Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected, Antivirus program spamming and Catalyst Control Center too!


  • This topic is locked This topic is locked
12 replies to this topic

#1 Arclight

Arclight

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 12 September 2010 - 11:04 AM

For some time now, on and off I have been receiving pop ups from some virus that is masking itself as an antivirus software. It pops up every 15 seconds or so until I finally get too frustrated and shut my computer down. It doesn't happen every time that I start up, but often enough to become annoying. In addition I have been receiving strange messages that pop up on my screen when I right click on something it reads as follows:

ATI Catalyst Control Center (I know this is tied into my video card in some way, it's an ATI Radeon Xpress 1100 that's built into the Laptop)
1: The Install Script engine on this machine is older than the version required to run this setup. If available, please install the latest version of ISScript.msi, or contact your support personnel for further assistance.

The thing is that it pops up about once a minute and is very annoy to have to click these two objects closed to continue what I am doing. Any help would be very much appreciated, I've heard from alot of people online that you guys are the ones to go to with problems like this. Anyway here is the DDS.txt file:



DDS (Ver_10-03-17.01) - FAT32x86
Run by Gary Keith at 18:56:41.46 on Sat 09/11/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.457 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Gary Keith\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://global.acer.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://global.acer.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [asam] c:\documents and settings\gary keith\local settings\application data\asam.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [aodqrpho] c:\documents and settings\gary keith\local settings\application data\ndagnotkd\vlbqprpshdw.exe
uRun: [utivkwsj] c:\documents and settings\gary keith\local settings\application data\jjhmgdkmy\ijjupndshdw.exe
uRun: [sypimlvr] c:\documents and settings\gary keith\local settings\application data\ngdacvjhu\swvuuxeshdw.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp]
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [aodqrpho] c:\documents and settings\gary keith\local settings\application data\ndagnotkd\vlbqprpshdw.exe
mRun: [utivkwsj] c:\documents and settings\gary keith\local settings\application data\jjhmgdkmy\ijjupndshdw.exe
mRun: [sypimlvr] c:\documents and settings\gary keith\local settings\application data\ngdacvjhu\swvuuxeshdw.exe
mRunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
dRun: [brastk] c:\windows\system32\brastk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\garyke~1\applic~1\mozilla\firefox\profiles\bbdetyqy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-30 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-30 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-30 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-30 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-30 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-30 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-30 40552]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-11 136176]
S3 jatmlano;jatmlano;\??\c:\docume~1\garyke~1\locals~1\temp\jatmlano.sys --> c:\docume~1\garyke~1\locals~1\temp\jatmlano.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-30 34248]

=============== Created Last 30 ================

2010-09-12 00:19:28 10 ----a-w- c:\windows\WININIT.INI
2010-09-12 00:16:48 0 d-----w- c:\windows\system32\appmgmt
2010-09-12 00:16:47 0 d-----w- c:\windows\SxsCaPendDel
2010-09-08 02:56:18 0 d-sh--w- C:\FOUND.004
2010-08-16 15:27:11 8868 ----a-w- c:\documents and settings\gary keith\.recently-used.xbel

==================== Find3M ====================

2010-07-27 06:30:36 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-16 00:11:36 108668 ----a-w- c:\windows\hpoins08.dat
2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:36 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-25 00:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:04 916480 ------w- c:\windows\system32\wininet.dll
2010-06-24 12:22:04 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2010-06-24 12:22:04 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:02 5951488 ------w- c:\windows\system32\dllcache\mshtml.dll
2010-06-24 12:22:02 1210368 ------w- c:\windows\system32\dllcache\urlmon.dll
2010-06-24 12:22:00 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:22:00 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2010-06-21 15:27:12 354304 ------w- c:\windows\system32\dllcache\srv.sys
2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\dllcache\msxml3.dll
2009-06-08 20:43:24 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 18:57:14.42 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:04:30 AM

Posted 17 September 2010 - 01:17 PM


Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Arclight

Arclight
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 20 September 2010 - 06:47 PM

Sorry it took so long for me to get this sent in, I tried 4 times now to get a GMER log but for some reason it won't complete and freezes the computer. Any help with this would be greatly appreciated, but I hope that some headway can be made in the meantime while I work to get a usable GMER log.


