
Gala Search Virus and Possibly More


7 replies to this topic

#1 bigkick11

  • Members
  • 8 posts
  • Gender:Male
  • Location:PA, USA

Posted 25 March 2010 - 08:44 PM

Boopme requested that I post DDS logs and GMER log from forum topic 304282 here. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/304282/gala-search-virus-and-possibly-more/ ~ OB Problem started as a long term battle with Gala search hijacking google in IE and spreading to Google Chrome. Malware will not allow Mbam to run or programs to be downloaded. Starting in Safe Mode results in BSOD with error noted in previous forum. New problem has emerged from running SAS Portable Scanner in Normal Mode and deleting infected files. Constant "bad image" errors occur while running programs, though programs are allowed to run. Exact text of errors also posted in previous forum.

Below is DDS log. Also, attached is Attach.txt and ark.txt. Gmer run was extremely slow and computer may (or may not) have restarted in the middle of it. I re-opened after restart and saved current log. I'm re-running and it's moving faster. I'll repost the new log as soon as that's available, in case this one is messed up.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 18:29:03.55 on Thu 03/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.577 [GMT -4:00]

AV: Security Guard *On-access scanning enabled* (Updated) {FD0621DA-BFA4-426A-92FD-3292F73FDFD5}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: Security Guard *enabled* {F37828A0-1275-40B0-A036-48B5E71B3702}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wscript.exe
C:\Documents and Settings\Me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {9b635229-8069-4127-ae26-b7190f4be74a} - jisopisi.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.9.0\ViewBarBHO.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\common files\viewpoint\toolbar runtime\3.9.0\IEViewBar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
dRun: [Security Guard] "c:\documents and settings\all users\application data\d0d97\SGdd1.exe" /s /d
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\photo loader\Plauto.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: cnet.com\download
Trusted Zone: download.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} - hxxp://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {093248F0-CF74-4226-828C-75EDDDB63D5E} = 217.23.14.75,4.2.2.1,192.168.1.1 192.168.1.1
TCP: {736EA5EE-910E-4A22-B01D-532BD31882EF} = 217.23.14.75,4.2.2.1,192.168.1.1 192.168.1.1
Filter: text/html - {6a4c9c71-5c55-4060-b4ec-c3121257e157} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\gakilime.dll,bujasojo.dll,yidehuyu.dll
SSODL: lanagugaf - {3471f595-eee8-47f2-a2a5-278e709336f8} - c:\windows\system32\mosirope.dll
SSODL: pariyovun - {212c4a0c-458d-4674-a133-85992fc23051} - c:\windows\system32\gakilime.dll
STS: tokatiluy: {3471f595-eee8-47f2-a2a5-278e709336f8} - c:\windows\system32\mosirope.dll
STS: tokatiluy: {212c4a0c-458d-4674-a133-85992fc23051} - c:\windows\system32\gakilime.dll
LSA: Notification Packages = scecli vahuyayu.dll ludoyuja.dll
IFEO: image file execution options - svchost.exe
IFEO: a.exe - svchost.exe
IFEO: aAvgApi.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
IFEO: About.exe - svchost.exe

Note: multiple IFEO entries found. Please refer to Attach.txt
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 74.125.45.100 www.securesoftwarebill.com
Hosts: 74.125.45.100 secure-plus-payments.com
Hosts: 74.125.45.100 www.getantivirusplusnow.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R1 SASDIFSV;SASDIFSV;c:\docume~1\me\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\docume~1\me\locals~1\temp\sas_selfextract\SASKUTIL.sys [2010-3-23 74480]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-3-4 24652]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-18 210216]
S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-7-18 359952]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-7-18 144704]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-7-18 606736]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-18 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-18 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-18 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-18 40552]
S3 SASENUM;SASENUM;\??\c:\docume~1\me\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\me\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-13 822424]

=============== Created Last 30 ================

2010-03-25 22:23:46 0 ----a-w- c:\documents and settings\me\defogger_reenable
2010-03-24 01:23:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-03-24 01:23:40 0 d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 01:23:40 0 d-----w- c:\docume~1\me\applic~1\SUPERAntiSpyware.com
2010-03-24 01:22:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 01:22:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 01:22:02 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 00:55:29 0 d-----w- C:\AutoRuns
2010-03-23 22:37:57 0 d-----w- C:\Malwarebytes' Anti-Malware
2010-03-22 23:19:42 0 d-----w- c:\docume~1\me\applic~1\MSNInstaller
2010-03-22 11:20:09 83456 ----a-w- c:\windows\system32\kisafigu.exe
2010-03-19 21:37:06 8212 ----a-w- c:\windows\mfebcdata
2010-03-19 20:11:47 79 ----a-w- C:\cid.exe
2010-03-19 19:07:31 25 ----a-w- C:\PE.sys
2010-03-19 19:07:26 1656 ----a-w- C:\Security Guard.lnk
2010-03-19 19:07:24 0 d-----w- c:\docume~1\alluse~1\applic~1\d0d97
2010-03-19 19:07:00 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SGLEDWD
2010-03-19 19:06:02 0 d-sh--w- c:\documents and settings\all users\cfa4b1e
2010-03-10 22:45:50 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-01-23 16:09:30 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-08-06 23:05:44 133104 ----atw- c:\program files\Coupons
2008-02-09 04:08:12 88 --sh--w- c:\windows\system32\6A9271FF9D.sys
1601-01-01 00:03:28 173568 --sha-w- c:\windows\system32\poroyoju.exe
1601-01-01 00:03:28 36864 --sha-w- c:\windows\system32\yugutoyi.exe
2008-08-02 16:56:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080220080803\index.dat

============= FINISH: 18:40:32.29 ===============

Edited by Orange Blossom, 25 March 2010 - 10:29 PM.
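The DDS log above carries a cluster of classic "block the fix" persistence entries: IFEO debugger keys that point every security tool at svchost.exe, AppInit_DLLs / SSODL / STS / LSA entries loading random eight-letter DLLs from system32, a BHO with no path at all, and HOSTS lines aiming Safe Browsing and Microsoft lookup hosts at one remote IP. The script below is an added example, not a BleepingComputer or DDS tool and not something posted in this thread: it reads lines in the DDS "Pseudo HJT Report" format and reports those patterns. The sample lines are copied from the log above; the name-length heuristic, the list of expected LSA packages and the treatment of non-loopback HOSTS entries are assumptions.

```python
"""Added triage script (not part of this thread, not a BleepingComputer/DDS tool).

It scans lines in the DDS 'Pseudo HJT Report' format for the persistence tricks
visible in the log above. The sample lines are copied from that log; the rule
thresholds and which LSA packages count as legitimate are assumptions.
"""
import re
from dataclasses import dataclass

# Eight lowercase letters plus dll/exe: the naming pattern of the dropped modules above.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe)$")
# Only scecli is expected in LSA Notification Packages on a stock XP box (assumption).
LEGIT_LSA_PACKAGES = {"scecli"}


@dataclass
class Finding:
    rule: str   # what the line means
    line: str   # the offending DDS line


def _split(line):
    """Return (key, value) for a 'Key: value' DDS line, else None."""
    key, sep, value = line.partition(":")
    return (key.strip(), value.strip()) if sep else None


def check_ifeo(value):
    # "a.exe - svchost.exe": Windows starts the 'debugger' (svchost.exe) instead of a.exe,
    # which is how the removal tools were being blocked.
    target, _, debugger = value.partition(" - ")
    if debugger:
        return f"IFEO debugger hijack: launching {target} runs {debugger} instead"


def check_appinit(value):
    # Any AppInit_DLLs value is suspect: each DLL is loaded into every process using user32.
    dlls = [d.strip() for d in value.split(",") if d.strip()]
    if dlls:
        return "AppInit_DLLs injected into every GUI process: " + ", ".join(dlls)


def check_lsa(value):
    # "Notification Packages = scecli vahuyayu.dll ludoyuja.dll": extras load inside lsass.
    _, _, packages = value.partition("=")
    extra = [p for p in packages.split() if p.lower() not in LEGIT_LSA_PACKAGES]
    if extra:
        return "LSA notification package(s) loaded into lsass at boot: " + ", ".join(extra)


def check_random_module(value):
    # Flag random-named modules that sit in system32 or carry no path at all
    # (a bare name means a search-order load). Vendor DLLs elsewhere are ignored.
    path = value.rsplit(" - ", 1)[-1].strip()
    folder, _, name = path.rpartition("\\")
    if RANDOM_NAME.match(name) and (not folder or folder.lower().endswith("\\system32")):
        return f"random-named module loaded at logon: {name} [{folder or 'no path'}]"


def check_hosts(value):
    # Any HOSTS mapping to a non-loopback address is a redirect; several security or
    # update hosts pointed at one remote IP is the classic 'block the fix' pattern.
    ip, _, host = value.partition(" ")
    if ip != "::1" and not ip.startswith("127."):
        return f"HOSTS redirects {host} to {ip}"


RULES = {
    "IFEO": check_ifeo,
    "AppInit_DLLs": check_appinit,
    "LSA": check_lsa,
    "SSODL": check_random_module,
    "STS": check_random_module,
    "BHO": check_random_module,
    "Hosts": check_hosts,
}


def triage(text):
    """Run every rule over DDS-format text and return the findings in log order."""
    findings = []
    for raw in text.splitlines():
        parsed = _split(raw)
        if not parsed:
            continue
        key, value = parsed
        rule = RULES.get(key)
        message = rule(value) if rule else None
        if message:
            findings.append(Finding(message, raw.strip()))
    return findings


# Sample input: lines copied from the DDS log in the post above (one clean vendor BHO and
# the localhost entry are included to show they are not flagged).
SAMPLE = r"""
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {9b635229-8069-4127-ae26-b7190f4be74a} - jisopisi.dll
AppInit_DLLs: c:\windows\system32\gakilime.dll,bujasojo.dll,yidehuyu.dll
SSODL: lanagugaf - {3471f595-eee8-47f2-a2a5-278e709336f8} - c:\windows\system32\mosirope.dll
LSA: Notification Packages = scecli vahuyayu.dll ludoyuja.dll
IFEO: a.exe - svchost.exe
IFEO: AAWTray.exe - svchost.exe
Hosts: 74.125.45.100 safebrowsing-cache.google.com
Hosts: 74.125.45.100 urs.microsoft.com
Hosts: 127.0.0.1 localhost
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.rule}\n    <- {f.line}")
```

Run it against a full DDS.txt by reading the file into `triage()`; the IFEO hits explain why Mbam and the other scanners would not start, and the HOSTS hits explain why definition updates and browser reputation lookups silently fail. The random-name rule is deliberately narrow (system32 or no path) so legitimate vendor DLLs that happen to have eight-letter names are left alone.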


#2 jpshortstuff

    WhatTheTech Teacher

  • Members
  • 660 posts
  • Gender:Male
  • Location:UK

Posted 28 March 2010 - 01:19 PM

Hi,

Please download ComboFix to your desktop from one of these locations. You must rename it before saving it. Save it to your desktop.
Link 1
Link 2
Link 3

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on Combo-Fix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please advise.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Trained at the What The Tech Classroom where you too could learn to help others.


#3 bigkick11
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:PA, USA

Posted 28 March 2010 - 07:06 PM

jpshortstuff, thanks for the help.

I couldn't disable her McAfee Security Center because it wouldn't open. It wasn't even showing up on the toolbar, but ComboFix identified it as being on. The only way I could figure to shut it off was to uninstall it. In retrospect, that may not have been the smartest move, but ComboFix ran fine. We can re-install it later I guess, but for a paid program, it sure wasn't doing us much good. Below is the ComboFix log.

ComboFix 10-03-28.01 - Me 03/28/2010 19:35:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.681 [GMT -4:00]
Running from: c:\documents and settings\Me\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Application Data\Microsoft\dtPaper
c:\documents and settings\LocalService\Application Data\Microsoft\dtPaper\1.html
c:\documents and settings\LocalService\Application Data\Microsoft\dtPaper\cfg.msg
c:\documents and settings\LocalService\Application Data\Microsoft\dtPaper\tmp.bmp
c:\documents and settings\LocalService\Application Data\Security Guard
c:\documents and settings\LocalService\Application Data\Security Guard\Instructions.ini
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\28703.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\ludoyuja.dll
c:\windows\system32\yugutoyi.exe
c:\windows\Tasks\myqqwqcw.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.118
hxxp://82.98.235.29
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :P
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-24 20:09 . 2010-03-24 20:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-24 01:23 . 2010-03-24 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-03-24 01:23 . 2010-03-24 02:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-24 01:23 . 2010-03-24 01:49 -------- d-----w- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com
2010-03-24 01:22 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-24 01:22 . 2010-03-24 01:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-24 01:22 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-24 00:55 . 2010-03-24 00:55 -------- d-----w- C:\AutoRuns
2010-03-23 22:37 . 2010-03-23 22:43 -------- d-----w- C:\Malwarebytes' Anti-Malware
2010-03-22 23:19 . 2010-03-22 23:19 -------- d-----w- c:\documents and settings\Me\Application Data\MSNInstaller
2010-03-22 11:20 . 2010-03-22 11:20 83456 ----a-w- c:\windows\system32\kisafigu.exe
2010-03-19 20:11 . 2010-03-19 20:11 79 ----a-w- C:\cid.exe
2010-03-19 19:07 . 2010-03-19 19:07 25 ----a-w- C:\PE.sys
2010-03-19 19:07 . 2010-03-19 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\d0d97
2010-03-19 19:07 . 2010-03-19 19:07 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGLEDWD
2010-03-19 19:06 . 2010-03-19 19:07 -------- d-sh--w- c:\documents and settings\All Users\cfa4b1e
2010-03-18 19:07 . 2010-03-18 19:07 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-03-10 22:45 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 23:33 . 2006-06-13 14:49 -------- d-----w- c:\program files\McAfee
2010-03-26 17:14 . 2004-08-04 03:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-24 01:50 . 2010-03-24 01:50 52224 ----a-w- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-03-24 01:50 . 2010-03-24 01:50 117760 ----a-w- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-22 23:20 . 2010-03-22 23:19 1244648 ----a-w- c:\documents and settings\Me\Application Data\MSNInstaller\msnauins.exe
2010-03-22 12:18 . 2010-03-22 12:17 1874944 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-19 19:06 . 2010-03-19 19:07 2327552 ----a-w- c:\documents and settings\All Users\Application Data\d0d97\SGdd1.exe
2010-03-13 15:45 . 2010-03-05 01:26 439816 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\setup.exe
2010-03-05 21:41 . 2008-07-12 17:21 -------- d-----w- c:\program files\Palm
2010-03-05 09:31 . 2010-03-05 09:31 8405312 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-05 09:29 . 2010-03-05 09:29 149000 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-05 09:29 . 2010-03-05 09:29 10309448 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-05 09:27 . 2010-03-05 09:27 283280 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-05 09:27 . 2010-03-05 09:27 181768 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-05 09:27 . 2010-03-05 09:27 79368 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-05 09:27 . 2010-03-05 09:27 64000 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-05 09:27 . 2010-03-05 09:27 52288 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-05 09:27 . 2010-03-05 09:27 50688 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-05 09:27 . 2010-03-05 09:27 49152 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-05 09:27 . 2010-03-05 09:27 118784 ----a-w- c:\documents and settings\Me\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-02-05 21:50 . 2010-02-05 21:47 -------- d-----w- c:\program files\iTunes
2010-02-05 21:48 . 2010-02-05 21:48 -------- d-----w- c:\program files\iPod
2010-02-05 21:48 . 2007-07-01 00:11 -------- d-----w- c:\program files\Common Files\Apple
2010-02-05 21:31 . 2010-02-05 21:31 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-23 16:09 . 2006-06-24 16:06 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-23 16:09 . 2006-06-27 16:32 56 --sh--r- c:\windows\system32\9DFF71926A.sys
2009-12-31 16:50 . 2005-08-16 09:18 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-08-06 23:05 . 2009-08-06 23:05 133104 ----atw- c:\program files\Coupons
2008-02-09 04:08 . 2006-06-24 16:06 88 --sh--w- c:\windows\system32\6A9271FF9D.sys
1601-01-01 00:03 . 1601-01-01 00:03 173568 --sha-w- c:\windows\system32\poroyoju.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-06-20 185896]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-13 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Security Guard"="c:\documents and settings\All Users\Application Data\d0d97\SGdd1.exe" [2010-03-19 2327552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-26 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-13 24576]
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2008-1-3 1392640]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Photo Loader supervisory.lnk - c:\program files\CASIO\Photo Loader\Plauto.exe [2007-4-20 229376]

[HKLM\~\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Me\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2004-12-13 20:30 58992 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 15:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2009-05-21 14:55 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 06:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 13:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 19:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-12-13 21:41 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-12-13 21:45 118784 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-12-13 21:44 98304 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2006-05-01 13:28 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2006-05-01 13:28 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 15:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 15:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 00:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
2005-12-07 21:05 1537696 ----a-w- c:\program files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-11-16 19:35 397312 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 07:23 75520 ----a-w- c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-11-29 16:56 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-06-20 01:47 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Dell\\QuickSet\\NicConfigSvc.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\RegSrvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\All Users\\cfa4b1e\\SGcfa4.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\S24EvMon.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/4/2007 5:00 PM 24652]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Me\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Me\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Me\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Me\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 0009061269818516mcinstcleanup;McAfee Application Installer Cleanup (0009061269818516);c:\docume~1\Me\LOCALS~1\Temp\000906~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\Me\LOCALS~1\Temp\000906~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
S3 SASENUM;SASENUM;\??\c:\docume~1\Me\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\Me\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2008-05-13 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4202819567.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: cnet.com\download
Trusted Zone: download.com
TCP: {093248F0-CF74-4226-828C-75EDDDB63D5E} = 217.23.14.75,4.2.2.1,192.168.1.1 192.168.1.1
TCP: {736EA5EE-910E-4A22-B01D-532BD31882EF} = 217.23.14.75,4.2.2.1,192.168.1.1 192.168.1.1
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
.
- - - - ORPHANS REMOVED - - - -

BHO-{9b635229-8069-4127-ae26-b7190f4be74a} - jisopisi.dll
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
SharedTaskScheduler-{3471f595-eee8-47f2-a2a5-278e709336f8} - c:\windows\system32\mosirope.dll
SharedTaskScheduler-{212c4a0c-458d-4674-a133-85992fc23051} - c:\windows\system32\gakilime.dll
SSODL-lanagugaf-{3471f595-eee8-47f2-a2a5-278e709336f8} - c:\windows\system32\mosirope.dll
SSODL-pariyovun-{212c4a0c-458d-4674-a133-85992fc23051} - c:\windows\system32\gakilime.dll
MSConfigStartUp-A Verizon App - c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-googletalk - c:\program files\Google\Google Talk\googletalk.exe
MSConfigStartUp-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
MSConfigStartUp-VerizonServicepoint - c:\program files\Verizon\Servicepoint\VerizonServicepoint.exe
AddRemove-Dell Game Console - c:\program files\WildTangent\Apps\Dell Game Console\Uninstall.exe
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
AddRemove-RadialpointClientGateway_is1 - c:\program files\Verizon\Servicepoint\unins000.exe
AddRemove-Riven 1.0 - c:\program files\Riven\DeIsL3.isu
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 19:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\System32\GEARSec.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-03-28 19:54:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 23:54

Pre-Run: 3,615,412,224 bytes free
Post-Run: 3,697,504,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - FFD39055057F59BEA4423AD9A880D9EC


#4 jpshortstuff (WhatTheTech Teacher)

Posted 29 March 2010 - 05:49 AM

OK, let's press on with the cleaning. No doubt the Malware was interfering with McAfee.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
CODE
Collect::
c:\windows\system32\kisafigu.exe
C:\cid.exe
C:\PE.sys
c:\documents and settings\All Users\Application Data\d0d97\SGdd1.exe
c:\windows\system32\poroyoju.exe

Folder::
c:\documents and settings\All Users\Application Data\d0d97
c:\documents and settings\All Users\Application Data\SGLEDWD
c:\documents and settings\All Users\cfa4b1e

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Security Guard"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\All Users\\cfa4b1e\\SGcfa4.exe"=-

Driver::
SASDIFSV
SASKUTIL
0009061269818516mcinstcleanup
SASENUM

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post ComboFix.txt in your next reply.


I also want a second opinion, to make sure there isn't anything nasty left.

You can use either Internet Explorer or Mozilla FireFox for this scan.
  • Please go here then click on:
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on:
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Let me know how things are running now.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here.

#5 bigkick11 (Topic Starter)

Posted 29 March 2010 - 08:37 PM

When I turned the computer on the first time I got a BSOD with error ***STOP:0x00000001(0x0005C0065,0x00000002,0x00000008,0x005C0065). But the second time everything was fine. I attached the ComboFix.txt to save space. The ESET log is below. Unfortunately, it still found 9 infected files.

C:\Qoobox\Quarantine\[4]-Submit_2010-03-29_17.30.15.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\cfa4b1e\SGcfa4.exe.vir a variant of Win32/Kryptik.DDG trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.VM trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP977\A0180672.dll a variant of Win32/Kryptik.DCE trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP977\A0180674.dll a variant of Win32/Kryptik.DCP trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP977\A0180679.dll a variant of Win32/Kryptik.DCE trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP977\A0180680.dll a variant of Win32/Kryptik.DCE trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP977\A0183691.sys Win32/Olmarik.VM trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP978\A0186386.exe a variant of Win32/Kryptik.DDG trojan


Let me know what you think. Thanks!

#6 jpshortstuff (WhatTheTech Teacher)

Posted 30 March 2010 - 02:43 AM

Hi,

Log looks good.

Those items that ESET found are just from ComboFix's backups and from your System Restore. Both of these areas will be flushed when we perform this next step.

Click Start >> Run, and then type ComboFix /Uninstall and hit enter. You can now delete any other tools I had you download and use, unless you wish to keep them.

Now that your computer is clean again, there are a few things that you should consider to keep it that way.
  • Windows Update
    Keeping Windows up-to-date is crucial to your computer's security. Without the latest security fixes and patches, your computer is a sitting target for Malware to find its way in. Microsoft regularly release free updates to fix security flaws and increase the overall security of Windows.
    Windows XP: Use the Windows Update Site (using Internet Explorer) to download and install updates.
    Windows Vista & 7: Open your Control Panel and click Check for updates (under 'Security') or Windows Update ('Classic View').

  • Security Updates
    You should also make sure you regularly update your AntiVirus and Firewall software. New Malware is being developed all the time, so it is vital to stay up-to-date with the latest protection available.

  • Secure Internet Explorer
    Even if you don't use Internet Explorer, it is important to secure it. Many Microsoft and third-party programs utilize Internet Explorer's functionality for their own Internet related activities (like updating, for example), so it is important to keep it secure.

    1. Click Start >> Run, type inetcpl.cpl and then hit Enter
    2. Click on the Security tab, then click once on the Internet icon to highlight it
    3. Click Custom Level button, then make the following changes:
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    4. When all these changes have been made, click on the OK button.
    5. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    6. Press the Apply button and then the OK to exit the Internet Properties page.

  • Extra Protection (optional but recommended)
    Download and install the free version of WinPatrol. This program protects your computer from malicious changes in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. WinPatrol supports everything from Windows 98 to Windows 7, and the developer is constantly improving the program, so it's an excellent protection program to have on-board.

  • Have a read of this article for more information on how you became infected and how to stay secure:
    How did I get infected?
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

Stay Clean!

jpshortstuff

#7 bigkick11 (Topic Starter)

Posted 30 March 2010 - 09:02 PM

jpshortstuff,

I hate to be the bearer of bad news (maybe), but when I logged onto IE again and tried a Google search, I was redirected to Gala Search. Then when I tried to google SpywareBlaster (just as an experiment) "searchzip7" sent me to "Stopzilla". Don't worry, I didn't download it. IE is allowing downloads now, so I redownloaded McAfee and MBAM. And I downloaded WinPatrol and SpywareBlaster from the appropriate bleepingcomputer.com links.

I just ran an MBAM scan, and it found 10 infected files. Here is the log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3935

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/30/2010 10:02:43 PM
mbam-log-2010-03-30 (22-02-43).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 186412
Time elapsed: 1 hour(s), 26 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_USERS\S-1-5-19\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1902&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1902&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Classes\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1902&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=1902&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{093248f0-cf74-4226-828c-75edddb63d5e}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1,192.168.1.1 192.168.1.1 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{736ea5ee-910e-4a22-b01d-532bd31882ef}\NameServer (Trojan.DNSChanger) -> Data: 217.23.14.75,4.2.2.1,192.168.1.1 192.168.1.1 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yidehuyu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Desktop\Security Guard.lnk (Rogue.SecurityGuard) -> Quarantined and deleted successfully.



It looks like I got the Google hijackers, but how do I know if it's all gone? Let me know what you think please. Thanks!

Edited by bigkick11, 30 March 2010 - 09:10 PM.
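As an added example that is not part of this thread or of any of the helper's tools: a read-only PowerShell audit that checks the Internet-zone settings listed in post #6 and the registry locations the MBAM log in post #7 flagged (Hijack.SearchPage and Trojan.DNSChanger). The trusted search hosts and the private-address DNS pattern are assumptions to adjust for your own environment.

```powershell
# Added example, not from the thread: a read-only audit that reports and changes nothing.
# Run in an elevated PowerShell prompt. Assumptions (adjust to your environment): Google
# and Bing are the only acceptable search hosts, and static resolvers should be RFC 1918.

# IE "Internet" zone (zone 3) settings from post #6, keyed by their registry value names.
# Registry data: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneChecks = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                           Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                         Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                              Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                  Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';               Want = 1 }
}
$ZonePath           = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$TrustedSearchHosts = @('www.google.com', 'www.bing.com')                 # assumption
$TrustedDnsPattern  = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'   # RFC 1918, assumption

function Test-IeInternetZone {
    $findings = @()
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    foreach ($id in $ZoneChecks.Keys) {
        $have = $zone.$id                  # $null if the value was never written
        $want = $ZoneChecks[$id].Want
        if ($null -eq $have -or [int]$have -ne $want) {
            $findings += "[IE zone] $($ZoneChecks[$id].Name): have=$have want=$want"
        }
    }
    return $findings
}

# Post #7's MBAM log flagged SearchScopes\URL under HKEY_USERS\S-1-5-19 and S-1-5-20
# (Hijack.SearchPage), so every loaded user hive is checked, not just HKCU.
function Test-SearchScopes {
    $findings = @()
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        $key = "$($hive.PSPath)\Software\Microsoft\Internet Explorer\SearchScopes"
        $url = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).URL
        if ($url -and $url -match '^https?://([^/:]+)') {
            $hostName = $matches[1].ToLower()   # $host is a read-only automatic variable
            if ($TrustedSearchHosts -notcontains $hostName) {
                $findings += "[SearchScopes] $($hive.PSChildName): $url"
            }
        }
    }
    return $findings
}

# The same log's Trojan.DNSChanger entries were a per-interface NameServer of
# "217.23.14.75,4.2.2.1,192.168.1.1 192.168.1.1"; the split tolerates that mixed
# comma/space separator. A static public resolver such as 4.2.2.1 is reported as well:
# a review item, not proof of compromise.
function Test-NameServers {
    $findings = @()
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifRoot) {
        $ns = (Get-ItemProperty -Path $iface.PSPath).NameServer
        if (-not $ns) { continue }          # empty = DHCP-assigned, nothing static to audit
        foreach ($ip in ($ns -split '[ ,]+')) {
            if ($ip -and $ip -notmatch $TrustedDnsPattern) {
                $findings += "[NameServer] $($iface.PSChildName): $ip"
            }
        }
    }
    return $findings
}

$all = @(Test-IeInternetZone) + @(Test-SearchScopes) + @(Test-NameServers)
if ($all.Count -eq 0) { 'No findings.' } else { $all | ForEach-Object { Write-Warning $_ } }
```

A missing or mismatched zone value is reported with both the current and the expected data so it can be compared against the steps in post #6 before anything is changed by hand.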


#8 jpshortstuff (WhatTheTech Teacher)

Posted 01 April 2010 - 01:42 PM

Hi,

Looks like there were a couple of things not showing up in your other logs. I'd give it a couple of days to see whether you have any more problems, and then run MBAM again to see if it gets anything else. If it has returned in a few days let me know, otherwise we can take that to be MBAM finishing it off.

Also make sure you have re-installed an AntiVirus program. Keep me posted.