Infected with unknown virus - Pop ups and redirects


This topic is locked
27 replies to this topic

#1 Leut
Posted 10 July 2010 - 12:04 AM

About 2 weeks ago I noticed the virus. McAfee supposedly detected and removed it (possibly Vundo?) but the virus re-appeared. Loaded Malware Bytes, ran scan, virus found and supposedly removed, re-appeared. Malware Bytes found viruses and removed them for a while, but then no longer detected the virus. Pop-ups and redirects continued. Loaded Avast. Scan found virus, but virus re-appeared. Did boot-scan with Avast, found viruses, but they kept re-appearing. Unfortunately I did not write down the viruses. Loaded Ad-Aware because a friend says it sometimes catches bugs others do not. Ad-Aware did detect viruses and by this time I was writing them down. Ad-Aware showed fraudtool.win\, trojan.win32.generic!bt, and win32.adware.abetterinternet. Ad-Aware supposedly removed the virus but it persisted, and the last time I scanned with Ad-Aware it found nothing.

I tried doing a Windows Update but it is disabled. I tried doing a Windows restore but that did not help. I tried booting in Safe Mode to scan in Safe Mode but got a blue screen that says SAFEMODE FAILS....... STOP: 0x0000007B (0xF7C2F524, 0xC0000034, 0x00000000, 0x00000000) and it says to check for viruses and run CHKDSK /F.

I then found this website. I have backed up data, Enabled E-mail Notification, Enabled Windows Firewall, Disabled CD Emulation with Defogger, downloaded the DDS tool and ran it. However, I had problems running GMER. The first time my PC rebooted but got hung up during reboot. The next two times it began to scan but then locked up. Also, I keep getting Ad-Watch alerts that it is blocking svchost.exe from connecting to a malicious website.

Please help. Thank you for your time.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris Leuthauser at 22:41:40.78 on Fri 07/09/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.241 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Documents and Settings\Chris Leuthauser\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE"
mRun: [CTHelper] CTHELPER.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [notepad]
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imaget~1.lnk - c:\program files\sony corporation\image transfer\SonyTray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: mcafee.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} - hxxps://firepass.hunter.com/vdesk/terminal/urxvpn.cab#version=6031,2009,1010,313
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://firepass.hunter.com/vdesk/terminal/f5tunsrv.cab#version=6031,2009,1010,310
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://firepass.hunter.com/vdesk/terminal/InstallerControl.cab#version=6031,2009,1010,0312
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} - hxxps://firepass.hunter.com/vdesk/terminal/urTermProxy.cab#version=6010,2007,0223,0314
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221406654468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1239573228829&h=47c32315b3cf527f713326d398b70679/&filename=jinstall-6u13-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://firepass.hunter.com/vdesk/terminal/urxshost.cab#version=6031,2009,1010,308
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://firepass.hunter.com/vdesk/terminal/urxhost.cab#version=6031,2009,1010,304
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chrisl~1\applic~1\mozilla\firefox\profiles\5vteobx0.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\chris leuthauser\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-6 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-6 165456]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 214664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-6 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-6 1352832]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-3-10 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-10 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-10 144704]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-7-6 40384]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-10 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-10 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-10 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-10 40552]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\covpndrv.sys [2009-10-9 33920]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-9-18 10752]
S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2006-3-28 9312]

=============== Created Last 30 ================

2010-07-10 03:37:58 0 ----a-w- c:\documents and settings\chris leuthauser\defogger_reenable
2010-07-07 05:00:47 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-07 03:00:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-07 03:00:18 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-07 02:56:37 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{65893B95-F47B-4483-B883-86BA181E9B54}
2010-07-07 02:56:04 0 d-----w- c:\program files\Lavasoft
2010-07-07 02:17:27 38848 ----a-w- c:\windows\avastSS.scr
2010-07-07 01:34:43 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-07 01:33:57 0 d-----w- c:\program files\Microsoft
2010-07-07 01:33:54 0 d-----w- c:\program files\VIVA Media
2010-07-07 01:33:40 0 d-----w- c:\program files\common files\PDFView
2010-07-07 01:33:35 0 d-----w- c:\windows\system32\Color
2010-07-07 01:33:35 0 d-----w- c:\program files\NewSoft
2010-07-07 01:33:17 0 d-----w- c:\program files\TaxCut07
2010-07-07 01:33:16 0 d-----w- c:\program files\TaxCut06
2010-07-07 01:33:14 0 d-----w- c:\program files\TaxCut05
2010-07-07 01:33:14 0 d-----w- c:\program files\TaxCut04
2010-07-07 01:33:11 0 d-----w- c:\program files\TaxCut08
2010-07-07 01:07:27 0 d-----w- c:\program files\Mozilla Firefox(2)
2010-07-07 00:50:56 0 d-----w- c:\documents and settings\chris leuthauser\IETldCache
2010-07-05 14:51:04 0 d-----w- c:\program files\Trend Micro
2010-07-04 16:39:53 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-07-04 05:09:20 16384 ---ha-w- C:\SZKGFS.dat
2010-07-04 05:06:37 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-04 05:06:00 0 d-----w- c:\program files\common files\iS3
2010-07-04 05:05:59 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-04 01:31:50 0 ----a-w- c:\program files\extra3.dat
2010-06-27 15:09:05 0 d-----w- c:\docume~1\chrisl~1\applic~1\Malwarebytes
2010-06-27 15:08:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-27 15:08:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-27 15:08:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-27 15:08:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-06-27 04:10:41 120 ----a-w- c:\windows\Kcavas.dat
2010-06-27 04:10:41 0 ----a-w- c:\windows\Vbiyinaqafotoc.bin
2010-06-27 04:09:52 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2010-06-27 04:09:52 38912 ----a-w- c:\windows\system32\dllcache\avc.sys

==================== Find3M ====================

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 11:43:25 634656 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2006-03-16 05:31:24 104 --sh--r- c:\windows\system32\0BAF847EA9.sys
2007-05-16 04:43:27 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-08-26 05:27:09 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082620080827\index.dat

============= FINISH: 22:43:33.04 ===============



#2 m0le
Malware Response Team, London, UK
Posted 12 July 2010 - 06:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either McAfee or Avast. I suggest you remove Avast in this case.

Uninstall Ad-Aware, we will replace this with a better antispyware later.

Now try running Gmer but with only the SECTIONS option checked.

m0le is a proud member of UNITE
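The DDS report in post #1 and the one-resident-scanner point in post #2 are both things a responder reads straight off the log. What follows is an added example in Python written for this page; it is not code from the thread, from BleepingComputer, or from the DDS tool. It parses the line formats visible in the posted report (the AV:/FW: header, TB:/BHO: entries, uRun/mRun values and the dated file listings) and emits review hints: two products with on-access scanning enabled, a toolbar or BHO entry whose path reads "No File", an empty or unqualified Run value, hidden- or system-attributed files, and loose .dat/.bin files directly under c:\windows. The sample lines are copied from the log above; the category names and the choice of heuristics are the example's own, and a hit is a prompt to look, not a verdict.

```python
"""Triage heuristics over a DDS-style log.

Added example: not part of the BleepingComputer thread and not code from the
DDS tool. It reads the report formats visible in the posted log and emits
review hints; a hit means "look at this", not "this is malware".
"""
import re
from collections import Counter

# Constructed excerpt: lines copied from the DDS log posted above, chosen so
# that each heuristic below fires at least once.
SAMPLE_LOG = r"""
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [CTHelper] CTHELPER.EXE
mRun: [notepad]
2010-07-07 03:00:27 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-04 05:09:20 16384 ---ha-w- C:\SZKGFS.dat
2010-06-27 04:10:41 120 ----a-w- c:\windows\Kcavas.dat
2010-06-27 04:10:41 0 ----a-w- c:\windows\Vbiyinaqafotoc.bin
2010-06-27 04:09:52 38912 ----a-w- c:\windows\system32\drivers\avc.sys
2006-03-16 05:31:24 104 --sh--r- c:\windows\system32\0BAF847EA9.sys
"""

AV_RE = re.compile(r"^AV: (.+?) \*On-access scanning enabled\*")
ORPHAN_RE = re.compile(r"^(?:TB|BHO|EB): .* - No File$")
RUN_RE = re.compile(r"^[um]Run: \[([^\]]+)\]\s*(.*)$")
# "2010-07-04 05:09:20 16384 ---ha-w- C:\SZKGFS.dat": date, time, size, attrs, path.
# The 8-char attribute field uses d/c/s/h/a/r/w or '-' (d = directory, h = hidden, s = system).
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+([-a-z]{8})\s+(.+)$")


def _file_entry(line):
    """Parse one 'Created Last 30' / 'Find3M' listing line, or return None."""
    m = FILE_RE.match(line)
    if not m:
        return None
    _, size, attrs, path = m.groups()
    return {"size": int(size), "attrs": attrs, "path": path, "is_dir": attrs[0] == "d"}


def triage(log_text):
    """Return a list of (category, line) review hints for a DDS log."""
    findings = []
    realtime_av = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = AV_RE.match(line)
        if m:
            realtime_av.append(m.group(1))
            continue
        if ORPHAN_RE.match(line):
            # Registry still references a CLSID whose DLL is gone.
            findings.append(("orphaned_registry_entry", line))
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group(2).strip()
            if not cmd:
                findings.append(("empty_run_value", line))
            elif "\\" not in cmd.split()[0].strip('"'):
                # Bare image name: resolved through the PATH search order at logon.
                findings.append(("unqualified_run_command", line))
            continue
        entry = _file_entry(line)
        if entry and not entry["is_dir"]:
            attrs, path = entry["attrs"], entry["path"].lower()
            parent, _, name = path.rpartition("\\")
            if "h" in attrs or "s" in attrs:
                findings.append(("hidden_or_system_file", line))
            if parent == "c:\\windows" and name.endswith((".dat", ".bin")):
                findings.append(("loose_data_file_in_windows_root", line))
    if len(realtime_av) > 1:
        # The conflict described in post #2: two resident scanners at once.
        findings.append(("multiple_realtime_av", "; ".join(realtime_av)))
    return findings


def summarize(log_text):
    """Count hints per category (handy for a quick first look at a long log)."""
    return Counter(cat for cat, _ in triage(log_text))


if __name__ == "__main__":
    for cat, line in triage(SAMPLE_LOG):
        print(f"{cat:34} {line}")
```

Run it directly to print the hints for the embedded excerpt, or pass the text of a full DDS log to triage(). On the excerpt the loose-file and hidden-file checks pick out the two entries created at 2010-06-27 04:10 and the hidden 16 KB file in the drive root; the avc.sys driver created in the same minute is not flagged by these rules, which is the limit of listing-based heuristics: a driver in its expected location needs a hash or signature check rather than a path check.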

#3 Leut
Posted 13 July 2010 - 08:29 AM

Thank you m0le!

I just got to work and this problem is with my home PC. I will perform the steps requested as soon as I get home tonight. You recommend only running one anti-virus program at a time and recommend that I remove Ad-Aware as well as Avast or McAfee. During my frustrating attempt to remove this virus, I also loaded Malware Bytes but I do not believe the free version has real-time scanning. I have had a paid subscription for McAfee so I will remove Avast and uninstall Ad-Aware. Should I also remove Malware Bytes or leave it alone?

#4 Leut
Posted 13 July 2010 - 12:35 PM

Just a clarification: When you indicate to re-run Gmer but this time only check "Sections", I am supposed to also leave the "C:" box and the "ADS" box checked correct? Or uncheck both of those as well?

#5 m0le
Posted 13 July 2010 - 05:23 PM

Leave MBAM - you are right, it has no realtime protection in its free version, and we may be using it later.

Just to clarify, leave the other boxes you mention, but the list of scanning areas should only have Sections checked.

#6 Leut
Posted 13 July 2010 - 06:57 PM

Uninstalled Avast (Avast said it created system restore point)

Removed Ad-Aware

Rebooted (Avast and Ad-Aware both said it was necessary to complete uninstall)

Computer hung up on reboot, after BIOS screen, before XP screen. Blank screen with cursor in upper left hand corner. Powered down, back up.

Ran Gmer with only Sections checked (successfully this time).

Computer very sluggish after saving ark.txt to desktop. Long hourglass intervals, Firefox unresponsive. CTRL-ALT-DEL did not work.

Powered down, back up.

Attached ark.txt to this post.

Attached File: ark.txt (71.94KB)


#7 m0le
Posted 13 July 2010 - 07:15 PM

The PC seems unstable so we will take it as easy as we can.

Combofix is a powerful tool and may seem to crash during its run but stick with it. Let me know if the PC gives up the ghost during this scan.

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#8 Leut
Posted 13 July 2010 - 08:13 PM

Combofix attempt was not successful.

Everything seemed to be fine until the actual scan started at which point I received the following blue screen:

BAD_POOL_CALLER

Blah...blah...blah

STOP: 0x000000C2 (0x00000007, 0x00000CD4, 0x15FFF44DD, 0x80535819)

I did this twice with the same results.

It was also noted that Firefox kept closing during the beginning of the scan. Not sure if this is normal or not.

#9 m0le
Posted 14 July 2010 - 04:04 PM

Okay, let's try another way in.
  • Download OTLPE Network from either location and save it to your desktop:

    http://oldtimer.geekstogo.com/OTLPENet.exe
    http://ottools.noahdfear.net/OTLPENet.exe

  • Double click the OTLPENet icon on your desktop
  • "Do you want to burn the CD?" choose Yes
  • ImgBurn will automatically extract and load the OTLPENet Iso to be burned to CD
  • Place a blank CD in your CD-ROM drive
  • Click to start the burn process
  • You will see a dialog "Operation successfully completed"
  • Boot the non-working computer using the boot CD you just created
  • In order to do so, the computer must be set to boot from the CD first


  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start
  • Copy and paste the following code into the textbox. Do not include the word "Code"

    Please note: Double click the Firefox Icon on the desktop to connect to this thread if you have a Wired connection otherwise you can use a flash drive and copy this script into a txt file from a clean computer to transfer to this computer.

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    userinit.exe
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  • Push
  • When finished, the file will be saved in drive C:\OTL.txt
  • Please post the contents of the C:\OTL.txt file in your next reply.
  • Copy this file to your USB drive if you do not have an internet connection.

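The /md5start ... /md5stop part of the script above makes OTL hash a fixed set of system files and storage drivers so the responder can compare them with known-good copies. The following is an added example of doing that comparison yourself from a clean boot environment; it is not OTL or OTLPE code and does not come from this thread. It parses the same delimited block, hashes every copy of each listed file found under an offline-mounted Windows volume (system32, drivers, dllcache and so on), compares each hash with a baseline of known-good MD5s taken from a clean machine of the same build, and separately reports files whose on-disk copies disagree with one another, which needs no baseline at all. The mount path, the baseline dictionary and the sample volume built by demo() are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

# Subset of the /md5start block from the OTL script above; the full list is
# parsed the same way.
OTL_MD5_SECTION = """\
/md5start
userinit.exe
eventlog.dll
scecli.dll
netlogon.dll
atapi.sys
iaStor.sys
nvstor.sys
/md5stop
"""


def parse_md5_block(script):
    """Return the file names between /md5start and /md5stop, in order."""
    names, inside = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            names.append(line)
    return names


def md5_of(path):
    """MD5 of a file, read in chunks so large drivers do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, name):
    """Every file called `name` anywhere under root, matched case-insensitively."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def check_volume(root, names, baseline):
    """Hash every copy of every listed file under `root` (an offline-mounted volume).

    baseline maps lower-case file name -> set of known-good MD5 hex digests.
    Returns a dict name -> list of (path, md5, verdict); an empty list means
    no copy of that file was found on the volume."""
    report = {}
    for name in names:
        rows = []
        for path in find_copies(root, name):
            digest = md5_of(path)
            good = baseline.get(name.lower())
            if good is None:
                verdict = "unknown"   # nothing to compare against for this build
            elif digest in good:
                verdict = "ok"
            else:
                verdict = "MISMATCH"  # replaced/patched file, or a baseline from the wrong build
            rows.append((path, digest, verdict))
        report[name] = rows
    return report


def disagreeing_copies(report):
    """Names whose on-disk copies do not all share one hash (for instance a
    modified system32\\drivers copy beside an untouched dllcache copy)."""
    return sorted(n for n, rows in report.items()
                  if len({md5 for _p, md5, _v in rows}) > 1)


def demo():
    """Constructed sample volume (hypothetical): atapi.sys differs between
    drivers\\ and dllcache\\, userinit.exe matches the baseline."""
    root = tempfile.mkdtemp(prefix="offline_vol_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(os.path.join(sys32, "drivers"))
    os.makedirs(os.path.join(sys32, "dllcache"))
    clean = b"clean atapi.sys image"
    patched = b"clean atapi.sys image + modified entry point"
    with open(os.path.join(sys32, "drivers", "atapi.sys"), "wb") as f:
        f.write(patched)
    with open(os.path.join(sys32, "dllcache", "atapi.sys"), "wb") as f:
        f.write(clean)
    with open(os.path.join(sys32, "userinit.exe"), "wb") as f:
        f.write(b"userinit")
    # Baseline as it would be captured from a clean machine of the same build.
    baseline = {"atapi.sys": {hashlib.md5(clean).hexdigest()},
                "userinit.exe": {hashlib.md5(b"userinit").hexdigest()}}
    report = check_volume(root, parse_md5_block(OTL_MD5_SECTION), baseline)
    return report, disagreeing_copies(report)


if __name__ == "__main__":
    report, suspects = demo()
    for name, rows in report.items():
        if not rows:
            print(f"missing  {name}")
        for path, digest, verdict in rows:
            print(f"{verdict:8} {digest} {path}")
    print("copies disagree:", suspects)
```

Run it with the volume mounted read-only from a boot CD or a live USB rather than from the running Windows install, for the same reason the thread moves from ComboFix to OTLPE: an active infection can hide or alter what the live system reports. The "copies disagree" check is the one to trust when no baseline for the exact service pack and hotfix level is available.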

#10 Leut
  • Topic Starter
  • Members
  • 15 posts

Posted 14 July 2010 - 07:57 PM

Everything is going good so far. I have made it to the REATOGO-X-PE desktop. However, I am confused as I double-click the OTLPE icon, but I am not prompted to load remote user profiles for scanning. Instead, I see a DOS-looking screen pop up very briefly (cannot see what it says), and then I get a "Browse For Folder" window with a Choose Windows Directory option with My Computer selected.

I went ahead and hit OK and got a message that said RunScanner Error, No Windows Installations found. Which folder am I supposed to choose?



#11 Leut
  • Topic Starter
  • Members
  • 15 posts

Posted 14 July 2010 - 08:07 PM

Additional Info: If I choose any other folder I get a message that target is not Windows 2000 or later. I looked in the properties of OTLPE and I noticed a Compatibility tab. On that tab is a check box called "Run this program in compatibility mode for...".

The choices are Windows 95, Windows NT, and Windows 2000. Just curious if I need to check this box and if so what to select.

#12 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 July 2010 - 06:56 PM

Choose Windows :)

#13 Leut
  • Topic Starter
  • Members
  • 15 posts

Posted 15 July 2010 - 07:12 PM

Windows is not an option. My options are Windows 95, Windows 98/ME, Windows NT 4.0, Windows 2000. I tried it with all 4 options and the results were all the same. If I choose My Computer it responds with No Windows Installations Found. If I choose any of the drives, it responds Target is not Windows 2000 or later.

I did burn the boot CD from my home (infected) PC because it has a burner while my work PC does not have a burner. Anything else I can try? Or burn another CD from a clean PC?

#14 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 15 July 2010 - 07:20 PM

Oh yes, you must burn the disc from an uninfected PC. :)

#15 Leut
  • Topic Starter
  • Members
  • 15 posts

Posted 16 July 2010 - 06:56 PM

Discarded original CD burned on infected PC. Burned new CD at work on uninfected PC. Successfully booted uninfected PC at work with boot CD and was able to get OTLPE icon to prompt to load remote user profile when scanning.

Brought boot CD home, booted infected PC with CD, got same results as described in prior post. If I choose any other folder I get a message that target is not Windows 2000 or later.



