
Dealing with the aftermath of sdra64.exe, bn.exe, etc


This topic is locked
5 replies to this topic

#1 bobbathejobba (Members, 4 posts)

Posted 02 June 2010 - 02:36 PM

A couple of months back I picked up the "Internet Antivirus Pro" virus which slipped past McAfee and dealt with it via StopZilla. But it still kept getting picked up and deleted. No other problems.

However, recently both IE/Firefox either don't open or allow you to open the first page that you go to (however you get there) but then they crash as soon as you go to any other page...
As well as other freezing, non-access (eg CTRL+ALT+DEL often doesn't work) and crashing issues and a very strange font change to the whole of Windows...

Hunting around I found through various forums that my userinit registry key had been altered to:

c:\windows\system32\userinit.exe,c:\documents and settings\localservice\application,c:\documents and settings\localservice\application,c:\windows\temp\bn.exe,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application,C:\Documents and Settings\LocalService\Application

With the use of "Process Explorer" I was able to halt and remove bn.exe and by relabelling the registry key and then restarting I was able to reduce the key to:

c:\windows\system32\userinit.exe

(As previous edits didn't remove the bn.exe)

I also removed the system restore so I didn't keep reinfecting myself - and finally seemed to be getting somewhere. However, IE/Firefox are still not working (despite repeated clean bills of health from McAfee and Stopzilla). Proceeding through the preparation guide, the computer kept crashing to a blue screen when running gmer. By repeatedly using copy and paste to an open WordPad I have managed to get 2½ hrs of it working - it crashed last time in the c:\windows\pchealth folder - possibly because I was trying to do Save As on the text document at the time. So the log is incomplete - if there is a way to start from this location rather than keep repeating until I get beyond 2½ hrs then please do tell.

Attached are the requested files and the log is below.

Thank you ever so much for your help in advance - I will respond as quickly as I can (given that I have to use another computer to be able to access the internet at all).


DDS (Ver_10-03-17.01) - NTFSx86
Run by John at 13:17:36.62 on 02/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1527.481 [GMT 1:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
svchost.exe "C:\WINDOWS\system32\00THotkeyt.exe"
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Service\krdevctl.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Toshiba\3GUty\tw3gsvc.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\3GUty\TW3GCTRL.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\STOPzilla!\SZOptions.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: SrchHook Class: {f4f10c1d-87c7-404a-b4b3-000000000000} - c:\progra~1\dap\SBSearch.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: SBCONVERT Class: {31b27f2d-6bc6-451b-b3d2-4eab36b2fc3b} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [{897095E4-B4F1-82F5-9B8C-ACD657C2DD95}] "c:\documents and settings\john\application data\hituhu\izib.exe"
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TRot.exe] c:\program files\toshiba\toshiba rotation utility\TRot.exe
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Kraidman] c:\program files\toshiba\toshiba raid\console\Kraidman.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [TOSHIBA_3G_UTY] c:\program files\toshiba\3guty\TW3GCTRL.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nonep] c:\windows\temp\26.tmp
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\docume~1\john\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: psfus - psqlpwd.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: TosBtNP - TosBtNP.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: TSigNP - TSigNP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\e7lpqbiy.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\e7lpqbiy.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-2-24 173328]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-27 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-1-31 6144]
R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-1-14 72992]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.SYS [2006-9-27 5888]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-8-22 353672]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2008-11-21 1078560]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-2-24 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-2-24 33024]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-8-22 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-2-24 3456]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.EXE [2006-9-27 114688]
R2 TW3GSVC;TW3GService;c:\program files\toshiba\3guty\tw3gsvc.exe [2006-9-27 65536]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-1-31 35968]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-8-22 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-8-22 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-8-22 168776]
R3 NWTshModem;Novatel Wireless Broadband Modem Driver;c:\windows\system32\drivers\nwtshmdm.sys [2006-1-6 77056]
R3 NWTshPort;Novatel Wireless Broadband Status Port Driver;c:\windows\system32\drivers\nwtshser.sys [2006-1-6 77056]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [2008-8-23 60255]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2006-1-31 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2006-9-27 595072]
R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2006-1-31 14208]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S2 AlerterCryptSvc;Alerter AlerterCryptSvc;c:\windows\system32\aaaamonz.exe srv --> c:\windows\system32\aaaamonz.exe srv [?]
S2 AlerterTrkWks;Alerter AlerterTrkWks;c:\windows\system32\00thotkeyt.exe srv --> c:\windows\system32\00THotkeyt.exe srv [?]
S2 ALGbckwfs;Application Layer Gateway Service ALGbckwfs;c:\windows\system32\activedsj.exe srv --> c:\windows\system32\activedsj.exe srv [?]
S2 CiSvcBITS;Indexing Service CiSvcBITS;c:\windows\system32\admparsex.exe srv --> c:\windows\system32\admparsex.exe srv [?]
S2 COMSysAppAlerterCryptSvc;COM+ System Application COMSysAppAlerterCryptSvc;c:\windows\system32\1031k.exe srv --> c:\windows\system32\1031k.exe srv [?]
S2 dmadminhelpsvc;Logical Disk Manager Administrative Service dmadminhelpsvc;c:\windows\system32\actxprxyv.exe srv --> c:\windows\system32\actxprxyv.exe srv [?]
S2 EvtEngAudioSrv;Intel® PROSet/Wireless Event Log EvtEngAudioSrv;c:\windows\system32\adsldpch.exe srv --> c:\windows\system32\adsldpch.exe srv [?]
S2 IDriverTMSDTC;InstallDriver Table Manager IDriverTMSDTC;c:\windows\system32\2052qs.exe srv --> c:\windows\system32\2052qs.exe srv [?]
S2 SwPrvose;MS Software Shadow Copy Provider SwPrvose;c:\windows\system32\adsndsf.exe srv --> c:\windows\system32\adsndsf.exe srv [?]
S2 VSSCFSvcs;Volume Shadow Copy VSSCFSvcs;c:\windows\system32\adptiff.exe srv --> c:\windows\system32\adptiff.exe srv [?]
S2 WudfSvcDhcp;Windows Driver Foundation - User-mode Driver Framework WudfSvcDhcp;c:\windows\system32\adptifc.exe srv --> c:\windows\system32\adptifc.exe srv [?]
S3 mfefeatk01;McAfee Inc.;\Device\mfefeatk01.sys --> \Device\mfefeatk01.sys [?]
S3 QuarticsWP;QuarticsWP_Display_Driver;c:\windows\system32\drivers\quarticswp.sys --> c:\windows\system32\drivers\QuarticsWP.sys [?]
S3 QuarticsWPMirror;QuarticsWPMirror_Display_Driver;c:\windows\system32\drivers\quarticswpmirror.sys --> c:\windows\system32\drivers\QuarticsWPMirror.sys [?]
S3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2008-8-23 653704]

