
Infected with XP Security Tool 2010/ XP Defender


  • This topic is locked
23 replies to this topic

#1 cammaker

cammaker

  • Members
  • 11 posts
  • Gender:Male
  • Local time:10:01 PM

Posted 13 April 2010 - 01:27 AM

XP Security Tool 2010 first appeared out of nowhere, then after a short period it started showing the XP Defender popups. I've run Malwarebytes' Anti-Malware, SuperAntispyware Pro, Spybot Search and Destroy, McAfee Antivirus and Safety.Live.com. I've also run the FixEXE.reg program. Most of my programs are back running again with the exception of the following:

1. The System Restore tab is missing from System Properties.
2. All searches are redirected.
3. Can't go to Microsoft Update.

I've removed the program ave.exe numerous times with one of the above mentioned programs and it keeps coming back. Any help will be greatly appreciated.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Michael Taylor at 0:39:39.10 on Mon 04/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2202 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LeechGet 2007\LeechGet.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2010 Deluxe\Planner\PLNRnote.exe
C:\Program Files\Desktop Alert\desktopalert_1495314.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\MDM.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\download\DDS Tool\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://centurytel.myway.com/
uInternet Settings,ProxyOverride = localhost;*.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [LeechGet] "c:\program files\leechget 2007\LeechGet.exe" -intray
uRun: [MoeMonitor.exe] "c:\documents and settings\michael taylor.mikehome\local settings\application data\microsoft\live mesh\bin\servicing\0.9.4014.7\MoeMonitor.exe"
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [Rainlendar2] "c:\program files\rainlendar2\Rainlendar2.exe"
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [ISUSScheduler] c:\progra~1\common~1\instal~1\update~1\issch.exe -start
mRun: [NeroFilterCheck] "c:\program files\common files\ahead\lib\NeroCheck.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [DVD43] c:\progra~1\dvdreg~1\DVDRegionFree.exe /hidden
StartupFolder: c:\docume~1\michae~1.mik\startm~1\programs\startup\deskto~1.lnk - c:\program files\desktop alert\desktopalert_1495314.exe
StartupFolder: c:\docume~1\michae~1.mik\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\michael taylor.mikehome\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\michae~1.mik\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\eventp~1.lnk - c:\windows\installer\{601be80d-247b-4084-94c7-7a54369db7a2}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Evernote - c:\program files\evernote\evernote3\enbar.dll/2000
IE: Append Link Target to Existing PDF
IE: Download using LeechGet - file://c:\program files\leechget 2007\\AddUrl.html
IE: Download using LeechGet Wizard - file://c:\program files\leechget 2007\\Wizard.html
IE: Parse with LeechGet - file://c:\program files\leechget 2007\\Parser.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - {BC0E0A5D-AB5A-4fa4-A5FA-280E1D58EEE1} - c:\program files\evernote\evernote3\enbar.dll
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswaxf.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {297DE2B6-509A-4B36-93C5-A65276606900} - hxxp://www.in.honda.com/rraaapps/rraasec/codebase/RRAAINAX/RraainAX.CAB
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1258835424468
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259011857218
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {A3E21079-7F41-4125-9EBB-FD44CFCC0AC1} - hxxps://www.mesh.com/0.9.4014.3/TSWeb.cab
DPF: {A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C} - hxxp://www.dlink.com/products/livedemo/plugin/h263ctrl.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: wlcrdplauncher - c:\program files\live mesh\remote desktop\wlcrdplauncher.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdreg~1\DVDShell.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli zutuwise.dll wma1350.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-7-29 385536]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-2-13 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\common files\abbyy\finereader\9.00\licensing\pe\NetworkLicenseServer.exe [2009-5-14 759048]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-10-6 665008]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-10-6 665008]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-13 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-13 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-13 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-13 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-2-13 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-2-13 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-2-13 141792]
R2 PPNT;PPNT;c:\windows\system32\drivers\ppnt.sys [2003-12-1 13824]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\live mesh\remote desktop\wlcrasvc.exe [2009-4-30 44880]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-2-13 55456]
R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [2010-2-23 41504]
R3 Dvd43;Dvd43;c:\windows\system32\drivers\Dvd43.sys [2007-7-21 35296]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-7-29 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-7-29 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-2-13 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-2-13 88480]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-4-30 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-4-30 19392]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2004-5-12 144768]
R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2004-5-12 545088]
S1 CorexCardScan;CardScan USB Scanner;c:\windows\system32\drivers\slcorex.sys [2003-5-21 8448]
S2 gupdate1c990aec6e9487a;Google Update Service (gupdate1c990aec6e9487a);c:\program files\google\update\GoogleUpdate.exe [2009-2-16 133104]
S2 ZIMIABYP;ZIMIABYP;\??\c:\windows\system32\zimiabyp.htf --> c:\windows\system32\zimiabyp.htf [?]
S3 Media Center 14 Service;Media Center 14 Service;c:\program files\j river\media center 14\JRService.exe [2009-8-6 382464]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-2-13 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-13 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-7-29 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-7-29 40552]
S3 vtdg46xx;vtdg46xx;c:\progra~1\turtle~1\santac~1\contro~1\vtdg46xx.sys [2004-5-12 19232]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2067-02-24 20:21:18 79947 ----a-w- c:\windows\fw20.vxd
2010-04-12 05:38:40 0 ----a-w- c:\documents and settings\michael taylor.mikehome\defogger_reenable
2010-04-12 05:04:13 0 --sha-w- C:\DkHyperbootSync
2010-04-09 09:23:31 0 d-----w- c:\program files\PCPitstop
2010-04-08 07:58:02 0 d-----w- c:\program files\iPod
2010-04-08 06:50:48 0 d-----w- c:\program files\BHODemon 2
2010-04-07 08:09:42 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 06:59:02 0 ----a-w- c:\windows\Xxoyuferosul.bin
2010-04-06 06:59:01 120 ----a-w- c:\windows\Aqigixezibeceris.dat
2010-04-06 04:44:46 0 d-sh--w- c:\documents and settings\michael taylor.mikehome\.COMMgr
2010-04-01 08:00:39 0 d-----w- c:\program files\iTunes
2010-04-01 07:23:31 0 d-----w- c:\docume~1\alluse~1.win\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 07:11:20 0 d-----w- c:\program files\Bonjour
2010-03-30 02:55:42 0 d-----w- c:\program files\common files\ABBYY
2010-03-30 02:51:55 0 d-----w- C:\temp
2010-03-29 22:46:21 0 d-----w- c:\program files\Skyhook Wireless
2010-03-22 22:34:27 0 d-----w- c:\documents and settings\michael taylor.mikehome\.freemind
2010-03-22 22:34:06 0 d-----w- c:\program files\FreeMind
2010-03-18 02:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 02:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-03-15 06:49:56 0 d-----w- c:\program files\Unlocker

==================== Find3M ====================

2010-04-12 05:04:34 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-04-12 05:04:34 75264 ----a-w- c:\windows\system32\dllcache\ipsec.sys
2010-04-12 00:07:15 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-04-12 00:07:13 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-10 17:58:44 2180 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-10 17:28:33 35296 ----a-w- c:\windows\system32\drivers\Dvd43.sys
2010-04-06 04:44:25 70144 ----a-w- c:\windows\system32\drwtsn32.exe.tmp
2010-03-31 03:49:55 6580 --sha-w- c:\docume~1\alluse~1.win\applic~1\KGyGaAvL.sys
2010-03-30 05:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-16 16:56:49 72080 ----a-w- c:\documents and settings\michael taylor.mikehome\g2mdlhlpx.exe
2010-03-07 19:07:59 192272 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-03-03 21:07:45 372736 ------w- c:\windows\system32\MC14.exe
2010-03-02 20:15:11 15188 ----a-w- c:\docume~1\michae~1.mik\applic~1\ViewerApp.dat
2010-02-25 16:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-23 21:39:56 8456 ----a-w- c:\windows\system32\KGyGaAvL.sys
2010-02-15 06:56:52 8 --sh--r- c:\docume~1\alluse~1.win\applic~1\69876BBD85.sys
2010-02-12 16:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 16:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-09 22:02:04 93096 ----a-w- c:\windows\system32\IncContxMenu.dll
2010-02-09 22:01:48 2164648 ----a-w- c:\windows\system32\Incinerator.dll
2010-01-30 00:16:12 126392 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-28 22:13:18 30208 ----a-w- c:\windows\system32\iolobtdfg.exe
2010-01-28 22:13:18 12288 ----a-w- c:\windows\system32\smrgdf.exe
2010-01-14 19:14:24 575880 ----a-w- c:\windows\system32\RmActivate_isv.exe
2010-01-14 19:14:22 567176 ----a-w- c:\windows\system32\RmActivate.exe
2010-01-14 19:14:20 562064 ----a-w- c:\windows\system32\SecProc_isv.dll
2010-01-14 19:14:20 558984 ----a-w- c:\windows\system32\SecProc.dll
2010-01-14 19:14:20 362888 ----a-w- c:\windows\system32\RmActivate_ssp.exe
2010-01-14 19:14:20 361872 ----a-w- c:\windows\system32\RmActivate_ssp_isv.exe
2010-01-14 19:14:20 339336 ----a-w- c:\windows\system32\msdrm.dll
2010-01-14 19:14:20 192912 ----a-w- c:\windows\system32\SecProc_ssp_isv.dll
2010-01-14 19:14:20 192904 ----a-w- c:\windows\system32\SecProc_ssp.dll
2009-03-19 03:26:51 20520 ----a-w- c:\program files\init.dat
2003-08-27 19:19:18 36963 ------w- c:\program files\common files\SM1updtr.dll
2000-09-29 02:45:52 271 --sha-w- c:\program files\desktop.ini
2000-09-29 02:45:52 23357 ---ha-w- c:\program files\folder.htt
1998-12-30 21:56:24 2326690 ----a-w- c:\program files\BigIdeaSetup.exe
2009-11-10 23:56:36 88 --sh--r- c:\windows\system32\69876BBD85.sys

============= FINISH: 0:41:27.43 ===============
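As an added triage aid (not part of the thread and not DDS's own code), the script below parses the SERVICES / DRIVERS and LSA lines in the DDS log format posted above and prints a review list for an analyst: services whose file DDS could not read (the trailing `[?]`), services whose image path has a non-executable extension, and LSA notification packages beyond the stock XP value. The review heuristics are my own, the sample lines are excerpted from the log above, and the assumption that Windows XP's default Notification Packages value is just `scecli` is mine; Python 3.9+ is assumed for `str.removesuffix`.

```python
import re

# Lines excerpted from the DDS log posted above, so the parser runs on realistic input.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://centurytel.myway.com/
LSA: Notification Packages = scecli zutuwise.dll wma1350.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-7-29 385536]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-2-13 271480]
S2 ZIMIABYP;ZIMIABYP;\??\c:\windows\system32\zimiabyp.htf --> c:\windows\system32\zimiabyp.htf [?]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-2-13 83496]
"""

# DDS service/driver lines look like "<state> <name>;<description>;<image path> [<date> <size>]".
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(?P<pkgs>.*)$")

# Assumption: the stock Windows XP value of
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages is just "scecli".
DEFAULT_LSA_PACKAGES = {"scecli"}
EXPECTED_IMAGE_EXT = {".exe", ".sys", ".dll"}


def image_path(rest):
    """Recover the image path from the tail of a service line."""
    rest = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest).strip()  # drop "[date size]" or "[?]"
    if " --> " in rest:                                     # DDS prints "\??\raw --> normalized"
        rest = rest.split(" --> ", 1)[1].strip()
    if rest.startswith('"'):                                # quoted path, arguments may follow
        return rest[1:rest.index('"', 1)]
    return rest                                             # unquoted paths may contain spaces


def parse_services(text):
    """Return one dict per R*/S* service or driver line."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = image_path(m.group("rest"))
        filename = path.rsplit("\\", 1)[-1]
        ext = filename[filename.rfind("."):].lower() if "." in filename else ""
        entries.append({
            "state": m.group("state"),
            "name": m.group("name"),
            "path": path,
            "ext": ext,
            # "[?]" means DDS could not stat the file (missing or hidden from it).
            "info_unavailable": m.group("rest").rstrip().endswith("[?]"),
        })
    return entries


def lsa_packages(text):
    """Return the space-separated LSA Notification Packages list, or [] if absent."""
    for line in text.splitlines():
        m = LSA_RE.match(line.strip())
        if m:
            return m.group("pkgs").split()
    return []


def triage(text):
    """Items an analyst should check by hand; this is a review list, not a verdict."""
    findings = []
    for e in parse_services(text):
        reasons = []
        if e["info_unavailable"]:
            reasons.append("DDS could not read the file's date/size ([?])")
        if e["ext"] not in EXPECTED_IMAGE_EXT:
            reasons.append(f"image extension {e['ext'] or '(none)'} is not .exe/.sys/.dll")
        if reasons:
            findings.append({"kind": "service", "item": e["name"], "path": e["path"], "reasons": reasons})
    for pkg in lsa_packages(text):
        if pkg.lower().removesuffix(".dll") not in DEFAULT_LSA_PACKAGES:
            findings.append({"kind": "lsa", "item": pkg, "path": None,
                             "reasons": ["LSA notification package beyond the XP default (scecli)"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['item']:14} {f['path'] or ''}")
        for r in f["reasons"]:
            print(f"         - {r}")
```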



#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:01 PM

Posted 17 April 2010 - 07:39 AM

Hello and welcome to Bleeping Computer

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 cammaker

cammaker
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:10:01 PM

Posted 19 April 2010 - 09:43 PM

Thanks for the help; unfortunately I'm unable to try anything at present. I guess the virus took its toll on my hard drive and it eventually started giving me a blue screen when I tried to boot the computer. When I tried to run CHKDSK on my hard drive, it gave me the error that I have a corrupt master file table, which is not a good thing to have. I plan to run some tests to see if it can be repaired. In the meantime, I would say go help someone else and I'll start another post if I can get my hard drive resurrected. Thanks again for the offer of assistance.

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:01 PM

Posted 20 April 2010 - 05:27 PM

Hi cammaker-

I can give you instructions on a CD that will allow you to boot and a) access files on your computer and b) potentially allow us to repair it. Please let me know if you'd like to try that.

Edited by etavares, 20 April 2010 - 05:27 PM.




#5 cammaker

cammaker
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:10:01 PM

Posted 20 April 2010 - 07:16 PM

I would be more than willing to try anything at this point to try and save my hard drive. Here's my current situation. On Sunday, April 18th at 12:30PM, I booted up my system with my Windows XP CD. I selected the repair option to bring up the Windows Recovery Console. I typed "CHKDSK c: /r" at the prompt and my computer immediately started running the check on my J: drive instead of the C: drive. My J: drive is a 1TB external drive with my entire music collection on it. The message on my computer screen is "CHKDSK is performing additional checking or recovery...". It's been running for almost 55 hours now. I'm afraid to try to stop it in any way for fear that it might corrupt my music collection. Do you have any suggestions?

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:01 PM

Posted 21 April 2010 - 05:38 PM

Hello, cammaker.

Unfortunately, no suggestions... I'd let it run. 1TB will take quite a while, but I agree that stopping it could be risky. That command should have worked. When that's done you can unplug your external HD and try the CHKDSK repair process again. Any luck with that?


etavares




#7 cammaker

cammaker
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:10:01 PM

Posted 21 April 2010 - 05:59 PM

Unfortunately, no luck yet. It's still running the test on the 1TB drive. It's been 78 hours now.

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:01 PM

Posted 21 April 2010 - 06:01 PM

OK, keep me posted, please.




#9 cammaker

cammaker
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:10:01 PM

Posted 22 April 2010 - 04:10 PM

CHKDSK is still running on the external drive. Just broke the 100 hour mark. I sent an email to Western Digital tech support today to see if they had a solution to stopping the drive test.

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:01 PM

Posted 22 April 2010 - 05:57 PM

Here's an article that explains why CHKDSK may take some time. A 1 TB volume of a lot of smaller media files with the /R switch may take quite some time.

http://support.microsoft.com/default.aspx?...b;en-us;Q314835

Unfortunately, I've done some research and it doesn't appear you can really stop it once it starts... it has to go to completion. Is the % complete at least increasing?




#11 cammaker

cammaker
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:10:01 PM

Posted 22 April 2010 - 06:04 PM

The message on the screen is still the same as when the test started "CHKDSK is performing additional checking or recovery...". I'm not sure that it's checking anything. The drive light on the external drive is still flashing indicating some sort of drive activity. There are no lights of any sort flashing on my computer. It's very frustrating.

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:11:01 PM

Posted 23 April 2010 - 05:30 PM

Still going? It could take longer since a USB connection is slower too, but this is starting to get ridiculous.




#13 cammaker

cammaker
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Local time:10:01 PM

Posted 23 April 2010 - 05:36 PM

I finally gave up on the test on the external drive and stopped it at 125 hours. I rebooted the computer with the XP installation CD in the drive and brought up the Windows Recovery Console. As before, I typed in "CHKDSK C: /r" at the prompt and it ran just a second and flashed up the following message: "The volume appears to contain one or more unrecoverable problems." Are there any utility programs that might be able to help at this point?

#14 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 23 April 2010 - 05:54 PM

That is bad and usually one of two things. If it's the NTFS system, the only way I know how is to reformat and start over. It could also be a physical issue with the hard drive itself. You can find the manufacturer specific diagnostic programs here:

http://www.bleepingcomputer.com/forums/t/28744/hard-drive-installation-and-diagnostic-tools/

We can try to recover your data, but you'll need a working computer with a CD burner and an external hard drive with enough space. See below for how to create the boot disc. When you back up your data, do NOT back up program files, Windows system files or anything like that. Only back up YOUR data: documents, photos, music, etc. When plugging into a clean computer, hold down Shift before you plug it in until Windows recognizes the hard drive (maybe 30-60 seconds) so nothing autoruns. Then, scan the hard drive with an updated antivirus program before doing anything with the backup. Here are the instructions to create the backup CD:

After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it.
  • Insert the CD-ROM into the CD-ROM drive, and then restart the computer.
  • If your PC is not booting from the CD, you need to change the boot order:
    • Restart your PC
    • As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
    • Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
    • Navigate to the tab where you can set the boot order. It should be called Boot or Boot order.
    • The tab should now show your current boot order.
      If the CD drive is not at the top, please navigate to the CD-ROM drive with the arrow keys. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However, they can be different, but they should be stated in the help, so that you can find them easily.
    • Once the CD-drive is on top of the boot order, navigate to Exit and select Exit saving changes.
    • Your PC should now boot from your CD.
    • Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
  • Please be patient as "Windows" loads.
  • Your system should now display a REATOGO-X-PE desktop.

You can now backup your data.

Edited by etavares, 23 April 2010 - 05:56 PM.


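The backup rule in the post above (copy only your own data, leave program and Windows system files behind, and keep executable content on the sick drive for the antivirus scan) written out as a small script. This is an added example, not part of the thread or the OTLPE disc; the folder names, the extension list and the sample drive tree are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile

# Top-level folders on an XP system volume that are never "your data" (assumed list)
SKIP_DIRS = {"windows", "program files", "system volume information", "recycler"}
# Executable content: leave it on the sick drive for the AV scan, do not carry it over
SKIP_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}

def plan_backup(root):
    """Return (keep, skipped): relative paths of user files to copy, and of
    executable files deliberately left behind for scanning."""
    keep, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:  # prune system folders before os.walk descends into them
            dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in SKIP_EXTS:
                skipped.append(rel)
            else:
                keep.append(rel)
    return sorted(keep), sorted(skipped)

def run_backup(root, dest):
    """Copy the planned files into dest, preserving the relative folder layout."""
    keep, skipped = plan_backup(root)
    for rel in keep:
        dst = os.path.join(dest, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(root, *rel.split("/")), dst)
    return keep, skipped

def build_sample_drive():
    """Constructed stand-in for the mounted sick drive (sample files, not real data)."""
    root = tempfile.mkdtemp(prefix="sickdrive_")
    for rel in ("Documents and Settings/User/My Documents/report.doc",
                "Documents and Settings/User/My Documents/photo.jpg",
                "Documents and Settings/User/Desktop/installer.exe",
                "Windows/system32/somelib.dll",
                "Program Files/App/app.exe"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("sample")
    return root

def demo():
    """Back up the sample drive into a fresh temp folder; returns (keep, skipped)."""
    return run_backup(build_sample_drive(), tempfile.mkdtemp(prefix="backup_"))
```

The skipped list is the set of files to hand to the antivirus scan on the clean machine rather than restore blindly.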
 


#15 cammaker (Topic Starter, Members, 11 posts)

Posted 24 April 2010 - 11:49 PM

The boot disk worked incredibly well and I was able to back up all my critical data. You're a lifesaver. I backed up 196GB of data and didn't have a single glitch. It doesn't appear that there is very much wrong with the hard drive. I may run a check with SpinRite in the morning and see what it finds before swapping out the hard drive. Since McAfee let me down hard on this one, I don't feel like I have any protection at all. Some of my friends are recommending that I switch to Vipre. Do you have a favorite antivirus software that won't leave me in the cold like McAfee did?