DDS (Ver_10-03-17.01) - FAT32x86
Run at 17:13:45.57 on Sun 09/19/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.376 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Gary Keith\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://global.acer.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://global.acer.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [asam] c:\documents and settings\gary keith\local settings\application data\asam.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [aodqrpho] c:\documents and settings\gary keith\local settings\application data\ndagnotkd\vlbqprpshdw.exe
uRun: [utivkwsj] c:\documents and settings\gary keith\local settings\application data\jjhmgdkmy\ijjupndshdw.exe
uRun: [sypimlvr] c:\documents and settings\gary keith\local settings\application data\ngdacvjhu\swvuuxeshdw.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp]
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [<NO NAME>]
mRun: [Acer ePresentation HPD] c:\acer\empowering technology\epresentation\ePresentation.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Boot] c:\acer\empowering technology\epower\Boot.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [utivkwsj] c:\documents and settings\gary keith\local settings\application data\jjhmgdkmy\ijjupndshdw.exe
mRun: [sypimlvr] c:\documents and settings\gary keith\local settings\application data\ngdacvjhu\swvuuxeshdw.exe
dRun: [brastk] c:\windows\system32\brastk.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acerem~1.lnk - c:\acer\empowering technology\Acer.Empowering.Framework.Launcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\garyke~1\applic~1\mozilla\firefox\profiles\bbdetyqy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 214664]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-30 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-30 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-30 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-30 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-30 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-30 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-30 40552]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-11 136176]
S3 jatmlano;jatmlano;\??\c:\docume~1\garyke~1\locals~1\temp\jatmlano.sys --> c:\docume~1\garyke~1\locals~1\temp\jatmlano.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-30 34248]

=============== Created Last 30 ================

2010-09-12 00:19:28 10 ----a-w- c:\windows\WININIT.INI
2010-09-12 00:16:48 0 d-----w- c:\windows\system32\appmgmt
2010-09-12 00:16:47 0 d-----w- c:\windows\SxsCaPendDel
2010-09-08 02:56:18 0 d-sh--w- C:\FOUND.004

==================== Find3M ====================

2010-07-27 06:30:36 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
2010-07-16 00:11:36 108668 ----a-w- c:\windows\hpoins08.dat
2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 12:31:36 149504 ------w- c:\windows\system32\dllcache\schannel.dll
2010-06-25 00:51:58 11077120 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-06-24 12:22:04 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-06-24 12:22:00 599040 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-24 12:22:00 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-24 12:21:58 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-24 12:21:58 1986560 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-06-24 12:21:56 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
2009-06-08 20:43:24 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

============= FINISH: 17:14:44.00 ===============

Attached Files


Edited by Arclight, 21 September 2010 - 04:05 PM.


#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:30 AM

Posted 23 September 2010 - 07:39 AM

Hi Arclight,



Welcome to BleepingComputer Virus, Trojan, Spyware, and Malware Removal Logs Forum. welcome.gif
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1

Please download Malwarebytes' Anti-Malware from Here or Here
  1. Double Click mbam-setup.exe to install the application.
  2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  3. If an update is found, it will download and install the latest version.
  4. Once the program has loaded, select "Perform Quick Scan", then click Scan.
  5. The scan may take some time to finish,so please be patient.
  6. When the scan is complete, click OK, then Show Results to view the results.
  7. Make sure that everything is checked, and click Remove Selected.
  8. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  9. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.or you can find from here:
  10. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  11. You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


Step2
  1. Please download OTL and save it to your desktop.
  2. Double click on the icon on your desktop.
  3. Click the "Scan All Users" checkbox.
  4. Click the "Quick Scan" button.
  5. Two reports will open, OTListIt.txt <-- Will be opened and Extra.txt <-- Will be minimized
  6. Copy and paste both logs back here in your next reply.
After that, you may install the latest version of ISScript.msi as instructed from Here



In your next reply, please post back:

1.MBAM log
2.OTListIt.txt and Extra.txt

Please detail the problems you're still experiencing now.

Edited by sundavis, 23 September 2010 - 07:46 AM.


#5 Arclight

Arclight
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 23 September 2010 - 10:57 AM

Alright I ran MBAM and OTL, here are the logs for those:

As for symptoms I haven't seen any since I ran MBAM but only time will truly tell. Appreciate the help so far!

