Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus/Malware frustration


  • This topic is locked This topic is locked
3 replies to this topic

#1 afdarlington

afdarlington

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:28 AM

Posted 17 April 2010 - 08:15 AM

Hi folks, I have attempted to run GMER, and I can see it complete its cycle, but as soon as I try to copy the log to the clipboard or save it, the system blue screens and restarts.

Unsure what originally infected me, but has the Antivirus Virus that took over my security panel, and later left me with search redirects. I have been able to get search working again, and no more fake alerts, but still cannot manually connect to Windows update in explorer or from the start menu.

DDS logs attached and posted below. thanks for help in advance!

~AD


DDS (Ver_10-03-17.01) - NTFSx86
Run by Primary User at 16:20:22.57 on Fri 04/16/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.479 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\thpsrv.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\toshiba\ivp\ism\pinger.exe
C:\PROGRA~1\McAfee\MHN\McENUI.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Primary User\Desktop\Defogger.exe
C:\Documents and Settings\Primary User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Google Side Bar: {32004b8a-44a9-43e7-84e9-808838809519} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [TFncKy] TFncKy.exe
mRun: [ThpSrv] thpsrv /logon
mRun: [NDSTray.exe] NDSTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[1].exe" /scan:boot
StartupFolder: c:\docume~1\primar~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\network usb hub control center\Connect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-4-6 6144]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 214664]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-24 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-24 33024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-4-27 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-4-27 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-4-27 144704]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-2-24 3456]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-3-6 98304]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-4-27 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-4-27 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-4-27 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-27 40552]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-3-15 79232]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-27 135664]
S3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-4-5 35968]
S3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\manycam.sys --> c:\windows\system32\drivers\ManyCam.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-27 34248]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2010-4-6 58240]

=============== Created Last 30 ================

2010-04-16 20:19:00 0 ----a-w- c:\documents and settings\primary user\defogger_reenable
2010-04-16 15:34:32 0 d-s---w- C:\ComboFix
2010-04-15 17:24:13 54156 ---ha-w- c:\windows\QTFont.qfn
2010-04-15 17:24:13 1409 ----a-w- c:\windows\QTFont.for
2010-04-14 03:21:26 0 d-----w- c:\docume~1\primar~1\applic~1\ElevatedDiagnostics
2010-04-13 02:57:05 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-12 07:00:32 0 d-sha-r- C:\cmdcons
2010-04-12 06:55:11 98816 ----a-w- c:\windows\sed.exe
2010-04-12 06:55:11 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 06:55:11 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 06:55:11 161792 ----a-w- c:\windows\SWREG.exe
2010-04-12 04:34:40 4531 ----a-w- c:\windows\wininit.ini
2010-04-12 03:59:02 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-12 03:59:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-04-12 01:49:27 0 d-----w- c:\program files\Trend Micro
2010-04-12 01:17:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-12 01:17:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-12 01:17:29 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-11 22:15:36 602 --sha-r- c:\documents and settings\primary user\ntuser.pol
2010-04-11 22:07:24 0 d--h--w- c:\windows\system32\GroupPolicy
2010-04-11 20:16:10 0 d-----w- c:\windows\pss
2010-04-06 13:57:02 0 d-----w- c:\docume~1\primar~1\applic~1\Smith Micro
2010-04-06 13:52:10 65536 ----a-w- c:\windows\system32\pxfhwmcp.dll
2010-04-06 13:52:10 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2010-04-06 13:52:10 14336 ----a-w- c:\windows\system32\PTDCCID.dll
2010-04-06 13:52:09 58240 ----a-w- c:\windows\system32\drivers\PTDCWWAN.sys
2010-04-06 13:52:09 41728 ----a-w- c:\windows\system32\drivers\PTDCMdm.sys
2010-04-06 13:52:09 39808 ----a-w- c:\windows\system32\drivers\PTDCVsp.sys
2010-04-06 13:52:09 27520 ----a-w- c:\windows\system32\drivers\PTDCBus.sys
2010-04-06 13:14:06 0 d-----w- c:\program files\PANTECH
2010-04-06 13:13:49 0 d-----w- c:\program files\Verizon Wireless
2010-04-06 13:11:14 17152 -c--a-w- c:\windows\system32\dllcache\usbohci.sys
2010-04-06 13:11:14 17152 ----a-w- c:\windows\system32\drivers\usbohci.sys
2010-04-04 03:50:20 0 d-----w- c:\program files\MSECache

==================== Find3M ====================

2010-04-16 17:08:40 96512 ----a-w- c:\windows\system32\drivers\tsk16.tmp
2010-04-14 07:41:54 16768 ----a-w- c:\windows\system32\drivers\TVALZ.SYS
2010-04-12 07:05:52 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-09-29 00:05:43 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009092820090929\index.dat

============= FINISH: 16:21:35.67 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:28 PM

Posted 22 April 2010 - 06:45 AM

Hello, afdarlington

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please paste your logs rather than attaching them, it makes it much easier and quicker to analyse.


ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Edited by Jat90, 22 April 2010 - 06:50 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#3 afdarlington

afdarlington
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:28 AM

Posted 22 April 2010 - 08:31 AM

Jat 90,

Thanks for your response. Unsure of how long I would be waiting for assistnace, I forged ahead (or backward as one might think) - located a recovery disk and reinstalled windows last night. Everything appears to be working swimmingly at the moment. Please close this topic.

Once again, I appreciate your reply.

~AFD

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:01:28 PM

Posted 22 April 2010 - 08:46 AM

Ok, no problem smile.gif

Since the problem appears to be resolved, this topic is now Closed.
If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users