Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MS Removal Tool Virus


  • This topic is locked This topic is locked
2 replies to this topic

#1 Dogooder87

Dogooder87

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 12 April 2011 - 06:50 PM

Hello all. Hope someone can help. I find one of my computers infected with the MS Removal Tool virus and have tried all the steps found here http://www.bleepingcomputer.com/virus-removal/remove-ms-removal-tool with no success.

After reboot, MS Removal Tool continues to be there. Have also tried running SuperAntiSpyware.

Here is the DDS Log. Looking forward to any/all replies. Thanks! ~Jack

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Administrator at 18:14:30.14 on Tue 04/12/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.277 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.yahoo.com
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [McAfee Update] c:\docume~1\admini~1\locals~1\temp\mcupdate_1302548393.exe /syncfin c:\docume~1\admini~1\locals~1\temp\mcupdate_1302548393.ini /insfin
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\compaq~1.lnk - c:\program files\compaq connections\5577497\program\Compaq Connections.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper2007261.dll
DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - hxxp://www.acclaim.com/cabs/acclaim_v8.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://mail.greaterakronchamber.org/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
S0 gpuhw;gpuhw;c:\windows\system32\drivers\xoyecja.sys --> c:\windows\system32\drivers\xoyecja.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S2 LMIRescue_dcfb7f43-58d1-461c-aa50-3733843561bf;LogMeIn Rescue (dcfb7f43-58d1-461c-aa50-3733843561bf);c:\docume~1\compaq~1\locals~1\temp\lmir0001.tmp\LMI_Rescue_srv.exe [2011-4-9 2459512]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-4-22 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-4-22 40552]
.
=============== Created Last 30 ================
.
2011-04-12 18:57:33 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-12 18:57:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-11 18:57:24 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-04-11 18:57:15 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Google
2011-04-11 17:51:53 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-04-11 17:51:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-11 17:51:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-11 17:51:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-11 17:51:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-11 17:49:57 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-04-11 17:49:52 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-04-11 17:49:50 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-04-11 17:49:44 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2011-04-09 14:30:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\bId06504ePiEm06504
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2003-08-27 19:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
.
============= FINISH: 18:15:12.37 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Dogooder87

Dogooder87
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 15 April 2011 - 12:49 PM

Virus removed! Downloaded all renamed copies of Rkill (WiNlOgOn worked) and ran that and then everything else within the instructions.

Thanks!

~Jack

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:58 PM

Posted 17 April 2011 - 04:19 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users