
Suspected Rootkit Virus on WinXP SP3 is Serious


79 replies to this topic

#1 Grateful Gal

Grateful Gal

  • Members
  • 46 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:59 PM

Posted 09 December 2010 - 02:32 PM

Hi Gang -- I've been reading/researching/troubleshooting on my own for weeks because I know you're so busy, but must now trouble you with the mystery that plagues me.

Per my profile, I'm talking about my WinXP home SP3 (Dell Vostro 200), Intel Core 2 Duo, 2 GB RAM, using MS Firewall & MS Security Essentials (replaced McAfee), currently working in "debugger mode" (whatever that is) after restarts failed last night & today. I've been computing since DOS prompts in '86 and have a highly tweaked system, but you'll see the old warning is true: I know just enough to be dangerous. I beg for mercy, I'm sorry because I'm sure I've brought this on myself, but everything was perfect... until it wasn't.

I'm connected by wireless to my cable router in the next room. This is my small biz machine used for Everything, but I understand to stop trying fixes once I ask you for help. HELP!

Please find:
1) Introduction to the problem (actions/symptoms)
2) Problems met while working through your checklist
3) Pasted dds.txt log
4) Attached attach.txt

NOTE: the GMER scan would not complete -- details below.


1) INTRO: actions/symptoms
I read & (foolishly) believed I didn't need all this stuff called .NET and had RevoUninstaller pull it off. Then in April I had a trojan, found & deleted it -- but only after manually downloading the definitions to SuperAntiSpyware -- I could not connect to any A/V update sites... Then minor troubles and smarter advice convinced me to reinstall it using XP TCP/IP Repair, reinstalled all service packs/patches, etc. Auto-updates for security, clean virus scans, fine.
But soon, my TweetDeck updated and refused to connect. Then my beloved Firefox updated and refused to connect. Chrome wouldn't connect. Safari was hit or miss, so I had to use the dreaded IE8 to research what was wrong.
Then my PCMatic wouldn't connect; again, my Malwarebytes and AVZ Toolkit wouldn't update definitions; NONE of my A/V programs would connect to update, new A/V programs wouldn't download! Even though I was online for non-A/V stuff just fine. Even pages on MS's site (like your like "how to backup easy") came up blank. It sounds nuts, but it seemed like topic-specific blocking was going on.

I kept getting a "svchost" error, and a "memory can't be written" error to click OK to every start-up (which is slow.)

Connections and downloads of any program updates became unreliable; spinning noises on my HD revved even when Task Manager said nothing was happening; my Process Explorer program set to replace Task Manager stopped working; Skype's update won't connect; and last night I downloaded Avast free, and it wouldn't update definitions (I uninstalled it for now.) I'm screwed.


2) PROBLEMS WORKING YOUR CHECKLIST

All was doable until Item #8 -- the GMER scan froze on "C:\RECYCLER" -- after 10 minutes I tried to stop/close, but the screen was frozen, only a hard-stop shut down.
So I ran CC Cleaner (which I do every month or more), then reran the Defogger, and the DDS Tool to get current logs, and tried another GMER Scan and studied what happened:
It stalled on a file I didn't recognize (Janet-hijacked.jpg), and an old file I did (C:\RSM Letterhead myfont1.bmp) but there were two of them and both were 32 MB (from '05, don't recall them being so big) and when I looked back up there was just the MS blue screen with a big warning in white, which I jotted bits of:
"serious error -- kxriipod.sys -- page_fault_in_nonpage_area -- tech info: STOP: 0x00000050 --"

It wouldn't shut down; after a hard-stop and restart, a message said stuff including:
serious error -- sysdata.xml -- mini120810-01.dmp -- Generic Host Process for Win32 Services error --

In Safe Mode I found and deleted the "C:\Janet-hijacked.jpg" (it was a screenshot of a google search with one odd word bolded: "ammimune" or something like that -- it was not my search or image) and the two .bmp files.

I looked for kxriipod.sys but not only was it not on my PC, it wasn't to be found anywhere online! ACK! That seemed like a systems controller that renamed itself for each infection. Anyway, what do I know?

After disconnecting from the net, I ran the GMER scan again, and mid-process I got a pop-up saying that a file I recognized (from a few months ago) was "corrupt" and could not be accessed and to run ChkDsk Utility -- then it froze again on C:\RECYCLER -- nothing on the screen was accessible (no mouse, keys, Ctrl+Alt+Del -- NOTHING.) From memory, the only things ever listed, and none were in red, were 4 drivers with McAfee in the name, a thread, and 2 or 3 other things that were not file names I recognized.

BUT after this hard-stop and restart (this is all last night) the PC never came out of black screen to boot-up. I heard racing HD and lots of activity, but the screen never came on.

I hard-stopped and went to bed. I had nightmares. This morning, Safe Mode froze on a list of drivers; retrying two more times got the same. Trying "Debugging Mode" (?) got me a desktop change (that "active desktop" warning) but otherwise I got back here, and will get to what you asked for -- without the GMER scan (sorry!):


3) PASTED DDS.TXT LOG


DDS (Ver_10-12-05.01) - NTFSx86
Run by Blair at 22:10:20.17 on Wed 12/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1384 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Belkin\F5D8055\v2\Belkinwcui.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Blair\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearch Bar =
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit 7\SnagItIEAddin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} -
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000315.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration302020009.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\WinPatrol.exe -expressboot
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [F5D8055v2] c:\program files\belkin\f5d8055\v2\Belkinwcui.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [<NO NAME>]
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: StartMenuLogOff = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 51 (0x33)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - hxxps://browsercheck.qualys.com/qbc_ax.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C61F6B9D-C575-4205-82D9-BBE611B28348}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: !SASWinLogon -
Notify: GoToMyPC -
Notify: igfxcui -
Notify: PRISMAPI.DLL -
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 59283962;59283962 Boot Guard Driver;c:\windows\system32\drivers\59283962.sys [2010-4-15 37392]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 59283961;59283961;c:\windows\system32\drivers\59283961.sys [2010-4-15 128016]
R1 64370221;64370221;c:\windows\system32\drivers\64370221.sys [2010-4-15 128016]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-28 214664]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 setup_9.0.0.722_16.04.2010_05-11drv;setup_9.0.0.722_16.04.2010_05-11drv;c:\windows\system32\drivers\5928396.sys [2010-4-15 315408]
R2 ToolTipFixer;ToolTipFixer;c:\program files\neosmart technologies\tooltipfixer\ToolTipFixer.exe [2008-10-14 61952]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
R3 rt2870;Belkin N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-18 713344]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswSP;aswSP; [x]
S0 64370222;64370222 Boot Guard Driver;c:\windows\system32\drivers\64370222.sys --> c:\windows\system32\drivers\64370222.sys [?]
S3 ExpressInvoiceService;Express Invoice;c:\program files\nch software\expressinvoice\expressinvoice.exe [2008-10-29 864260]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-28 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-28 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-28 40552]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2009-11-17 32736]
S3 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2009-11-17 220128]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S4 0065711279864646mcinstcleanup;McAfee Application Installer Cleanup (0065711279864646);c:\windows\temp\006571~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\006571~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S4 NVDPservice;Neevia docuPrinter helper service;c:\program files\neevia.com\docuprinterpro7-30-08\neeviaDP6.lib [2008-7-30 2372448]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-10-19 90864]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2008-4-28 61526]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-9-23 98304]

=============== Created Last 30 ================

2010-12-09 01:28:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-12-08 16:13:13 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{e39e4173-3625-4c32-9844-4ec52cbc775f}\mpengine.dll
2010-12-07 23:00:16 -------- d-sh--w- c:\documents and settings\blair\IECompatCache
2010-11-24 03:41:33 -------- d-----w- c:\program files\Typewriter Q10
2010-11-20 05:08:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\WD_SmartWareCommon
2010-11-20 04:58:06 -------- d-----w- c:\docume~1\blair\locals~1\applic~1\Western_Digital
2010-11-20 04:57:12 -------- d-----w- c:\docume~1\blair\applic~1\Western Digital
2010-11-20 04:57:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2010-11-20 04:56:35 -------- d-----w- c:\program files\Western Digital
2010-11-17 06:50:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2010-11-17 05:25:30 112056 ----a-w- c:\windows\system32\acaptuser32.dll

==================== Find3M ====================

2010-11-17 06:49:20 256 ----a-w- c:\windows\system32\pool.bin
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 21:05:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-14 21:05:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-11 19:57:25 72748 ----a-w- c:\windows\unins004.exe

============= FINISH: 22:11:27.62 ===============


Please see the attached "attach.txt" -- I hope it's illuminating. [Attached file: Attach.txt, 18.54KB]
I'll run out to borrow a laptop and can get emails on my BB for any other info you might need.

I hope it's your easiest mystery solved, and I know you're volunteering your time and brain power -- you don't have a tipjar but I'll find a way to make it up to you guys... maybe you have a subscription I could buy to show my support. Cuz man, I sure need yours ~!

Thanks!

PS: I feel so exposed, having all this log out in the open and all... yikes!
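As an added example (not code from this thread or from the DDS tool), here is a small Python triage pass over the SERVICES / DRIVERS section of a DDS log like the one pasted above. The sample lines are copied from that log; the readings of the [x] and [?] trailers and the flag heuristics are assumptions made here, not DDS documentation, and a flag is a prompt for the helper to look closer, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the SERVICES / DRIVERS section of the
# DDS log in this thread (format: state, name;display name;image path [trailer]).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
RUnknown aswFsBlk;aswFsBlk; [x]
S0 64370222;64370222 Boot Guard Driver;c:\windows\system32\drivers\64370222.sys --> c:\windows\system32\drivers\64370222.sys [?]
S4 0065711279864646mcinstcleanup;McAfee Application Installer Cleanup (0065711279864646);c:\windows\temp\006571~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\006571~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]

=============== Created Last 30 ================
"""

# One DDS service/driver line: R (running) or S (stopped), a start type digit or
# "Unknown", then name;display name;image path with a trailing [..] group.
ENTRY_RE = re.compile(r"^([RS])(\d+|Unknown)\s+([^;]+);([^;]*);(.*)$")
TRAILER_RE = re.compile(r"\[([^\]]*)\]\s*$")


def section(text: str, header: str) -> List[str]:
    """Return the non-empty lines between the named ==== header and the next one."""
    lines: List[str] = []
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and line.endswith("="):
            inside = header in line
            continue
        if inside and line:
            lines.append(line)
    return lines


def parse_entry(line: str) -> Dict[str, object]:
    """Split one service/driver line into its fields."""
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"not a DDS service line: {line!r}")
    running, start, name, display, tail = m.groups()
    trailer = TRAILER_RE.search(tail)
    marker = trailer.group(1) if trailer else ""
    # DDS prints "original --> resolved" when it rewrote the path; keep the
    # resolved form, which is what the file check below refers to.
    path = tail[: trailer.start()].strip() if trailer else tail.strip()
    if "-->" in path:
        path = path.split("-->", 1)[1].strip()
    return {"running": running == "R", "start": start, "name": name,
            "display": display, "path": path, "marker": marker}


def flags_for(entry: Dict[str, object]) -> List[str]:
    """Triage heuristics (assumed here, not DDS rules) a helper applies before
    asking for more logs. Order is fixed so results are comparable."""
    flags: List[str] = []
    name = str(entry["name"])
    path = str(entry["path"]).lower()
    if name.isdigit():                  # e.g. 64370222: a name with no product hint
        flags.append("numeric_name")
    if entry["marker"] == "x":          # assumed: no image path recorded at all
        flags.append("no_image_path")
    if entry["marker"] == "?":          # assumed: DDS could not find the file on disk
        flags.append("file_not_found")
    if "\\temp\\" in path:              # service executable living in a temp directory
        flags.append("runs_from_temp")
    return flags


def triage_dds(text: str) -> List[Dict[str, object]]:
    """Parse the SERVICES / DRIVERS section and return only the flagged entries."""
    findings: List[Dict[str, object]] = []
    for line in section(text, "SERVICES / DRIVERS"):
        entry = parse_entry(line)
        flags = flags_for(entry)
        if flags:
            entry["flags"] = flags
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f['name']:32} {f['path'] or '<no path>':45} {', '.join(f['flags'])}")
```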


#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:59 PM

Posted 16 December 2010 - 08:59 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 Grateful Gal

Grateful Gal
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:59 PM

Posted 16 December 2010 - 10:46 AM

Thanks for the auto-reply, at least you noticed me after a week, I was worried I'd done something wrong since I was the only grey folder left on the boards... now I know that all it takes is a stock reply restating the instructions to count as a reply.

Although you didn't read my post to see that I HAD posted my DDS logs,
I'll confirm that the issue is very much NOT resolved,
NOTHING has been allowed to change while I await help here with a crippled machine,
I DID include a clear description of everything,
including that important point that whatever is wrong with my system is also preventing a GMER scan from running...

BUT -- your boilerplate reply wants me to do it all over again?
Fine, if it makes it look like I've been attended to by a forum monitor...
Sure.
Be right back.
Thanks.
+++++++++++++++++++++++++++++++++++++++ALL OVER AGAIN BY REQUEST+++++++++++++++++++++++++++++++++

HI GANG -- further clarification is inside *asterisks*

Per my profile, I'm talking about my WinXP home SP3 (Dell Vostro 200),
Intel Core 2 Duo, 2 GB RAM,
using MS Firewall & MS Security Essentials (replaced McAfee about a year ago.)

I'm connected by wireless to my cable router in the next room. This is my small biz machine used for Everything, *but I stopped trying fixes once I asked you for help last Thursday.* HELP!

Please find:
1) Introduction to the problem (actions/symptoms)
2) Problems met while working through your checklist
3) *FRESH REPEAT* Scan & Paste of dds.txt log
4) *FRESH REPEAT* Attachment of attach.txt (as a zip file)

NOTE: the GMER scan would not complete -- details below.

*Only the MS Tuesday Security Patch/Update has run since my post 7 days ago.*


1) INTRO: actions/symptoms

SEVERAL MONTHS AGO -- I read & (foolishly) believed I didn't need all this stuff called .NET and had RevoUninstaller pull it off. Then in April I had a trojan, found & deleted it -- but only after manually downloading the definitions to SuperAntiSpyware -- I could not connect to any A/V update sites... Then minor troubles and smarter advice convinced me to reinstall it using XP TCP/IP Repair, reinstalled all service packs/patches, etc. Auto-updates for security, clean virus scans, fine.
But soon, my TweetDeck updated and refused to connect. Then my beloved Firefox updated and refused to connect. Chrome wouldn't connect. Safari was hit or miss, so I had to use the dreaded IE8 to research what was wrong. *The update to Tweetdeck wouldn't run, nor Hootsuite, nor any update to any program that tried to auto update -- it renders the program unusable.*

Then my PCMatic wouldn't connect; again, my Malwarebytes and AVZ Toolkit wouldn't update definitions; NONE of my A/V programs would connect to update, new A/V programs wouldn't download! Even though I was online for non-A/V stuff just fine. Even pages on MS's site (like your like "how to backup easy") came up blank. It sounds nuts, but it seemed like topic-specific blocking was going on.

I kept getting a "svchost" error, and a "memory can't be written" error to click OK to every start-up (which *takes over 60 seconds of black screen to start-up.*)

*
THAT ERROR READS:
svchost.exe Application Error
The instruction at "0x7c91b21a" referenced memory at "0x00000010". That memory could not be "written."
*

Connections and downloads of any program updates became unreliable; spinning noises on my HD revved even when Task Manager said nothing was happening; my Process Explorer program set to replace Task Manager stopped working; Skype's update won't connect; *on 12/8* I downloaded Avast free, and it wouldn't update definitions (I uninstalled it.) I'm screwed.


2) PROBLEMS WORKING YOUR CHECKLIST

All was doable *on 12/8* until Item #8 -- the GMER scan froze on "C:\RECYCLER" -- after 10 minutes I tried to stop/close, but the screen was frozen, only a hard-stop shut down.
So I ran CC Cleaner (which I do every month or more),
then re-ran the Defogger,
and ran the DDS Tool to get current logs,
and tried another GMER Scan and studied what happened:

It stalled on a file I didn't recognize (Janet-hijacked.jpg),
and an old file I did (C:\RSM Letterhead myfont1.bmp)
but there were two of them and both were 32 MB (from '05, don't recall them being so big) and when I looked back up there was just the MS blue screen with a big warning in white, which I jotted bits of:

"serious error -- kxriipod.sys -- page_fault_in_nonpage_area -- tech info: STOP: 0x00000050 --"

It wouldn't shut down; after a hard-stop and restart, a message said stuff including:
serious error -- sysdata.xml -- mini120810-01.dmp -- Generic Host Process for Win32 Services error --

In Safe Mode I found and deleted the "C:\Janet-hijacked.jpg" (it was a screenshot of a google search with one odd word bolded: "ammimune" or something like that -- it was not my search or image) and the two .bmp files.

I looked for kxriipod.sys but not only was it not on my PC, it wasn't to be found anywhere online! ACK! That seemed like a systems controller that renamed itself for each infection. Anyway, what do I know?

After disconnecting from the net, I ran the GMER scan again,
and mid-process I got a pop-up saying that a file I recognized (from a few months ago) was "corrupt" and could not be accessed and to run ChkDsk Utility -- then it froze again on C:\RECYCLER -- nothing on the screen was accessible (no mouse, keys, Ctrl+Alt+Del -- NOTHING.)
From memory, the only things ever listed, and none were in red, were 4 drivers with McAfee in the name, a thread, and 2 or 3 other things that were not file names I recognized.

BUT after this hard-stop and restart (this is all last night) the PC never came out of black screen to boot-up. I heard racing HD and lots of activity, but the screen never came on.

I hard-stopped and went to bed. I had nightmares. This morning *(12/9)*, Safe Mode froze on a list of drivers; retrying two more times got the same. Trying "Debugging Mode" (?) got me a desktop change (that "active desktop" warning) but otherwise I got back here, and will get to what you asked for -- without the GMER scan (sorry!):


3) FRESH REPEAT SCAN & PASTE OF DDS.TXT LOG


DDS (Ver_10-12-05.01) - NTFSx86
Run by Blair at 7:50:35.45 on Thu 12/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1410 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Belkin\F5D8055\v2\Belkinwcui.exe
C:\Documents and Settings\Blair\Desktop\bleeping computer stuff\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
uSearch Bar =
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit 7\SnagItIEAddin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} -
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000315.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration302020009.dll
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\WinPatrol.exe -expressboot
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [F5D8055v2] c:\program files\belkin\f5d8055\v2\Belkinwcui.exe
mRun: [<NO NAME>]
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: StartMenuLogOff = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 51 (0x33)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - hxxps://browsercheck.qualys.com/qbc_ax.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {C61F6B9D-C575-4205-82D9-BBE611B28348}
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: !SASWinLogon -
Notify: GoToMyPC -
Notify: igfxcui -
Notify: PRISMAPI.DLL -
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli
IFEO: taskmgr.exe - "c:\program files\processexplorer\PROCEXP.EXE"

============= SERVICES / DRIVERS ===============

R0 59283962;59283962 Boot Guard Driver;c:\windows\system32\drivers\59283962.sys [2010-4-15 37392]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2008-5-20 15328]
R1 59283961;59283961;c:\windows\system32\drivers\59283961.sys [2010-4-15 128016]
R1 64370221;64370221;c:\windows\system32\drivers\64370221.sys [2010-4-15 128016]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-28 214664]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 setup_9.0.0.722_16.04.2010_05-11drv;setup_9.0.0.722_16.04.2010_05-11drv;c:\windows\system32\drivers\5928396.sys [2010-4-15 315408]
R2 ToolTipFixer;ToolTipFixer;c:\program files\neosmart technologies\tooltipfixer\ToolTipFixer.exe [2008-10-14 61952]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2009-3-28 31896]
R3 rt2870;Belkin N+ Wireless USB Adapter Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-18 713344]
S0 64370222;64370222 Boot Guard Driver;c:\windows\system32\drivers\64370222.sys --> c:\windows\system32\drivers\64370222.sys [?]
S3 ExpressInvoiceService;Express Invoice;c:\program files\nch software\expressinvoice\expressinvoice.exe [2008-10-29 864260]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-28 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-28 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-28 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-28 40552]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [2009-11-17 32736]
S3 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2009-11-17 220128]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
S4 0065711279864646mcinstcleanup;McAfee Application Installer Cleanup (0065711279864646);c:\windows\temp\006571~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\006571~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe --> c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [?]
S4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S4 NVDPservice;Neevia docuPrinter helper service;c:\program files\neevia.com\docuprinterpro7-30-08\neeviaDP6.lib [2008-7-30 2372448]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-10-19 90864]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [2008-4-28 61526]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-9-23 98304]

=============== Created Last 30 ================

2010-12-16 00:48:16 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{915d11b1-2cbd-4183-b226-eb2cdfd18976}\mpengine.dll
2010-12-15 06:52:22 -------- d-----w- c:\docume~1\blair\applic~1\ieSpell
2010-12-09 01:28:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-12-07 23:00:16 -------- d-sh--w- c:\documents and settings\blair\IECompatCache
2010-11-24 03:41:33 -------- d-----w- c:\program files\Typewriter Q10
2010-11-20 05:08:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\WD_SmartWareCommon
2010-11-20 04:58:06 -------- d-----w- c:\docume~1\blair\locals~1\applic~1\Western_Digital
2010-11-20 04:57:12 -------- d-----w- c:\docume~1\blair\applic~1\Western Digital
2010-11-20 04:57:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2010-11-20 04:56:35 -------- d-----w- c:\program files\Western Digital
2010-11-17 06:50:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Research In Motion
2010-11-17 05:25:30 112056 ----a-w- c:\windows\system32\acaptuser32.dll

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-17 06:49:20 256 ----a-w- c:\windows\system32\pool.bin
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 21:05:11 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-14 21:05:11 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

============= FINISH: 7:51:30.70 ===============


4) *FRESH REPEAT* Attachment of attach.txt (as a zip file)

*Please see attached zip file (Attach.zip).

Please advise. I had so many problems rebooting after the GMER scan froze and wouldn't start-up again last week, that I've only rebooted the machine once since -- for the Security update -- and just disconnect from the internet when I leave it for the night. Needless to say, I'm eager to follow your next set of instructions to get this diagnosed and solved.

Thanks so much for letting me know I'd been seen... I'll be here at my desk to do what you ask, thanks~!

Edited by Grateful Gal, 16 December 2010 - 11:18 AM.


#4 rigacci

Posted 16 December 2010 - 08:24 PM

Thanks for the new logs. We need new logs because a lot can happen in a week and it is important to see exactly what is going on in your computer.

I will not be able to help you but someone should respond very quickly, once I post that you still need help.

DR

#5 Grateful Gal (Topic Starter)

Posted 16 December 2010 - 08:47 PM

Yeah, looking forward to that, thanks.

(Just wondering, why do the instructions tell us to post logs if they'll be out of date by the time someone is able to get to it? I know you're all volunteers, and you don't even have a tip jar or way to donate by PayPal -- both of which I suggested and would use to ease some of the burden on you guys -- so I suspect you guys didn't write the instructions, but it seems unproductive to do it first when we'll have to do it again a week later.)

And if you ever open that tip jar, I'll be right there for you to put my $$ where my "thanks" are ~

#6 gringo_pr (Malware Response Team)

Posted 17 December 2010 - 12:47 AM

Hello

See I told you it would only be a couple of more days.

And to answer your question: we have a lot of people helping at different expertise levels, and they will use the logs to see if they think they can handle the log. We also have people helping that can only take a log or two a week, and they will grab newer logs in hope of getting a reply back.

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Grateful Gal (Topic Starter)

Posted 17 December 2010 - 02:09 AM

Thanks Gringo --

SHORT VERSION -- Should I run ComboFix even with a phantom warning I'm getting?

DETAILS:

For nearly an hour I've been trying to follow these instructions so I could post before bed (I know the routine well from studying the forums) but here's the problem -- (and I hope you can advise so I'll have further instructions in the morning) --

I've disabled MS Security Essentials, and WinPatrol, which are the only two things that show in my bar.
(I had used RevoUninstaller months ago to get rid of McAfee when it failed.)
I even checked all my programs to confirm that I wasn't running anything A/V, and found something that wasn't running (Windows Live OneCare) but I'd never heard of it so I uninstalled it.

--> But before ComboFix would run, it warns me that I have McAfee VirusScan live and monitoring -- the warning said to disable it before going further. I closed ComboFix [had to use Process Explorer to "kill process" because closing it in the task bar would just restart or advance the warning window] and went hunting for a program I don't have.

Needless to say, it doesn't show up anywhere, not in programs, RevoUninstaller shows it's gone, but doing a long/slow "search" of anything named "mcafee" showed there were still some dead shortcuts buried in a file, and some McAfee logo gifs buried in an AOL file (which I don't use), and some empty folders with that in the name... so I deleted them all, emptied the trash, ran the search again, found nothing (not even searching the word "virusscan").

I tried to start ComboFix again, but I got the same warning -- this time, I clicked the "X" to try to close the program to write this to you, but it just gave me a different WARNING -- about "you've chosen to go ahead and run ComboFix with McAfee scanning so if you press OK you know it's dangerous" or something scary like that.

So I closed the ComboFix program again, then re-enabled my MS Security Essentials A/V, and came over to tell you about it -- but the ComboFix restarted itself and started to "back up the registry" for two seconds before I "X"ed out and dragged it to the Trash. It said that it was a read-only program and did I really wanna trash it, but it was the only way to stop it, so I did. Jeeze, all these warnings have me freaked out.

There seems to be no instance of "McAfee" anywhere on my machine -- but the ComboFix warnings are very graphic about possible damage to my machine, so I thought I'd better ask and see what you advise in the morning... I hate this set-back, but you'll know what to tell me --

Thanks~ G'night... be back in the morning. And I haven't been shutting down because the reboot isn't a sure thing and I can't have it not start up, so I'll disconnect from the internet overnight, and check back here in the morning. Maybe it's as simple as rebooting to clear the McAfee warning, but as I said, reboots are risky and I've been on pins & needles all week...

Thanks~!

Edited by Grateful Gal, 17 December 2010 - 02:16 AM.


#8 gringo_pr (Malware Response Team)

Posted 17 December 2010 - 02:48 AM

Hello

Go ahead and run it and I will take care of it later - It is not running but a program is reporting to windows that it is running - I will tell that program that it is no longer on the computer


Gringo
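An added check, not part of this thread and not ComboFix's own code, that shows where a "phantom" antivirus or firewall registration like the McAfee one above lives: Windows Security Center keeps its own list of registered antivirus and firewall products in WMI, and a product that was removed without telling Security Center stays on that list. The GUIDs ComboFix prints next to its AV:/FW: header lines are registration identifiers of this kind (instanceGuid). The script below (PowerShell, assumed to be run from an administrator prompt) only reads those registrations; it assumes the Windows XP namespace root\SecurityCenter and the Vista-and-later namespace root\SecurityCenter2, queries both, and reads whichever properties each version exposes.

```powershell
# Added example (not from the thread, not ComboFix's code): list every antivirus and
# firewall product that Windows Security Center currently has registered via WMI.
# Assumptions: elevated PowerShell prompt; XP uses root\SecurityCenter, Vista+ uses
# root\SecurityCenter2 (both are queried; a namespace that does not exist is skipped).

function Get-ProductProperty {
    # Return the named property of a WMI instance if it exists, otherwise $null.
    # The XP and Vista+ classes expose different property sets, so never assume one.
    param($Instance, [string]$Name)
    $prop = $Instance.PSObject.Properties[$Name]
    if ($prop) { return $prop.Value }
    return $null
}

function Get-SecurityCenterRegistrations {
    param(
        [string[]]$Namespaces = @('root\SecurityCenter', 'root\SecurityCenter2'),
        [string[]]$Classes    = @('AntiVirusProduct', 'FirewallProduct')
    )
    foreach ($ns in $Namespaces) {
        foreach ($class in $Classes) {
            try {
                $instances = Get-WmiObject -Namespace $ns -Class $class -ErrorAction Stop
            } catch {
                continue   # namespace or class is absent on this Windows version
            }
            foreach ($i in $instances) {
                # Vista+ records the product executable; XP does not, so this may stay empty.
                $exe = Get-ProductProperty $i 'pathToSignedProductExe'
                $exeExists = $null
                if ($exe) { $exeExists = Test-Path -LiteralPath $exe }
                New-Object PSObject -Property @{
                    Namespace    = $ns
                    Class        = $class
                    DisplayName  = (Get-ProductProperty $i 'displayName')
                    InstanceGuid = (Get-ProductProperty $i 'instanceGuid')
                    # XP-only flags; $null on Vista+, where productState encodes them instead
                    OnAccessScan = (Get-ProductProperty $i 'onAccessScanningEnabled')
                    Enabled      = (Get-ProductProperty $i 'enabled')
                    ProductState = (Get-ProductProperty $i 'productState')
                    ProductExe   = $exe
                    ExeExists    = $exeExists
                }
            }
        }
    }
}

# A registration with no matching installed program (or whose ProductExe no longer
# exists) is the kind of stale entry that makes tools report a removed product as
# "Enabled". This script only lists; it does not change anything.
Get-SecurityCenterRegistrations |
    Select-Object Namespace, Class, DisplayName, InstanceGuid, OnAccessScan, Enabled,
                  ProductState, ProductExe, ExeExists |
    Format-Table -AutoSize
```

Compare the DisplayName and InstanceGuid columns with the AV:/FW: lines of a ComboFix or DDS log: an entry that appears here but matches nothing in Add/Remove Programs is the registration the helper refers to clearing in the next step. The script is read-only by design; removing a stale entry is a separate, deliberate step that belongs with the helper's instructions.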

#9 Grateful Gal (Topic Starter)

Posted 17 December 2010 - 02:20 PM

Thanks Gringo -- please find:

1) ISSUES that came up
2) COMBOFIX LOG


1) ISSUES ----------------

It reported that I didn't have Recovery Console installed and requested to get it, I allowed;
instantly, it reported "failed to download files - aborting." So Recovery Console WAS NOT INSTALLED.

It ran the scan thru the 50 stages; it deleted some files and folders; it rebooted the PC.

The same error I always get these days came with the reboot:
THAT ERROR READS:
svchost.exe Application Error
The instruction at "0x7c91b21a" referenced memory at "0x00000010". That memory could not be "written."

I clicked "cancel to debug" as always and the log was prepared.
I restarted MS Security Essentials before coming here --


2) COMBOFIX LOG -------------------

ComboFix 10-12-16.02 - Blair 12/17/2010 10:45:03.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1431 [GMT -8:00]
Running from: c:\documents and settings\Blair\Desktop\ComboFix.exe
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Blair\Application Data\EurekaLog
c:\documents and settings\Blair\g2mdlhlpx.exe
c:\documents and settings\Blair\GoToAssistDownloadHelper.exe
c:\documents and settings\Blair\Recent\Thumbs.db
c:\documents and settings\Blair\System
c:\documents and settings\Blair\System\win_qs8.jqx
C:\Install.exe
c:\windows\ST6UNST.000
c:\windows\system32\Thumbs.db
c:\windows\system32\gotomon.log . . . . Failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))
.

2010-12-17 07:06 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9F5AE97-B2EF-428A-94BD-314F3765ADF7}\mpengine.dll
2010-12-17 01:07 . 2010-12-17 01:07 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-12-15 06:52 . 2010-12-15 06:52 -------- d-----w- c:\documents and settings\Blair\Application Data\ieSpell
2010-12-09 02:24 . 2010-12-09 02:27 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-09 01:28 . 2010-12-09 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-09 01:28 . 2010-12-09 01:28 -------- d-----w- c:\program files\Alwil Software
2010-12-07 23:00 . 2010-12-07 23:00 -------- d-sh--w- c:\documents and settings\Blair\IECompatCache
2010-11-24 03:41 . 2010-11-24 03:43 -------- d-----w- c:\program files\Typewriter Q10
2010-11-20 05:08 . 2010-11-20 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2010-11-20 04:58 . 2010-11-20 04:58 -------- d-----w- c:\documents and settings\Blair\Local Settings\Application Data\Western_Digital
2010-11-20 04:57 . 2010-11-20 04:57 -------- d-----w- c:\documents and settings\Blair\Application Data\Western Digital
2010-11-20 04:57 . 2010-11-20 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-11-20 04:57 . 2010-11-20 04:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-11-20 04:56 . 2010-11-20 04:56 -------- d-----w- c:\program files\Western Digital

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-08-10 18:02 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-10 04:33 . 2010-04-17 03:52 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-06 00:26 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 17:51 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 17:51 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-04-16 01:02 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 21:05 . 2010-10-14 21:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-14 21:05 . 2010-04-20 02:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-23 02:47 . 2010-11-17 05:25 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2010-09-18 19:23 . 2004-08-10 17:51 974848 ----a-w- c:\windows\system32\mfc42u.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Blair\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Blair\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Blair\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"F5D8055v2"="c:\program files\Belkin\F5D8055\v2\Belkinwcui.exe" [2009-04-08 1662976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 51 (0x33)
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"PCPitstop Scheduling"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NVDPservice"=3 (0x3)
"McShield"=2 (0x2)
"MsMpSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Blair\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" -logon
"IndexSearch"=c:\program files\ScanSoft\PAPERPORT\INDEXSEARCH.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" -hide -runkey
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AlphaSmart\\AlphaSmart IR Setup.exe"=
"c:\\Program Files\\Amazon\\MP3 Downloader\\AmazonMP3Downloader.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\Amazon\\Kindle For PC\\KindleForPC.exe"=
"c:\\Program Files\\Microsoft Security Essentials\\msseces.exe"=
"c:\\WINDOWS\\system32\\wupdmgr.exe"=
"c:\\Program Files\\Final Draft 7\\Final Draft7.exe"=
"c:\\Documents and Settings\\Blair\\My Documents\\MY DOCS\\OE folders From C Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\BillP Studios\\WinPatrol\\WinPatrol.exe"=
"c:\\Documents and Settings\\Blair\\My Documents\\MY AUDIO\\Audible\\Bin\\AudibleDownloadHelper.exe"=
"c:\\Program Files\\Belkin\\F5D8055\\v2\\Belkinwcui.exe"=
"c:\\Program Files\\BookSmart\\BookSmart.exe"=
"c:\\Program Files\\OE Express Assist 10\\EA10.EXE"=
"c:\\Program Files\\D-Link\\D-Link DWL-650 Control Utility\\Config.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Documents and Settings\\All Users\\Start Menu\\Programs\\3-SCRIPT PROGRAMS\\Movie Magic Screenwriter\\CONFIGWZ.EXE"=
"c:\\Program Files\\Copernic Desktop Search - Home\\DesktopSearch.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry\\DesktopMgr.exe"=
"c:\\Program Files\\Neevia.Com\\docuPrinterPro7-30-08\\dprint.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe"=
"c:\\Program Files\\Microsoft Reader\\msreader.exe"=
"c:\\Program Files\\Microsoft Silverlight\\4.0.50917.0\\Silverlight.Configuration.exe"=
"c:\\Program Files\\NCH Swift Sound\\ToolBox\\toolbox.exe"=
"c:\\Program Files\\OpenDNS Updater\\OpenDNSUpdater.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\BillP Studios\\WinPatrol\\WinPatrolEx.exe"=
"c:\\Program Files\\YouSendIt\\Express\\YouSendIt.exe"=
"c:\\Program Files\\Revo Uninstaller\\revouninstaller.exe"=
"c:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\i386\\dllhost.exe"=
"c:\\dell\\Utilities\\Driver Reset Tool\\Driver Reset.exe"=
"c:\\Program Files\\NCH Software\\ExpressInvoice\\expressinvoice.exe"=
"c:\\Program Files\\AlphaSmart\\getutil.exe"=
"c:\\Program Files\\Birnam Labs\\netChimes\\netChimes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wscript.exe"=
"c:\\i386\\wscript.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 59283962;59283962 Boot Guard Driver;c:\windows\system32\drivers\59283962.sys [4/15/2010 11:53 PM 37392]
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 9:32 AM 15328]
R1 59283961;59283961;c:\windows\system32\drivers\59283961.sys [4/15/2010 11:53 PM 128016]
R1 64370221;64370221;c:\windows\system32\drivers\64370221.sys [4/15/2010 6:16 PM 128016]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R1 setup_9.0.0.722_16.04.2010_05-11drv;setup_9.0.0.722_16.04.2010_05-11drv;c:\windows\system32\drivers\5928396.sys [4/15/2010 11:53 PM 315408]
R2 ToolTipFixer;ToolTipFixer;c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [10/14/2008 9:33 AM 61952]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/28/2009 5:38 AM 31896]
S0 64370222;64370222 Boot Guard Driver;c:\windows\system32\DRIVERS\64370222.sys --> c:\windows\system32\DRIVERS\64370222.sys [?]
S3 ExpressInvoiceService;Express Invoice;c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [10/29/2008 5:37 PM 864260]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [11/17/2009 3:49 AM 32736]
S3 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [11/17/2009 3:49 AM 220128]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S4 0065711279864646mcinstcleanup;McAfee Application Installer Cleanup (0065711279864646);c:\windows\TEMP\006571~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\006571~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 NVDPservice;Neevia docuPrinter helper service;c:\program files\Neevia.Com\docuPrinterPro7-30-08\neeviaDP6.lib [7/30/2008 10:38 AM 2372448]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/19/2010 11:50 AM 90864]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [4/28/2008 6:13 PM 61526]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/23/2009 9:52 AM 98304]
.
Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - hxxps://browsercheck.qualys.com/qbc_ax.cab
DPF: {C61F6B9D-C575-4205-82D9-BBE611B28348}
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
Notify-!SASWinLogon - (no file)
Notify-GoToMyPC - (no file)
Notify-PRISMAPI - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-17 10:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NVDPservice]
"ImagePath"="c:\program files\neevia.com\docuPrinterPro7-30-08\neeviaDP6.lib"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Setup"="0209C05-A8A4-04B0-1731-A3A7"
"Licence"="01EA0E9-F059-2C74-022D-7F2A"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\PRISMAPI.DLL

- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\WININET.dll
c:\documents and settings\Blair\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
.
**************************************************************************
.
Completion time: 2010-12-17 11:00:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-17 18:59

Pre-Run: 137,330,733,056 bytes free
Post-Run: 137,275,543,552 bytes free

- - End Of File - - D00FAE298AD00F78CA3D20CE21FCC332


You ask how the computer is doing now? I won't know until I reboot and try to download Firefox, or update PCMatic or see if Process Explorer can maintain its instruction to replace Task Manager after a reboot -- but I'm not sure I should mess around with any of that until I hear back from you, so I won't. The Combofix process was nice and quiet, where I often hear load revving/spinning, and see 50% or more CPU usage for no reason, so that's nice.

I am concerned about the big "WARNING: you don't have Recovery Console installed!" -- What's up with that?
And I don't "have" McAfee, so that's odd to see it all over... I'll use whichever A/V you tell me to.

FYI -- I'm very familiar with all my files/programs, so I can explain any you don't recognize. Well, google can too, so...

Awaiting your instructions before doing ANYTHING -- ha!

Thanks ~

PS: In your instructions, you might want to add these two notes:
a) that the scan may run from 7 - 20 minutes, but will beep when it needs you so you can walk away;
b) that you should (or shouldn't) click error messages you get upon reboot <-- I wasn't sure

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 17 December 2010 - 05:56 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Driver::
59283962
59283961
64370221
setup_9.0.0.722_16.04.2010_05-11drv
64370222

File::
c:\windows\system32\drivers\59283962.sys
c:\windows\system32\drivers\59283961.sys
c:\windows\system32\drivers\64370221.sys
c:\windows\system32\drivers\5928396.sys

SecCenter::
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}



Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Grateful Gal (Topic Starter)

Posted 17 December 2010 - 09:28 PM

Ooh! Thanks Gringo -- this is so exciting! A "custom script" -- all for me? How neat!

I'll do it right now, first closing everything and disabling security, etc. Be back with logs shortly, but I wish there was a test or something that I should do to let you know how the computer runs thereafter, per your point #3... I noticed that my right-click context menu still sometimes messes up and tries to move or copy a file when I try to do something else, like make a zip of it.

I've got a few questions for you:

1) Did the Combofix run the GMER for me, since I couldn't?
2) Can you tell me why my PC wouldn't let the GMER scan run?
3) Do I need to install whatever the "Recovery Console" is? If so, how?
4) I do pay for GoToMeeting (by Citrix), which a Rep needed to adjust using GoToAssist a few months ago -- I see that "downloadHelper" was deleted, but was that just in an abundance of caution? If I need them to configure my subscription again, they'll need me to use it again -- any concerns?
5) Were the other 8 files all trojans or something?
6) What about the "gotomon" log that "failed to delete" -- is that okay?

Okay, I'll shut up and go get the script running the Combofix and get the logs back to you -- this is AWESOME to do this with you -- it's really something I'd pay for, so you guys should consider a "patrons order" that lets people who want to pay for one-on-one help and education pay for it... I'm actually down to my last few bucks so I shouldn't offer, but it's so-so-so great that you're helping so many people. THANKS.

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 17 December 2010 - 10:03 PM

1) Did the Combofix run the GMER for me, since I couldn't?
It ran part of GMER, but it does this normally.

2) Can you tell me why my PC wouldn't let the GMER scan run?
No, I can't, as it could be lots of reasons.

3) Do I need to install whatever the "Recovery Console" is? If so, how?
When you run the script you need to be online, and it will be installed.

4) I do pay for GoToMeeting (by Citrix), which a Rep needed to adjust using GoToAssist a few months ago -- I see that "downloadHelper" was deleted, but was that just in an abundance of caution? If I need them to configure my subscription again, they'll need me to use it again -- any concerns?
It may need to be reinstalled; it is a program that has been used by the bad guys before, and the type of program that it is.

5) Were the other 8 files all trojans or something?
They don't look bad, but what I asked to be scripted looks to be something to be concerned about.

6) What about the "gotomon" log that "failed to delete" -- is that okay?
That is part of GoToAssist and is only a log, nothing to worry about.

it's really something I'd pay for, so you guys should consider a "patrons order" that lets people who want to pay for one-on-one help and education pay for it... I'm actually down to my last few bucks so I shouldn't offer, but it's so-so-so great that you're helping so many people. THANKS.

We do put in PayPal links so you can donate if you wish; I put mine in at the end.


Let me have the new report when complete.


Gringo

#13 Grateful Gal (Topic Starter)

Posted 17 December 2010 - 10:19 PM

Hi Gringo --

In addition to the questions and info above (or below, in my prior post), please find:

1) ISSUES
2) 2nd COMBOFIX LOG

1) ISSUES
Having the CFScript.txt run the ComboFix was fine,
other than it again warned that I didn't have the RECOVERY CONSOLE,
again failed to download those files & aborted,
again ran (at my "OK") regardless.
DO I NEED THIS RECOVERY CONSOLE? IF SO, HOW DO I GET IT?

And I got the same error screen on the reboot:
THAT ERROR READS:
svchost.exe Application Error
The instruction at "0x7c91b21a" referenced memory at "0x00000010". That memory could not be "written."

HOW DO I CORRECT THAT & GET IT TO STOP (since it holds up all my start-up programs)?

THEN a new icon came into my Notification Area -- a light blue "Q" -- maybe QuickTime? Nothing I ever have on start-up usually, and now that the "FIND 3M" screen from ComboFix is closed, it's gone.

BUT my "Process Explorer" (a great program) did not stick as "replace Task Manager" after the reboot --
AND I downloaded the latest Firefox 3.6 (my preferred browser) and it downloaded fine (it wouldn't before), but I got the same error that led to this suspicion of a Rootkit Virus -- it won't connect. And I'm connected here, so that's still broken.

Anything I've tried to update or download in the last few months has failed, with some errors (and the only advice online) saying to "allow" it in the Firewall list (that never helped, even pulling them off the list and relisting them), or to turn my Firewall off, and the Windows Firewall had no place to do that -- I even have MS Security Essentials OFF right now still (due to the ComboFix scan) and I still can't get Firefox to connect. UGH!

I haven't tested anything else, but that issue (for any program/update) is the biggest -- what's wrong with my stupid machine?

2) 2nd COMBOFIX LOG

ComboFix 10-12-16.02 - Blair 12/17/2010 18:40:37.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1443 [GMT -8:00]
Running from: c:\documents and settings\Blair\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Blair\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\system32\drivers\5928396.sys"
"c:\windows\system32\drivers\59283961.sys"
"c:\windows\system32\drivers\59283962.sys"
"c:\windows\system32\drivers\64370221.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\5928396.sys
c:\windows\system32\drivers\59283961.sys
c:\windows\system32\drivers\59283962.sys
c:\windows\system32\drivers\64370221.sys
c:\windows\system32\gotomon.log
c:\windows\system32\gotomon.log . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_59283961
-------\Legacy_59283962
-------\Legacy_64370221
-------\Legacy_64370222
-------\Legacy_SETUP_9.0.0.722_16.04.2010_05-11DRV
-------\Service_59283961
-------\Service_59283962
-------\Service_64370221
-------\Service_64370222
-------\Service_setup_9.0.0.722_16.04.2010_05-11drv


((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-17 19:03 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{01CB222C-6371-498F-8FF0-D2A4405F6E2A}\mpengine.dll
2010-12-17 01:07 . 2010-12-17 01:07 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-12-15 06:52 . 2010-12-17 19:19 -------- d-----w- c:\documents and settings\Blair\Application Data\ieSpell
2010-12-09 02:24 . 2010-12-09 02:27 -------- d-----w- c:\program files\Windows Live Safety Center
2010-12-09 01:28 . 2010-12-09 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-09 01:28 . 2010-12-09 01:28 -------- d-----w- c:\program files\Alwil Software
2010-12-07 23:00 . 2010-12-07 23:00 -------- d-sh--w- c:\documents and settings\Blair\IECompatCache
2010-11-24 03:41 . 2010-11-24 03:43 -------- d-----w- c:\program files\Typewriter Q10
2010-11-20 05:08 . 2010-11-20 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\WD_SmartWareCommon
2010-11-20 04:58 . 2010-11-20 04:58 -------- d-----w- c:\documents and settings\Blair\Local Settings\Application Data\Western_Digital
2010-11-20 04:57 . 2010-11-20 04:57 -------- d-----w- c:\documents and settings\Blair\Application Data\Western Digital
2010-11-20 04:57 . 2010-11-20 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Western Digital
2010-11-20 04:57 . 2010-11-20 04:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-11-20 04:56 . 2010-11-20 04:56 -------- d-----w- c:\program files\Western Digital

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-08-10 18:02 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-10 04:33 . 2010-04-17 03:52 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-06 00:26 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 17:51 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 17:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 17:51 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-19 20:51 . 2010-04-16 01:02 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-14 21:05 . 2010-10-14 21:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-14 21:05 . 2010-04-20 02:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-23 02:47 . 2010-11-17 05:25 112056 ----a-w- c:\windows\system32\acaptuser32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Blair\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Blair\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Blair\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 56080]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"F5D8055v2"="c:\program files\Belkin\F5D8055\v2\Belkinwcui.exe" [2009-04-08 1662976]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 51 (0x33)
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"stllssvr"=3 (0x3)
"PCPitstop Scheduling"=3 (0x3)
"mnmsrvc"=3 (0x3)
"NVDPservice"=3 (0x3)
"McShield"=2 (0x2)
"MsMpSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Google Update"="c:\documents and settings\Blair\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" -logon
"IndexSearch"=c:\program files\ScanSoft\PAPERPORT\INDEXSEARCH.EXE
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" -hide -runkey
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AlphaSmart\\AlphaSmart IR Setup.exe"=
"c:\\Program Files\\Amazon\\MP3 Downloader\\AmazonMP3Downloader.exe"=
"c:\\Program Files\\Citrix\\GoToMyPC\\g2svc.exe"=
"c:\\Program Files\\Amazon\\Kindle For PC\\KindleForPC.exe"=
"c:\\Program Files\\Microsoft Security Essentials\\msseces.exe"=
"c:\\WINDOWS\\system32\\wupdmgr.exe"=
"c:\\Program Files\\Final Draft 7\\Final Draft7.exe"=
"c:\\Documents and Settings\\Blair\\My Documents\\MY DOCS\\OE folders From C Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\BillP Studios\\WinPatrol\\WinPatrol.exe"=
"c:\\Documents and Settings\\Blair\\My Documents\\MY AUDIO\\Audible\\Bin\\AudibleDownloadHelper.exe"=
"c:\\Program Files\\Belkin\\F5D8055\\v2\\Belkinwcui.exe"=
"c:\\Program Files\\BookSmart\\BookSmart.exe"=
"c:\\Program Files\\OE Express Assist 10\\EA10.EXE"=
"c:\\Program Files\\D-Link\\D-Link DWL-650 Control Utility\\Config.exe"=
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\Documents and Settings\\All Users\\Start Menu\\Programs\\3-SCRIPT PROGRAMS\\Movie Magic Screenwriter\\CONFIGWZ.EXE"=
"c:\\Program Files\\Copernic Desktop Search - Home\\DesktopSearch.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry\\DesktopMgr.exe"=
"c:\\Program Files\\Neevia.Com\\docuPrinterPro7-30-08\\dprint.exe"=
"c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\MSInfo\\msinfo32.exe"=
"c:\\Program Files\\Microsoft Reader\\msreader.exe"=
"c:\\Program Files\\Microsoft Silverlight\\4.0.50917.0\\Silverlight.Configuration.exe"=
"c:\\Program Files\\NCH Swift Sound\\ToolBox\\toolbox.exe"=
"c:\\Program Files\\OpenDNS Updater\\OpenDNSUpdater.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\BillP Studios\\WinPatrol\\WinPatrolEx.exe"=
"c:\\Program Files\\YouSendIt\\Express\\YouSendIt.exe"=
"c:\\Program Files\\Revo Uninstaller\\revouninstaller.exe"=
"c:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\RUNSAS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\i386\\dllhost.exe"=
"c:\\dell\\Utilities\\Driver Reset Tool\\Driver Reset.exe"=
"c:\\Program Files\\NCH Software\\ExpressInvoice\\expressinvoice.exe"=
"c:\\Program Files\\AlphaSmart\\getutil.exe"=
"c:\\Program Files\\Birnam Labs\\netChimes\\netChimes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wscript.exe"=
"c:\\i386\\wscript.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [5/20/2008 9:32 AM 15328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]
R2 ToolTipFixer;ToolTipFixer;c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [10/14/2008 9:33 AM 61952]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [3/28/2009 5:38 AM 31896]
S3 ExpressInvoiceService;Express Invoice;c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [10/29/2008 5:37 PM 864260]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [11/17/2009 3:49 AM 32736]
S3 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [11/17/2009 3:49 AM 220128]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
S3 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S4 0065711279864646mcinstcleanup;McAfee Application Installer Cleanup (0065711279864646);c:\windows\TEMP\006571~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\006571~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S4 NVDPservice;Neevia docuPrinter helper service;c:\program files\Neevia.Com\docuPrinterPro7-30-08\neeviaDP6.lib [7/30/2008 10:38 AM 2372448]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [10/19/2010 11:50 AM 90864]
S4 PRISMSVC;PRISMSVC;c:\windows\system32\PRISMSVC.exe [4/28/2008 6:13 PM 61526]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [9/23/2009 9:52 AM 98304]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-12-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} - hxxps://browsercheck.qualys.com/qbc_ax.cab
DPF: {C61F6B9D-C575-4205-82D9-BBE611B28348}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-17 18:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NVDPservice]
"ImagePath"="c:\program files\neevia.com\docuPrinterPro7-30-08\neeviaDP6.lib"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Setup"="0209C05-A8A4-04B0-1731-A3A7"
"Licence"="01EA0E9-F059-2C74-022D-7F2A"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\system32\PRISMAPI.DLL

- - - - - - - > 'explorer.exe'(1076)
c:\windows\system32\WININET.dll
c:\documents and settings\Blair\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
.
**************************************************************************
.
Completion time: 2010-12-17 18:57:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-18 02:57
ComboFix2.txt 2010-12-17 19:00

Pre-Run: 137,280,909,312 bytes free
Post-Run: 137,324,474,368 bytes free

- - End Of File - - 43E58E6AF1F3E5FBE02CF339BDB545F7


~~~~~~~ Many thanks Gringo -- I don't mean to get frustrated with you, you're wearing the White Hat!

Please advise --

Still Grateful (Gal)
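An added example, not part of this thread and not ComboFix's or GMER's own code: a small Python triage helper that walks ComboFix-style log lines and flags the kinds of entries a malware-removal helper looks for in the log above. It flags all-digit driver names under system32\drivers (the 5928396x.sys / 6437022x.sys set that the CFScript targeted), a non-empty AppInit_DLLs value, Security Center monitoring that is disabled for a vendor the log does not report as installed (the McAfee keys on a machine whose only reported AV is Microsoft Security Essentials), and firewall exceptions for generic host binaries such as wscript.exe and dllhost.exe. The sample log is constructed in the shape of the posted one, abbreviated, and the watch-list of host binaries and the five-digit threshold are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix log quoted in this thread.
# Abbreviated stand-in for illustration, not the posted log itself.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
c:\windows\system32\drivers\59283962.sys
c:\windows\system32\drivers\64370221.sys
c:\windows\system32\drivers\pssnap.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\CCleaner\\CCleaner.exe"=
"c:\\WINDOWS\\system32\\wscript.exe"=
"c:\\i386\\dllhost.exe"=
"""

# Generic host binaries: a firewall exception for one of these lets whatever
# script or COM server it loads inherit the exception. Assumed watch-list.
HOST_BINARIES = {"wscript.exe", "cscript.exe", "dllhost.exe", "sessmgr.exe",
                 "rundll32.exe", "regsvr32.exe", "mshta.exe"}

NUMERIC_DRIVER = re.compile(r"drivers\\(\d{5,})\.sys$", re.IGNORECASE)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')
AV_LINE = re.compile(r"^AV:\s+(.+?)\s+\*")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk ComboFix-style log lines and return entries that deserve a look.

    Heuristic only: a hit means "review this", not "this is malware".
    """
    findings: List[Dict[str, str]] = []
    current_key = ""          # last [registry key] header seen
    av_products: List[str] = []

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = AV_LINE.match(line)
        if m:                                   # "AV: <product> *state*"
            av_products.append(m.group(1))
            continue

        m = NUMERIC_DRIVER.search(line)
        if m:                                   # drivers\59283962.sys and friends
            findings.append({"kind": "numeric_driver_name",
                             "detail": f"{m.group(1)}.sys: all-digit driver name, "
                                       "typical of dropped kernel components"})
            continue

        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue

        m = REG_VALUE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()

        if name.lower() == "appinit_dlls" and value:
            # Loaded into every process that maps user32.dll; verify the vendor.
            findings.append({"kind": "appinit_dll",
                             "detail": f"{value} is injected into every user32 process"})
        elif (name.lower() == "disablemonitoring" and value.endswith("00000001")
              and "security center" in current_key):
            # Monitoring switched off for a vendor the log never reports as installed.
            product = current_key.rsplit("\\", 1)[-1]
            if not any(av.split()[0].lower() in product for av in av_products):
                findings.append({"kind": "stale_security_center_override",
                                 "detail": f"{product}: monitoring disabled, "
                                           "but no such product is reported"})
        elif current_key.endswith("authorizedapplications\\list"):
            path = name.replace("\\\\", "\\")   # the log doubles the backslashes
            base = path.rsplit("\\", 1)[-1].lower()
            if base in HOST_BINARIES or "\\i386\\" in path.lower():
                findings.append({"kind": "firewall_exception_for_host_binary",
                                 "detail": f"{path} is exempted from the firewall"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a quick overview."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['detail']}")
```

Each hit is a review prompt, not a verdict. The AppInit_DLLs entry, for instance, points at acaptuser32.dll, and the log itself says nothing about whose file that is, so the check exists to make the analyst confirm the vendor rather than to condemn the entry; the same goes for the firewall list, where an exception for wscript.exe is risky regardless of who added it because every script run through that host inherits it.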

#14 Grateful Gal (Topic Starter)

Posted 17 December 2010 - 10:45 PM

Gringo --

While looking at the log and seeing all those files named in the "Firewall Policy Authorization" reg key (and noting that most of them won't update or connect to the internet -- like the Kindle for PC, my Blackberry stuff, anything I've tried to update or use in the last 5 months or so), I thought of two more things that might interest you.

A-) Back in April, when a lot of this started, someone suggested that if I couldn't connect with some programs, I check my Internet Options>Connections>LAN Settings> but the "automatic" option WAS already unchecked, and I use NO proxy.

B-) ALSO -- around then, the Trojan that SuperAntiSpyware found had something to do with my DEP (Data Execution Prevention) settings, and I see (in the properties of what's running, via Process Explorer) that my DEP is disabled -- is that right? Is that hurting me?

After I had to reinstall all of my .NET stuff using XP TCP/IP Repair (see my original post for that story) and reinstall all of the Service Packs on top (as directed), and maybe that was done in Recovery Console mode, because that's a familiar term -- but after that, all of my Internet Options > Security settings and Advanced tab check-boxes were changed and I had to reset them from memory... I've never been sure I got them right --
DO YOU GUYS HAVE A RECOMMENDED LIST for settings in that arena?

Okay, I'll shut up and let you get to the log -- thanks so much for answering my questions, too. The problems are clearly not over.

I've got my email on BB so I'll run to the computer when I see you've replied, thanks!

Edited by Grateful Gal, 17 December 2010 - 10:47 PM.


#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 17 December 2010 - 10:46 PM

Hello

Are you connected to the internet when you run ComboFix?

Can you access the Windows Update site?

How long have you had these problems?

Gringo