behaving after this step.



#6 terilr (Topic Starter)

Posted 11 February 2010 - 02:16 PM

My computer is dead! I am posting on a laptop. There was a message on the screen saying a problem has been detected and Windows has been shut down to prevent damage to your computer.

I tried to restart normally, then with last known good configuration and got the same message. Then I tried to restart in safe mode. A bunch of lines with the word driver in it scrolled by, then the screen went blue.

This is the message at the end of the problem detected notice:

***stop: 0X0000007E (0XC000001D, OX80536DDC, OXBA4C33B8, OXBA4C30B4

Obviously I cannot download anything or use the computer at all. Can anything be done?

#7 Buckeye_Sam (Malware Expert)

Posted 11 February 2010 - 03:57 PM

Ok, let's see what we can do to get you back up and running without losing anything.

Do you have your Windows XP setup disc? Or if you don't have it, can you borrow one from someone?

Another option would be to create a Recovery disc by following the directions here.
http://www.bleepingcomputer.com/forums/t/276527/how-to-create-a-bootable-xp-recovery-console-cd/

Once you have one of those let me know and we'll try a few things.
I should be online off and on here for the next several hours.

#8 terilr (Topic Starter)

Posted 11 February 2010 - 04:11 PM

I have a disc titled Operating System, reinstallation CD Windows XP Professional Service Pack 2. Is that it?

#9 Buckeye_Sam (Malware Expert)

Posted 11 February 2010 - 04:48 PM

That should work. We need to access the recovery console.
  • Insert the Windows XP CD into your CD drive and restart your computer. If you are prompted, select any options required to start (boot) from the CD.
  • When the text-based part of Setup begins, follow the prompts. Select the repair or recover option by pressing R.
  • If you have a dual-boot or multiboot system, select the installation that you want to access from the Recovery Console.
  • When you are prompted, type the Administrator password. Or just hit enter if there isn't a password.
That should bring you to C:\Windows prompt. Type following command:

FIXMBR

You may get a prompt that says:

This computer appears to have a non-standard or invalid master boot record. FIXMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible. If you are not having problems accessing your drive, do not continue. Are you sure you want to write a new MBR?

Answer Y

After that, type exit to reboot back into normal mode.


Let me know how it goes.

Edited by Buckeye_Sam, 11 February 2010 - 04:48 PM.


#10 terilr (Topic Starter)

Posted 11 February 2010 - 05:03 PM

My screen says:

: C:\windows

Which Windows installation would you like to log onto (To cancel, press ENTER)?

I tried entering fixmbr here, would only take the F. Pressing enter exited me back to where I had to start over. What should I enter?

#11 Buckeye_Sam (Malware Expert)

Posted 11 February 2010 - 05:13 PM

Quoting: "Which Windows installation would you like to log onto (To cancel, press ENTER)?"

Are you given any options?
You want to access your current Windows installation.

Edited by Buckeye_Sam, 11 February 2010 - 05:13 PM.


#12 terilr (Topic Starter)

Posted 11 February 2010 - 05:18 PM

No options at all, there is no console or anything, just white print on a black screen. But printed above what I typed in my last post is

Microsoft Windows XP Recovery Console.

The Recovery Console provides system repair and recovery functionality. Type EXIT to quit the Recovery Console and restart the computer.

#13 terilr (Topic Starter)

Posted 11 February 2010 - 05:20 PM

It appears I am supposed to enter one character as my response as it won't let me type in more than that.

#14 Buckeye_Sam (Malware Expert)

Posted 11 February 2010 - 05:27 PM

Type in 1 and enter

#15 terilr (Topic Starter)

Posted 11 February 2010 - 05:31 PM

Done.

Now I am back to the blue screen saying a problem has been detected and windows has been shut down.

Edited by terilr, 11 February 2010 - 05:32 PM.