Attached Files



#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:30 AM

Posted 23 September 2010 - 12:05 PM

Hi Arclight,



Step1
  1. Please start OTL on your desktop.
  2. Under the Custom Scans/Fixes box at the bottom, copy/paste the following contents of code box.

    CODE
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - SITEguard - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    O4 - HKLM..\Run: [LaunchApp]  File not found
    O4 - HKLM..\Run: [sypimlvr] C:\Documents and Settings\Gary Keith\Local Settings\Application Data\ngdacvjhu\swvuuxeshdw.exe File not found
    O4 - HKLM..\Run: [utivkwsj] C:\Documents and Settings\Gary Keith\Local Settings\Application Data\jjhmgdkmy\ijjupndshdw.exe File not found
    O4 - HKU\.DEFAULT..\Run: [brastk] C:\WINDOWS\System32\brastk.exe File not found
    O4 - HKU\S-1-5-18..\Run: [brastk] C:\WINDOWS\System32\brastk.exe File not found
    O4 - HKU\S-1-5-21-3409914777-2419526302-3600208393-1005..\Run: [aodqrpho] C:\Documents and Settings\Gary Keith\Local Settings\Application Data\ndagnotkd\vlbqprpshdw.exe File not found
    O4 - HKU\S-1-5-21-3409914777-2419526302-3600208393-1005..\Run: [sypimlvr] C:\Documents and Settings\Gary Keith\Local Settings\Application Data\ngdacvjhu\swvuuxeshdw.exe File not found
    O4 - HKU\S-1-5-21-3409914777-2419526302-3600208393-1005..\Run: [utivkwsj] C:\Documents and Settings\Gary Keith\Local Settings\Application Data\jjhmgdkmy\ijjupndshdw.exe File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    :Files
    C:\WINDOWS\tasks\At*.job
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\tsbjxwdra
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\ngdacvjhu
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\jjhmgdkmy
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\ndagnotkd
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\tsbjxwdra
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\vsylbsaib
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\ojnwdhxnt
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\opdeaacdi
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\axyffryqw
    C:\Documents and Settings\All Users\Application Data\woti.sys
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\zatim._sy
    C:\WINDOWS\byxuxi.dll
    C:\Documents and Settings\All Users\Application Data\mywugotogy.bin
    C:\Documents and Settings\Gary Keith\Application Data\hozobyzozu.pif
    C:\Documents and Settings\Gary Keith\Application Data\uvaxu.dat
    C:\Documents and Settings\Gary Keith\Application Data\xebawabox.dat
    C:\Documents and Settings\All Users\Application Data\akykofilod.dat
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\usalalak.dll
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\umikipirud.dl
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    C:\Documents and Settings\Gary Keith\Local Settings\Application Data\fusioncache.dat

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [resethosts]
    [start explorer]
    [Reboot]
  3. Click Run Fix button on the top.
  4. Click OK and let it run unhindered.
  5. OTL will ask to reboot the machine. Please OK the prompt.
  6. A report will open. Copy and Paste that report in your next reply.


Step2
  1. If you already have Combofix, please delete that copy and download it again as it's being updated regularly.
  2. Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  3. Note: CombFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  4. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.
  5. Click Yes to allow Combofix to continue scanning for malware.
  6. When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.
  7. Do not mouse click on Combofix while it is running. That may cause it to stall.


Step3

Go to Start>Run>type cmd, A window will come up. In the window, Type chkdsk c: /F

System will have message saying:Chkdsk cannot run because the volume is in use by another process.Would you like to schedule this volume to be checked the next time the system restarts?(y/n)

Type Y. Reboot the system. It will make repairs when it reboots. After that, Please repeat with the following command-->chkdsk c: /R



In your next reply, please post back:

1.OTL delete log
2.ComboFix log

Let me know if you have any remaining issues on your pc.

#7 Arclight

Arclight
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 23 September 2010 - 04:03 PM

Alright I ran Combofix and OTL as well as using the Checkdisk through the command console. Here are the logs, I don't see anything outright that is still affecting the computer in question.

Edit: I take that back, after putting the IS Script.msi in I'm still getting problems whenever I right click on the desktop. It pops up the same error as before. I just ran the script from the desktop, was I supposed to do it from the Catalyst Control Center folder perhaps?

Attached Files


Edited by Arclight, 23 September 2010 - 04:09 PM.


