Backdoor.Tidserv!gen4 & Trojan.FakeAV


  • This topic is locked
21 replies to this topic

#1 paliden

paliden

  • Members
  • 12 posts
  • OFFLINE
  • Gender:Male
  • Location:Carlisle, Pa
  • Local time:11:48 PM

Posted 12 May 2010 - 11:52 PM

Hi, I could sure use some assistance with this virus removal.

On 5/5/2010 my computer was attacked by two really nasty viruses. Symantec Antivirus Corporate Edition (SAV10) indicated the following information.

1. Backdoor.Tidserv!gen4 filename=gckoxq.exe action=cleaned by deletion
2. Trojan.FakeAV filename=iovatpwtssd.exe action=partially removed

Incidentally, there were two earlier virus attacks about 6 and 8 months ago. Those attacks were handled by SAV10 and didn't have any obvious effect on my system. I can provide the full SAV10 Risk History log if that would be helpful.

The most obvious symptom was lots of troublesome network security warnings from the "fake AV". These were professional looking, high quality screens that were very convincing. Clicking on them took you to "their" website which promised to "fix" the problem if you purchased their AV software. I immediately left their website and found it got worse. Going to ANY legitimate website (like google.com) resulted in a warning that "Internet Explorer cannot display the webpage". I soon discovered that most common executables (like notepad and task manager) didn't work. Then every few minutes IE7 would connect to various unwanted websites (like viagra.com).

I disabled my wireless network access, and ran a Symantec Full Scan that identified the Trojan.FakeAV virus. I then booted up in Safe Mode and backed up all data files to an external USB hard drive. I ran only in Safe Mode for a few days while I explored my options. Everything worked ok in safe mode, except of course there is no network access in safe mode.

I haven't yet done anything to remove the virus (other than run SAV10). I'm not comfortable messing with the registry, and wouldn't know what to fix anyway. I did research virus removal on Symantec.com, but their website wasn't very helpful.

After reading your "Preparation Guide", I booted up in normal mode (with wireless network access disabled) and ran Defogger, DDS, and GMER. GMER ran overnight. After exiting GMER the next morning, the system was VERY slow. Taskmgr showed four processes using 100% of the cpu: HPTBLFX, RealSched, ALUSchedulerSvc, and ScvHost. Maybe they were trying to access the network even though it was disabled? I think HPTBLFX has something to do with Hewlett-Packard Camera ToolBox. I'm not sure about the others.

Booted again in normal mode. Notepad and task manager worked ok. I re-enabled wireless adapter and tried using the web browser. The troublesome popup security warnings are gone, but I still can't connect to any legitimate websites. I can access my email accounts using Outlook, Outlook Express, and Mozilla Thunderbird. I'm not sure what Symantec means by "partial removal" but perhaps SAV10 did partially eliminate the virus. I noticed the file "iovatpwtssd.exe" was listed twice in the DDS log, but it isn't listed as a running process in the task manager.

DDS, Attach, and Ark logs are pasted below. Thanks in advance for your help. Frank

######################################################################
DDS (Ver_10-03-17.01) - NTFSx86
Run by Frank at 23:06:14.28 on Tue 05/11/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.286 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intuit\QAgent\QAGENT.EXE
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Frank\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061219
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CDelHotkeys Object: {78875f5c-a685-4405-8dc5-d48dc65452b0} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [gleawjub] c:\documents and settings\frank\local settings\application data\qursjifrg\iovatpwtssd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [D-Link AirPlus XtremeG] c:\program files\d-link\airplus xtremeg\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QAGENT] c:\program files\intuit\qagent\QAGENT.EXE
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [<NO NAME>]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\vptray.exe
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [gleawjub] c:\documents and settings\frank\local settings\application data\qursjifrg\iovatpwtssd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://ra.ppg.com/citrix/ICAWEB/en/ica32/ica32t.exe
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/50.14/uploader2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222575490321
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://my.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MRTRATE.SYS [2007-2-4 36404]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100505.004\naveng.sys [2010-5-5 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100505.004\navex15.sys [2010-5-5 1324720]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2010-05-12 03:02:53 0 ----a-w- c:\documents and settings\frank\defogger_reenable
2010-05-07 11:51:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-01 21:56:09 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2010-05-01 21:56:09 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2010-05-01 21:56:09 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2010-05-01 21:56:09 0 d-----w- c:\program files\LG Electronics
2010-04-24 01:19:02 0 d-----w- C:\_Symantec SEP11

==================== Find3M ====================

2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2009-07-10 04:39:08 88 --sh--r- c:\windows\system32\4F7D108408.sys
2009-07-10 04:41:19 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-04-09 23:29:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040920090410\index.dat

============= FINISH: 23:07:03.78 ===============



######################################################################
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 12/25/2006 1:47:23 PM
System Uptime: 5/11/2010 10:55:00 PM (1 hours ago)

Motherboard: Dell Inc. | | 0WG864
Processor: Intel® Pentium® 4 CPU 3.06GHz | Microprocessor | 3059/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 26.193 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel® 82562V 10/100 Network Connection
Device ID: PCI\VEN_8086&DEV_104C&SUBSYS_01DD1028&REV_02\3&172E68DD&0&C8
Manufacturer: Intel
Name: Intel® 82562V 10/100 Network Connection
PNP Device ID: PCI\VEN_8086&DEV_104C&SUBSYS_01DD1028&REV_02\3&172E68DD&0&C8
Service: e1express

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.B)
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&1B02CB0B&0&10F0
Manufacturer: D-Link
Name: D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.B)
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&1B02CB0B&0&10F0
Service: A3AB

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.2
AirPlus XtremeG
America Online (Choose which version to remove)
ANIO Service
ANIWZCS2 Service
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3.5
ArcSoft Panorama Maker 4
Bonjour
Bullzip PDF Printer 6.0.0.766
CameraDrivers
Capture NX 2
Citrix ICA Client
Conexant D850 56K V.9x DFVc Modem
Corel Snapfire Plus
CreativeProjects
Critical Update for Windows Media Player 11 (KB959772)
Delicious Add-on for Internet Explorer
Dell CinePlayer
Dell Driver Reset Tool
Dell Game Console
Dell Support 3.2.1
Dell System Restore
Digital Content Portal
Digital Line Detect
Director
Documentation & Support Launcher
EarthLink Setup Files
ESPNMotion
File Uploader
Free Easy Burner V 3.9
Games, Music, & Photos Launcher
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
GemMaster Mystic
Google Toolbar for Internet Explorer
GPL Ghostscript Lite 8.63
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Extended Capabilities 4.7
HP Image Zone 3.5
HP LaserJet 3050/3052/3055/3390/3392 2.0
HP Photosmart Cameras 3.5
HP Update
hpmdtab
hpp3390usg
hppFaxDrv3390
hppFaxUtility
hppFonts
hppIOFiles
hppLJ3390
hppManuals3390
hppscan3390
hppScanTo
hppSendFax
hppTooCool
hppToolBoxFX
HPSystemDiagnostics
hpzTLBXFX
ieSpell
InstantShare
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Intel® PRO Network Connections
Internet Service Offers Launcher
iTunes
J2SE Runtime Environment 5.0 Update 6
Juniper Citrix Services Client
Juniper Networks Host Checker
Learn2 Player (Uninstall Only)
LG USB Modem driver
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
MarketResearch
McAfee Security Scan
Memories Disc Creator 2.0
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Basic Edition 2003
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Visual Studio 2005 Professional Edition - ENU Service Pack 1 (KB926601)
Modem Helper
Move Media Player
Mozilla Thunderbird (2.0.0.24)
MSDN Library for Visual Studio 2005
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
NetWaiting
Nikon Message Center
Nikon Transfer
Notepad++
Otto
PhotoGallery
Picasa 3
Picture Control Utility
QFolder
QuickBooks Simple Start 2008
Quicken 2009
QuickProjects
QuickTime
RealPlayer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Scan
SearchAssist
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937061)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB947738)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB971023)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB971090)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB973673)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SkinsHP1
SkinsHP2
SolveIT! v5.7
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Spelling Dictionaries Support For Adobe Reader 9
SupportSoft Assisted Service
Symantec AntiVirus
TaxACT 2007
TaxACT 2008
TaxACT 2008 Pennsylvania
TaxACT 2009
TaxACT 2009 Pennsylvania
TrayApp
TurboTax Deluxe Deduction Maximizer 2006
TurboTax Home & Business 2007
TurboTax ItsDeductible 2006
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb981433)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
ViewNX
Viewpoint Media Player
WebFldrs XP
WebReg
WexTech AnswerWorks
WildTangent Web Driver
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Search 4.0
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
WinZip

==== Event Viewer Messages From Past Week ========

5/8/2010 9:02:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
5/7/2010 9:18:50 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
5/7/2010 9:18:02 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
5/7/2010 7:00:22 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/7/2010 6:58:17 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip
5/7/2010 6:58:17 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/7/2010 6:58:17 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/7/2010 6:58:17 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/7/2010 6:58:17 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/7/2010 6:58:17 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/7/2010 6:58:17 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/7/2010 6:57:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/11/2010 10:57:38 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/11/2010 10:57:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.

==== End Of File ===========================


######################################################################
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-12 07:36:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Frank\LOCALS~1\Temp\fglcraoc.sys


---- System - GMER 1.0.15 ----

SSDT 864EC7E8 ZwAlertResumeThread
SSDT 8651C7E8 ZwAlertThread
SSDT 86521650 ZwAllocateVirtualMemory
SSDT 8631A3C0 ZwConnectPort
SSDT 864E1A30 ZwCreateMutant
SSDT 864FFA98 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA5F02350]
SSDT 8655EF38 ZwFreeVirtualMemory
SSDT 864E6930 ZwImpersonateAnonymousToken
SSDT 864EBD58 ZwImpersonateThread
SSDT 864EB5B0 ZwMapViewOfSection
SSDT 86521D10 ZwOpenEvent
SSDT 864F0780 ZwOpenProcessToken
SSDT 864FED10 ZwOpenThreadToken
SSDT 86526C08 ZwQueryValueKey
SSDT 8645F1F0 ZwResumeThread
SSDT 864FB550 ZwSetContextThread
SSDT 8651D630 ZwSetInformationProcess
SSDT 864F5BE8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA5F02580]
SSDT 8644C570 ZwSuspendProcess
SSDT 864EFDA8 ZwSuspendThread
SSDT 864FAEA8 ZwTerminateProcess
SSDT 864F2CE8 ZwTerminateThread
SSDT 8651E5D0 ZwUnmapViewOfSection
SSDT 8655DAD8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C00 8050449C 8 Bytes CALL 68D69368

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[4040] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A3489D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
Dell Dimension DM061 | Dual Pentium 4 (3Ghz) | 1G Ram | 80GB HD | DLink DI-624 router |
Win XP Media Center SP3 | IE7 | SAV10 corp ed | MBAM | SpywareBlaster | SuperAntiSpyware | MVPS Hosts |
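The Event Viewer block in the DDS log above is easier to read once the error codes are decoded. The `%1084` inside the DCOM 10005 entries is Win32 error 1084, ERROR_NOT_SAFEBOOT_SERVICE ("This service cannot be started in Safe Mode"), and the 7026 entry a minute later lists the whole network stack (AFD, Tcpip, NetBT, IPSec) failing to load, with the 7001 entries being the services that depend on it. Together that is the signature of a Safe Mode boot, not of rootkit damage, so those 5/7 entries should not be counted against the machine; only the 5/11 Windows Search timeout is left unexplained. The script below is an added example, not part of DDS or of this post; it parses the DDS event-line format, applies that decoding, and keeps whatever it cannot explain in a list for review. The sample lines are retyped copies of entries from the log above, and the error-code table is limited to what the example needs.

```python
"""Decode the 'Event Viewer Messages From Past Week' block of a DDS log.

Added example; not part of DDS or of the original post.  SAMPLE_EVENTS are
retyped copies of a few entries from the log above, and WIN32_ERRORS holds
only the codes this triage needs.
"""
import re
from datetime import datetime

# Win32 error codes that DCOM 10005 messages embed as "%<code>".
WIN32_ERRORS = {
    1084: "ERROR_NOT_SAFEBOOT_SERVICE (this service cannot be started in Safe Mode)",
}
# Boot-start drivers that never load in Safe Mode without networking.
NETWORK_STACK = {"AFD", "Tcpip", "NetBT", "IPSec", "NetBIOS"}

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$")

SAMPLE_EVENTS = [  # constructed: retyped from the DDS log in the post above
    '5/7/2010 9:18:50 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}',
    '5/7/2010 6:58:17 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRT SAVRTPEL SPBBCDrv SYMTDI Tcpip',
    '5/7/2010 6:58:17 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.',
    '5/7/2010 6:57:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}',
    '5/11/2010 10:57:38 PM, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.',
    '==== End Of File ===========================',
]


def parse_event(line):
    """Parse one DDS event line into a dict, or return None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["id"] = int(ev["id"])
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
    code = re.search(r'"%(\d+)"', ev["msg"])          # e.g. "%1084"
    ev["code"] = int(code.group(1)) if code else None
    return ev


def triage(lines):
    """Sort events into Safe Mode evidence, failed drivers per day, and leftovers."""
    report = {"safe_mode_days": set(), "failed_drivers": {}, "dependency_failures": 0, "other": []}
    for ev in filter(None, map(parse_event, lines)):
        day = ev["ts"].date().isoformat()
        if ev["source"] == "DCOM" and ev["id"] == 10005 and ev["code"] == 1084:
            report["safe_mode_days"].add(day)
        elif ev["source"] == "Service Control Manager" and ev["id"] == 7026:
            drivers = ev["msg"].split("failed to load:", 1)[1].split()
            report["failed_drivers"].setdefault(day, set()).update(drivers)
        elif ev["source"] == "Service Control Manager" and ev["id"] == 7001:
            report["dependency_failures"] += 1   # consequences of the 7026, not new facts
        else:
            report["other"].append(ev)
    return report


def summarize(report):
    """Turn the report into the sentences a helper would actually post."""
    out = []
    for day in sorted(report["safe_mode_days"]):
        out.append("%s: DCOM 10005 with %%1084 = %s, so the machine was booted into Safe Mode"
                   % (day, WIN32_ERRORS[1084]))
    for day, drivers in sorted(report["failed_drivers"].items()):
        net = ", ".join(sorted(drivers & NETWORK_STACK))
        verdict = ("expected for the Safe Mode boot on that day"
                   if day in report["safe_mode_days"]
                   else "not explained by a Safe Mode boot; look at these drivers")
        out.append("%s: %d boot/system-start drivers failed (network stack: %s); %s"
                   % (day, len(drivers), net, verdict))
    for ev in report["other"]:
        out.append("%s: %s %d still to review: %s"
                   % (ev["ts"].date(), ev["source"], ev["id"], ev["msg"][:70]))
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_EVENTS)):
        print(line)
```

Run it over the whole Event Viewer block of a DDS log (everything between the "Event Viewer Messages" header and "End Of File"); the only entries that survive into the "still to review" list are the ones a Safe Mode boot does not account for.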





#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:48 PM

Posted 13 May 2010 - 08:56 AM


Hello paliden,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 fireman4it

Posted 14 May 2010 - 06:28 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it


#4 paliden (Topic Starter)

Posted 14 May 2010 - 11:28 PM

Hi Fireman,

Yes, I'm still here. I just received an email notification about your two replies when I got home from work this evening. I should have been checking the forum topic as well. By the way, I don't know what happened to all the back-slashes in DDS.txt in my original post. They were ok in my original DDS.txt file, but somehow didn't survive being copied into the BleepingComputer post. I didn't realize they were missing until after I sent it out.

I temporarily disabled "Auto-Protect" in SAV10 Corporate Edition. I think this disabled the Norton firewall as well, but I'm not sure about that.

Then I ran RKILL without any trouble. The only thing RKILL did was terminate a Symantec process called "PIFSvc.exe".

I also ran COMBOFIX without any trouble. It created a System Restore Point. Then it downloaded the MS Recovery Console, which installed ok. After that, it performed its Malware Scan and produced the ComboFix.txt logfile. I don't fully understand most of the information in the ComboFix logfile, but it found and deleted the "iovatpwtssd.exe" file that SAV10 only "partially removed". ComboFix apparently re-enabled SAV10 as well, because it was already enabled when I checked.

My computer is running much better now. Many of the original symptoms disappeared after running SAV10 in safe mode:
-- The troublesome popup security warnings are gone,
-- Email access is ok with Outlook and Mozilla Thunderbird,
-- Executables like Notepad and TaskMgr run ok.

After running Rkill and ComboFix, internet access is working as well. At least I'm not getting "IE cannot display the webpage" when trying to go to legitimate websites. So far, I haven't found anything that doesn't work. Thanks again for your help.

ComboFix log is pasted below. Regards, Frank

##########################################################################################

ComboFix 10-05-14.06 - Frank 05/14/2010 22:17:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.312 [GMT -4:00]
Running from: c:\documents and settings\Frank\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Frank\Local Settings\Application Data\qursjifrg
c:\documents and settings\Frank\Local Settings\Application Data\qursjifrg\iovatpwtssd.exe

.
((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-15 01:35 . 2010-05-15 01:35 -------- d-----w- c:\windows\LastGood
2010-05-07 11:51 . 2010-05-07 11:51 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-06 06:07 . 2010-05-06 06:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\Delicious IE Extension
2010-05-01 21:56 . 2010-05-01 21:56 -------- d-----w- c:\program files\LG Electronics
2010-05-01 21:56 . 2008-11-11 17:42 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2010-05-01 21:56 . 2008-11-11 17:41 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2010-05-01 21:56 . 2008-11-11 17:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2010-04-24 01:19 . 2010-04-24 01:20 -------- d-----w- C:\_Symantec SEP11

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 02:14 . 2010-04-01 23:20 439816 ----a-w- c:\documents and settings\Frank\Application Data\Real\Update\setup3.10\setup.exe
2010-05-15 01:57 . 2009-03-30 02:56 -------- d-----w- c:\program files\Symantec AntiVirus
2010-05-14 03:38 . 2008-11-27 17:46 -------- d-----w- c:\documents and settings\Frank\Application Data\Delicious IE Extension
2010-05-14 03:32 . 2009-07-04 03:53 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-14 00:20 . 2008-09-28 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-01 21:56 . 2006-12-19 08:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-21 20:42 . 2008-03-30 19:19 -------- d-----w- c:\program files\2nd Story Software
2010-03-16 07:54 . 2010-03-16 05:49 -------- d-----w- c:\program files\Free Easy Burner
2010-03-11 12:38 . 2005-08-16 09:18 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-08-16 09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-27 14:49 . 2010-02-27 14:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-24 13:11 . 2005-08-16 09:18 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-22 19:54 . 2006-12-19 08:58 92544 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 14:08 . 2005-08-16 09:18 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-04 03:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-10 04:39 . 2007-01-15 00:41 88 --sh--r- c:\windows\system32\4F7D108408.sys
2009-07-10 04:41 . 2007-01-15 00:41 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"D-Link AirPlus XtremeG"="c:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2005-03-28 1011712]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"QAGENT"="c:\program files\Intuit\QAgent\QAGENT.EXE" [2000-01-21 98304]
"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2006-02-02 45056]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-28 185872]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-10-08 125368]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-19 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-10-22 972064]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\dlcfcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Frank\\Application Data\\Juniper Networks\\Juniper Citrix Services Client\\dsCitrixProxy.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 mrtRate;mrtRate;c:\windows\system32\drivers\MRTRATE.SYS [2/4/2007 11:43 PM 36404]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 8:17 PM 450400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 8:01 PM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: turbotax.com
.
.
------- File Associations -------
.
.txt=Notepad++_file
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-gleawjub - c:\documents and settings\Frank\Local Settings\Application Data\qursjifrg\iovatpwtssd.exe
HKLM-Run-gleawjub - c:\documents and settings\Frank\Local Settings\Application Data\qursjifrg\iovatpwtssd.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-05-14 22:27:02
ComboFix-quarantined-files.txt 2010-05-15 02:26

Pre-Run: 27,782,807,552 bytes free
Post-Run: 29,246,431,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - C4D343CCF6BA0C1BFE68CB32A33902D5







Dell Dimension DM061 | Dual Pentium 4 (3Ghz) | 1G Ram | 80GB HD | DLink DI-624 router |
Win XP Media Center SP3 | IE7 | SAV10 corp ed | MBAM | SpywareBlaster | SuperAntiSpyware | MVPS Hosts |
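Two things in the ComboFix log above deserve a closer look than "looks good". First, `uInternet Settings,ProxyServer = http=127.0.0.1:5555`: rogue AV of this kind points Internet Explorer at a proxy on the local host that the malware itself serves, which is how it blocks real sites and why every page fails to load the moment the process is killed, matching the "cannot display the webpage" symptom from the first post. ComboFix prints the ProxyServer value but not ProxyEnable, so whether that proxy is still in effect has to be checked directly under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (Internet Options > Connections > LAN settings shows the same thing), and the value should be cleared either way. Second, the two ORPHANS REMOVED entries show the loader: a Run value named `gleawjub` in both HKCU and HKLM launching an executable from a random nine-letter directory under Local Settings\Application Data, which is the pattern to look for among the remaining Run entries. The `DisableMonitoring` values under `security center\Monitoring` are normally written by Symantec's own products so Windows Security Center does not double-report, so they are a review item rather than a finding. The script below is an added example, not ComboFix's own output or part of this post; it pulls those indicators out of ComboFix's text format. The SAMPLE lines are constructed copies of a few entries from the log above, and the random-directory heuristic is an assumption of this example.

```python
"""Pull the indicators worth a second look out of a ComboFix log.

Added example; not part of ComboFix or of the original post.  SAMPLE holds
constructed copies of a few entries from the log above, and the
random-directory heuristic is an assumption of this example, not something
ComboFix reports itself.
"""
import re

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-15 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555

- - - - ORPHANS REMOVED - - - -

HKCU-Run-gleawjub - c:\documents and settings\Frank\Local Settings\Application Data\qursjifrg\iovatpwtssd.exe
HKLM-Run-gleawjub - c:\documents and settings\Frank\Local Settings\Application Data\qursjifrg\iovatpwtssd.exe
'''.strip().splitlines()

SECTION = re.compile(r"^\[(?P<key>.+)\]$")
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$")
PROXY = re.compile(r"ProxyServer = (?P<proxy>\S+)$")
# Heuristic (assumption of this example): an .exe launched straight from a
# per-user profile directory whose name is a single lowercase token of 7+
# letters.  Legitimate software there usually carries a vendor or product name.
PROFILE_DIR = re.compile(
    r"(?i:\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\)"
    r"(?P<dir>[a-z]{7,})\\[^\\]+\.exe$")


def loopback_proxy(value):
    """True if any entry of an IE ProxyServer value ('http=host:port;...' or
    'host:port') points at the local host."""
    for entry in value.split(";"):
        hostport = entry.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0].strip("[]").lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def triage(lines):
    """Return (severity, text) findings for the ComboFix lines given."""
    findings = []
    section = ""
    for raw in lines:
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("key")          # remember which registry key we are under
            continue
        m = PROXY.search(line)
        if m:
            if loopback_proxy(m.group("proxy")):
                findings.append(("high", "IE proxy points at the local host (%s); confirm ProxyEnable "
                                 "under HKCU\\...\\Internet Settings and clear the value" % m.group("proxy")))
            continue
        m = RUN_VALUE.match(line) or ORPHAN.match(line)
        if m:
            d = PROFILE_DIR.search(m.group("path"))
            if d:
                findings.append(("high", "autorun %r launches from profile directory %r: %s"
                                 % (m.group("name"), d.group("dir"), m.group("path"))))
            continue
        if line == '"DisableMonitoring"=dword:00000001' and "security center\\monitoring" in section.lower():
            findings.append(("review", "Security Center monitoring disabled for %s (normal for Symantec's "
                             "own products; confirm nothing else set it)" % section.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for severity, text in triage(SAMPLE):
        print(severity.upper(), text)
```

Feed it the full ComboFix.txt rather than the excerpt and the same three checks run over every Run value, every orphan and the Supplementary Scan; the proxy check is the one to act on first, since a leftover loopback proxy keeps the browser broken long after the malware itself is gone.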



#5 fireman4it

Posted 15 May 2010 - 10:54 AM

Hello paliden,

Glad to hear things are back to normal. You had a nasty infection which affects your browsers. Things look real good in your logs. Let's update some programs and do some final checking.

1.
New Adobe Reader Installation:
  • Go here and click on the Download button to download the latest version of Adobe Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

2.
Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Things to include in your next reply:
MBAM log
Eset log
A new DDS.txt
Don't need Attach.txt this time
How is your machine running?


#6 paliden (Topic Starter)

Posted 16 May 2010 - 12:36 AM

Hi Fireman,

I had trouble installing the new Adobe Reader on top of my existing version. Tried twice and kept getting network error 1316 attempting to read "AdbeRdr930_en_us.msi". I ended up removing the existing version altogether, and then reinstalling the new one again. I then upgraded the newly installed version (9.3.0) to the latest version (9.3.2).

I ran MBAM Quick Scan without any trouble, and it didn't find any infections.

I started running ESET but it's taking a really long time to complete. I'm using my laptop to send this reply since the desktop computer is busy running ESET.

I did another Symantec full scan last night, and it found another new virus called "SpywareGuard2008" (file: A1055244.exe) which was cleaned by deletion. It also found the Trojan.FakeAV again (also in file: A1055244.exe) which was cleaned by deletion. Furthermore, it said it could "repair" the FakeAV in quarantine. I opted to leave it in quarantine for now. Somehow I've lost confidence in SAV10.

My "infected" desktop system is still running ok. I've not seen a recurrence of the original virus symptoms, or any other problems. Looking good so far.

ESET is still running. I'll let it finish overnight and post both logs in the morning. Sorry for the delay.

Regards, Frank
Dell Dimension DM061 | Dual Pentium 4 (3Ghz) | 1G Ram | 80GB HD | DLink DI-624 router |
Win XP Media Center SP3 | IE7 | SAV10 corp ed | MBAM | SpywareBlaster | SuperAntiSpyware | MVPS Hosts |



#7 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)
Posted 16 May 2010 - 12:43 AM

Hello,

Those files SAV10 found were no biggie; they were a system restore file. We will deal with those once we know the machine is clean.

I will wait patiently for your logs.



#8 paliden (Topic Starter, Members, 12 posts, Carlisle, Pa)
Posted 16 May 2010 - 08:09 AM

Hi Fireman, thanks for your patience.

ESET finally finished about 2:30am after 3.5hrs of scanning. It didn't find any virus threats. I thought I lost the ESET logfile. I didn't see any buttons to list found threats or export to textfile, probably skipped a step, and pressed the "back" button when the scan finished. Eventually found log.txt in c:\program files\eset\.

Anyway MBAM, ESET, and DDS logs are pasted below. Regards, Frank

######################################################

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4105

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

5/15/2010 11:13:26 PM
mbam-log-2010-05-15 (23-13-26).txt

Scan type: Quick scan
Objects scanned: 141904
Time elapsed: 9 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

######################################################

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17023 (vista_gdr.100222-0012)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b5619c3978019a4ba48eafa8ddd21b61
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-05-16 07:08:19
# local_time=2010-05-16 03:08:19 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=120684
# found=0
# cleaned=0
# scan_time=12864

######################################################


DDS (Ver_10-03-17.01) - NTFSx86
Run by Frank at 8:16:47.56 on Sun 05/16/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.474 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\dlcfcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intuit\QAgent\QAGENT.EXE
C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Delicious Add-on for Internet Explorer\DeliciousManager.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Frank\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CDelHotkeys Object: {78875f5c-a685-4405-8dc5-d48dc65452b0} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Delicious Toolbar: {61d1c847-df80-423a-8c6d-dc03b97e6ebe} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Delicious Sidebar: {9d19c405-ba93-461b-871f-97992cc45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [D-Link AirPlus XtremeG] c:\program files\d-link\airplus xtremeg\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QAGENT] c:\program files\intuit\qagent\QAGENT.EXE
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {2C887991-08F0-11DC-A9B2-0012F0B227DD} - {B8D8B1D0-83AF-451B-8CD9-8F1BF4ED8FEA} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887992-08F0-11DC-A9B2-0012F0B227DD} - {9D19C405-BA93-461b-871F-97992CC45972} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {2C887993-08F0-11DC-A9B2-0012F0B227DD} - {4D3D441F-9543-4941-B664-2EDCF9FC1B56} - c:\program files\delicious add-on for internet explorer\DeliciousExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://ra.ppg.com/citrix/ICAWEB/en/ica32/ica32t.exe
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/50.14/uploader2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222575490321
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://my.ppg.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 mrtRate;mrtRate;c:\windows\system32\drivers\MRTRATE.SYS [2007-2-4 36404]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-27 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100515.004\naveng.sys [2010-5-15 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100515.004\navex15.sys [2010-5-15 1347504]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

============== File Associations ===============

.txt=Notepad++_file

=============== Created Last 30 ================

2010-05-16 03:30:37 0 d-----w- c:\program files\ESET
2010-05-16 02:59:48 0 d-----w- c:\docume~1\frank\applic~1\Malwarebytes
2010-05-16 02:59:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 02:59:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-16 02:59:17 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-16 02:59:16 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-15 02:10:45 0 d-sha-r- C:\cmdcons
2010-05-15 02:05:50 98816 ----a-w- c:\windows\sed.exe
2010-05-15 02:05:50 77312 ----a-w- c:\windows\MBR.exe
2010-05-15 02:05:50 256512 ----a-w- c:\windows\PEV.exe
2010-05-15 02:05:50 161792 ----a-w- c:\windows\SWREG.exe
2010-05-15 02:05:42 0 d-----w- C:\ComboFix
2010-05-12 03:02:53 0 ----a-w- c:\documents and settings\frank\defogger_reenable
2010-05-07 11:51:52 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-01 21:56:09 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2010-05-01 21:56:09 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2010-05-01 21:56:09 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2010-05-01 21:56:09 0 d-----w- c:\program files\LG Electronics
2010-04-24 01:19:02 0 d-----w- C:\_Symantec SEP11

==================== Find3M ====================

2010-03-10 13:18:21 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 11:09:18 430080 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-10 04:39:08 88 --sh--r- c:\windows\system32\4F7D108408.sys
2009-07-10 04:41:19 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-04-09 23:29:12 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009040920090410\index.dat

============= FINISH: 8:17:36.48 ===============

######################################################
[end of reply]

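One line in the DDS "Pseudo HJT Report" pasted above deserves a second look when a browser has been reporting that it cannot display any page: a user-level ProxyServer of 127.0.0.1:5555, which routes Internet Explorer's traffic through a local process. The following review helper is an added example (not DDS or BleepingComputer code) that parses that section of a DDS report and flags a loopback proxy, a non-default Winlogon Userinit, and orphaned "No File" browser add-on entries; the sample input is a constructed excerpt of the report above.

```python
"""Review helper for the "Pseudo HJT Report" section of a DDS log.

Added example; not DDS or BleepingComputer code. It reads the
`key = value` and `TYPE: name: {clsid} - path` lines that DDS emits and
returns (severity, line, reason) findings for a responder to check.
"""
import re
from ipaddress import ip_address

# Constructed excerpt of the DDS report pasted in this thread.
SAMPLE_REPORT = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
"""

# Default Winlogon Userinit on a 32-bit Windows XP install (DDS prints it
# without the trailing comma that the registry value usually carries).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    host = host.strip("[]").lower()
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a host name, not an address
        return False


def proxy_targets(value: str):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    Accepts the single form "host:port" and the per-protocol form
    "http=host:port;https=host:port". A missing scheme is reported as "*".
    """
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")  # scheme may be absent
        host, _, port = hostport.rpartition(":")
        if not host:  # no port was given
            host, port = hostport, ""
        targets.append((scheme or "*", host, port))
    return targets


def review(report: str):
    """Return a list of (severity, line, reason) findings for the report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # uInternet Settings,ProxyServer = http=127.0.0.1:5555
        m = re.match(r"^([um])Internet Settings,ProxyServer\s*=\s*(.+)$", line)
        if m:
            scope = "user" if m.group(1) == "u" else "machine"
            for scheme, host, port in proxy_targets(m.group(2)):
                if _is_loopback(host):
                    findings.append(("high", line,
                        f"{scope}-level {scheme} proxy points at loopback {host}:{port}; "
                        "browser traffic goes through a local process, which is only "
                        "expected if you knowingly run a local proxy or web filter"))
            continue
        # mWinlogon: Userinit=c:\windows\system32\Userinit.exe
        m = re.match(r"^mWinlogon:\s*Userinit\s*=\s*(.+)$", line, re.I)
        if m:
            value = m.group(1).strip().rstrip(",").lower()
            if value != EXPECTED_USERINIT:
                findings.append(("high", line,
                    "Userinit differs from the default; whatever it names runs at every logon"))
            continue
        # BHO/TB/EB entry whose registered file no longer exists.
        if re.match(r"^(BHO|TB|EB):", line) and line.endswith("- No File"):
            findings.append(("low", line,
                "orphaned entry: the registered add-on has no file on disk; safe to remove"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in review(SAMPLE_REPORT):
        print(f"[{severity}] {line}\n    {reason}")
```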


#9 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)
Posted 16 May 2010 - 03:33 PM

Hello paliden,

1.
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

2.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall



    between the "x" and "/". <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".

3.
Congratulations! You now appear clean!

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.



Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install and maintain an outbound firewall
  2. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  3. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  4. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  5. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    1. Click the "Start Menu" (or Windows Orb)
    2. Click "All Programs"
    3. Click "Windows Update"
    4. On the left, choose "Change Settings"
    5. Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    6. Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    7. Click "Check for Updates" in the upper left corner.
    8. Follow the instructions to install the latest updates.
    9. Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  6. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  7. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.






#10 paliden (Topic Starter, Members, 12 posts, Carlisle, Pa)
Posted 17 May 2010 - 07:30 AM

Hi Fireman,

My system is still running good. I'm glad you think my computer is now "clean". Thanks again for your help.

I did some reading in the Spyware Removal section of bleepingcomputer and kicked myself for not writing down more specific symptoms about my fakeAV virus (like website name & message texts). However, looking at the list of latest viruses, I believe it to be the "Antispyware Soft" virus. The screen shots and fake warning message texts look familiar. My symptoms were almost exactly like the ones described in the Removal Guide article.

Last night, I got partway through your last instructions when the bleepingcomputer's website went down. Two different computers showed the same browser error. Other websites worked ok, so I believe the problem was with bleepingcomputer's website. When I tried again this morning, the website was working. I wanted to let you know what I've done so far...

I removed my old JAVA version, and installed JRE 6u20 without any trouble.

I also performed the Combofix /Uninstall without any trouble.

I'll finish the rest this evening after work, and post again.

Regards, Frank



#11 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts, Greenup, Ill USA)
Posted 17 May 2010 - 05:18 PM

Hello,

QUOTE
Last night, I got partway through your last instructions when the bleepingcomputer's website went down. Two different computers showed the same browser error. Other websites worked ok, so I believe the problem was with bleepingcomputer's website. When I tried again this morning, the website was working.


Yes Bleeping Computer was down for a little while performing routine maintenance.

Glad to hear your machine is running good! You're most welcome for the help.



#12 paliden (Topic Starter, Members, 12 posts, Carlisle, Pa)
Posted 18 May 2010 - 12:17 AM

Hi Fireman,

I finished the rest of the cleanup process per your last post.
-- Installed JRE 6u20
-- Ran Combofix /uninstall
-- Ran OTC
-- Downloaded StartupLite, but haven't tried using it yet.


I appreciate your other recommendations and suggestions as well.

--FIREWALLS. I'm using the standard Windows Firewall, and a DLink Wireless Hub that also provides a hardware firewall. I'll read the Firewall Tutorial and see if they can be configured better. I know this is a complicated subject, but I'd appreciate any suggestions.

--HOSTS. I downloaded and installed MVPS Hosts file and HostMan file manager. My existing Hosts file was minimal; it had only one entry (for localhost = 127.0.0.1). I also ran services.msc to stop DNS Client. I need to explore HostMan a bit more...

--WINDOWS UPDATES. Automatic updates are turned on. Isn't that the same as going to update.microsoft.com?

--SAV10. Symantec Corporate Edition also automatically updates its virus definitions daily. Now, when SAV10 updates its virus definitions, it wants to "repair" the quarantined FakeAV. Should I let it do that, or simply keep it in quarantine?

--ANTI-SPYWARE TOOLS. I'm getting a bit confused about the many anti-spyware tools, and perhaps a bit disappointed in SAV10 letting this virus get through. Can MBAM, SuperAntiSpyware and/or SpywareBlaster co-exist with SAV10? Sounds like more is better.

Regards, Frank



Dell Dimension DM061 | Dual Pentium 4 (3Ghz) | 1G Ram | 80GB HD | DLink DI-624 router |
Win XP Media Center SP3 | IE7 | SAV10 corp ed | MBAM | SpywareBlaster | SuperAntiSpyware | MVPS Hosts |
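The HOSTS step in Frank's post above (installing the MVPS Hosts file and HostMan), as an added example that is not part of the original thread: a small parser for hosts-file text in the MVPS layout that counts the sink entries and flags any line that maps a well-known domain to a non-loopback address, which is what a hosts-file hijack looks like as opposed to a block. The sample hosts text, the watched-domain list and the 10.0.0.5 address are constructed for the example; the Windows hosts path is the real default location.

```python
import ipaddress
from typing import Dict, List, NamedTuple

# Windows keeps the hosts file here; on a Windows machine pass it as argv[1].
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Addresses an MVPS-style blocklist uses to sink a hostname. A well-known
# domain mapped to anything else is a redirect, not a block.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into (line, address, hostname) entries.

    Comments (# ...) and blank lines are dropped; a line whose first field
    is not an IP address is skipped rather than raising.
    """
    entries: List[HostsEntry] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append(HostsEntry(n, fields[0], name.lower()))
    return entries


def find_redirects(entries: List[HostsEntry], watch_domains: List[str]) -> List[HostsEntry]:
    """Return entries mapping a watched domain (or a subdomain of it) to a non-sink address."""
    hits: List[HostsEntry] = []
    for e in entries:
        if e.address in SINK_ADDRESSES or e.hostname == "localhost":
            continue
        if any(e.hostname == d or e.hostname.endswith("." + d) for d in watch_domains):
            hits.append(e)
    return hits


def summarize(text: str, watch_domains: List[str]) -> Dict[str, object]:
    """Count entries and sink entries, and list redirects of watched domains."""
    entries = parse_hosts(text)
    blocked = sum(1 for e in entries
                  if e.address in SINK_ADDRESSES and e.hostname != "localhost")
    return {"entries": len(entries), "blocked": blocked,
            "redirects": find_redirects(entries, watch_domains)}


# Constructed sample in the MVPS layout; not a real MVPS download.
SAMPLE_HOSTS = """\
# start of constructed sample
127.0.0.1 localhost
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.fakeav-scanner.example   # constructed blocklist entry
# The next two lines are what a hijack looks like (constructed):
10.0.0.5 www.google.com
10.0.0.5 update.microsoft.com
not-an-ip some.host.example
"""

# Domains an infection would most want to control (constructed list).
WATCHED_DOMAINS = ["google.com", "microsoft.com", "symantec.com", "bleepingcomputer.com"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    report = summarize(text, WATCHED_DOMAINS)
    print(f"{report['entries']} entries, {report['blocked']} sink entries")
    for e in report["redirects"]:
        print(f"line {e.line_no}: {e.hostname} -> {e.address}  (redirect, not a block)")
```

Run it with no argument to see the constructed sample, or with the path of a real hosts file. A large MVPS file should produce thousands of sink entries and no redirects; any line it reports as a redirect deserves a look before trusting that machine's name resolution.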



#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:48 PM

Posted 18 May 2010 - 06:23 PM

Hello,

QUOTE
-FIREWALLS. I'm using the standard Windows Firewall, and a DLink Wireless Hub that also provides a hardware firewall. I'll read the Firewall Tutorial and see if they can be configured better. I know this is a complicated subject, but I'd appreciate any suggestions.

You actually have another Firewall. SAV10 also has a built in Firewall.
CODE
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

There is your other Firewall.


QUOTE
WINDOWS UPDATES. Automatic updates are turned on. Isn't that the same as going to update.microsoft.com?

Yes, that is ok. We just have users go to update their machine because a lot of these infections disable Windows Update. Then after we get your machine clean it works again.

QUOTE
--SAV10. Symantec Corporate Edition also automatically updates its virus definitions daily. Now, when SAV10 updates its virus definitions, it wants to "repair" the quarantined FakeAV. Should I let it do that, or simply keep it in quarantine?

I would keep it in quarantine.

QUOTE
-ANTI-SPYWARE TOOLS. I'm getting a bit confused about the many anti-spyware tools, and perhaps a bit disappointed in SAV10 letting this virus get through. Can MBAM, SuperAntiSpyware and/or SpywareBlaster co-exist with SAV10? Sounds like more is better.

Multiple antispyware tools are ok. You just don't want multiple antivirus programs. They will conflict with each other.
There is not one single program that picks up every virus, as they are constantly changing. SAV10 is a good AV.

Edited by fireman4it, 18 May 2010 - 06:24 PM.



#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:48 PM

Posted 20 May 2010 - 09:08 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 1-2 days the topic will need to be closed.

Thanks for understanding

With Regards,
fireman4it



#15 paliden

paliden
  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Location:Carlisle, Pa
  • Local time:11:48 PM

Posted 21 May 2010 - 06:14 PM

Fireman,

I don't know what happened??? I just entered a long detailed reply, pressed 'preview post' and 'add reply' and everything disappeared!

Don't close me out. I'll re-enter the post again tonight. Next time, I'll save to notepad before sending.

Regards, Frank