=============== Created Last 30 ================

2010-06-02 11:50:31 600 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-06-02 11:42:05 848 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-06-02 10:36:39 0 ----a-w- c:\documents and settings\john\defogger_reenable
2010-05-19 14:33:46 125 ----a-w- c:\windows\system32\AddPort.ini
2010-05-19 14:31:28 1078 ------w- c:\windows\hp.ico
2010-05-19 14:29:52 0 d-----w- c:\temp\HP JetDirect
2010-05-13 08:21:13 0 d-----w- c:\program files\common files\xing shared
2010-05-13 08:18:11 107864 ----a-w- c:\windows\system32\tsccvid.dll
2010-05-13 08:18:10 0 d-----w- c:\windows\system32\QuickTime
2010-05-13 08:17:15 0 d-----w- c:\program files\common files\TechSmith Shared
2010-05-06 08:01:01 917446 --sha-w- c:\windows\system32\AdobePDFvb.sys
2010-05-04 16:09:29 59 ----a-w- c:\windows\cdplayer.ini

==================== Find3M ====================

2010-06-01 10:16:39 1396736 ---ha-w- C:\SZKGFS.dat
2010-03-22 14:20:38 46116 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 18:16:42 17408 ----a-r- c:\windows\system32\SZIO5.dll
2010-03-05 18:14:16 442368 ----a-r- c:\windows\system32\SZBase5.dll
2010-03-05 18:13:44 540672 ----a-r- c:\windows\system32\SZComp5.dll

============= FINISH: 13:18:46.54 ===============


Edited by bobbathejobba, 02 June 2010 - 03:38 PM.



#2 bobbathejobba (Topic Starter, Members, 4 posts)

Posted 05 June 2010 - 02:01 PM

I have run malwarebytes which detected and removed 19 infections.

Log attached.

Still issues - sometimes the blue task bar is grey with a different font, wireless sometimes just never connects, sometimes it says I have no sound card installed...

Very sad....


#3 bobbathejobba (Topic Starter, Members, 4 posts)

Posted 05 June 2010 - 02:03 PM

I have run malwarebytes which detected and removed 19 infections.

Log attached.

Still issues - sometimes the blue task bar is grey with a different font, wireless sometimes just never connects, sometimes it says I have no sound card installed and still not able to open any other webpages when I do get a connection...

Very sad....




#4 Blade81, Bleepin' Rocker (Malware Response Team, 6,465 posts, Finland)

Posted 06 June 2010 - 06:31 AM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 bobbathejobba (Topic Starter, Members, 4 posts)

Posted 06 June 2010 - 12:52 PM

Thanks ever so much for your honesty. OK, I have contacted the financial institutions, reset all my internet passwords and cancelled my bank cards.

I will also reformat the whole thing from scratch - should be OK doing this.

Thank you ever so much for your time I really appreciate it.

Please consider this topic closed.

#6 Blade81, Bleepin' Rocker (Malware Response Team, 6,465 posts, Finland)

Posted 06 June 2010 - 12:58 PM

Ok. Thanks for letting us know. Topic is closed now.