#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:30 AM

Posted 23 September 2010 - 04:44 PM

Hi Arclight,




QUOTE
I take that back, after putting the IS Script.msi in I'm still getting problems

You should uninstall it completely via Add/Remove Programs, reboot your pc, and reinstall the update version afterwards. For more info: Here and Here .

QUOTE
I don't see anything outright that is still affecting the computer in question

That sounds good. thumbup2.gif We need to scan the remnants with Kas Online Scanner. It will take some time to run the full course. Please be patient and do the following:

Please uninstall outdated java via Add/Remove Programs (Java™ 6 Update 2). Go into the Control Panel (Classic View) and double-click the Java Icon. (looks like a coffee cup)

On the Update tab, click on Update Now buttons. When done, press Apply and OK the button. Then clear your java cache as instructed in this thread .



Step1
  1. Close any open browsers
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  3. Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
CODE
Driver::
jatmlano

Firefox::
FF - ProfilePath - c:\documents and settings\Gary Keith\Application Data\Mozilla\Firefox\Profiles\bbdetyqy.default\
FF - prefs.js: network.proxy.type - 4

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Step2

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step3

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  1. Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  2. Click Accept button on the "Requirements and limitations".
  3. When Java warning " The applcation digital signature has been verified. Do you want to run the application " appears, Click on "Run" button.
  4. It will be Downloading and installing the program and Updating the database.
  5. When Updating the database have finished, click on Settings.
  6. Make sure all boxes are checked. then click on the Save button.
  7. Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  8. Once the scan is completed, Click on View Scan Report.
  9. You may see a list of infected items over there. Click on Save Report As.
  10. Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  11. Please post the contents in your next reply.
  12. You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.



In your next reply, please post back:

1.ComboFix log
2.Kas Onine Scanner Report


Let me know if you still have any remaining concerns on your pc.

Edited by sundavis, 23 September 2010 - 04:58 PM.


#9 Arclight

Arclight
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 30 September 2010 - 04:42 PM

Alright, looks like the script is fixed now, went ahead with your instructions and the Combifix log is attached. As for the online scanner, it won't update which is stopping me to be able to complete the scan, let it sit for 3 hours waiting for it to update and it never moved. Anyhow hopefully there is something I can do instead of this scanner, or some way to fix the scanner. Thanks again for the help!

Attached Files

  • Attached File  log.txt   18.96KB   1 downloads


#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:30 AM

Posted 30 September 2010 - 06:38 PM

Hi Arclight,


Ok, try the Eset Online Scanner instead.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
  7. Wait for the scan to finish
  8. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  9. Copy and paste that log as a reply to this topic.


#11 Arclight

Arclight
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:12:30 AM

Posted 02 October 2010 - 05:44 PM

Here is the scan from the ESET Online Scanner:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=fb69950b79c0dc49863b08643a1b19e8
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-10-02 10:42:27
# local_time=2010-10-02 03:42:27 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776533 100 96 19526206 59718578 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=57094
# found=4
# cleaned=4
# scan_time=3137
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR9.tmp Win32/Qhost trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP145\A0102539.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP145\A0102540.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\system volume information\_restore{099D30DC-C26B-4E90-9285-C34D0601D32B}\RP145\A0102541.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


#12 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:30 AM

Posted 02 October 2010 - 05:48 PM

Hi Arclight,




Looks good. thumbup2.gif Your log appears clean now. If you have no remaning issues on your pc, let do some tidy up and you should be good to go.


Step1

Click START then RUN
Now copy/paste ComboFix /Uninstall in the runbox and click OK.
Note the space between the X and the /Uninstall, it needs to be there.



This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Step2

Start OTL from your desktop.
  1. Double click OTL and let it run
  2. Then Click the Cleanup button.
  3. You will get a prompt saying "Being Cleanup Process". Please select Yes.
  4. Restart your computer when prompted.


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  2. Update all programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

  3. Backup your valid registry -ERUNT (Emergency Recovery Utility NT) allows you to store a complete backup of your registry and restore if needed. Due to malware affects, a corrupt registry can prevent a system from booting. You're well advised to backup your valid registry while the system is clean now. For more info: Here and Here .


Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information Here how to prevent Malware.


Glad to be of help. Safe surfing!!

#13 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:03:30 AM

Posted 03 October 2010 - 03:06 PM

Since this issue appears resolved ... this Topic is closed.

Glad to have helped.

Everyone else please begin a New Topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users