
'hello4' virus


  • This topic is locked
9 replies to this topic

#1 krisalf

  • Members
  • 11 posts

Posted 15 May 2011 - 10:43 PM

Hi There,

I recently had the 'hello4' virus on my computer and I think I successfully removed it using SuperAntiSpyware. I am running XP Professional. My problem now is that nothing on my computer works:

- Unable to open PDF documents. Get the message 'There was an error opening this document. Access denied'
- Unable to open any Office documents. I get the message: 'unable to access ...xls/doc etc. The document may be read-only or encrypted'
- Unable to open Outlook. I get the message 'You do not have permission to access the file C:/....outlook.ost'.
- Unable to open many of my other work-related programs. Get different errors but mainly along the lines of access denied, or no permission.
- Unable to copy any of my documents onto an external hard drive or USB. I get the message 'cannot copy xxxx. Access is denied'. On the flip side, I am able to open PDF and Microsoft Office documents from external storage devices.
- Unable to attach any documents to my web email (Yahoo & Gmail). I get an error message and it doesn't attach. I am able to download documents off the internet and open them on my computer and save them to my external USB drives.

I realise my computer is probably screwed and needs re-formatting but I need to find a way to backup all my important documents before I do so. I have tried doing a system restore to a previous good point but I'm unable to select any date before I erased the virus. I also tried a few more things as suggested in this post but to no avail:

http://www.bleepingcomputer.com/forums/topic397435.html/page__gopid__2249636#entry2249636.

Here is the dds.txt. I've attached the other files.

Thanks


.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by KAlfthan at 20:31:24.81 on Sun 05/15/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3572.3226 [GMT -6:00]
.
AV: VirusScan Enterprise + AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\kalfthan\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://hub.slb.com
uDefault_Page_URL = hxxp://hub.slb.com
mDefault_Page_URL = hxxp://hub.slb.com
uInternet Settings,ProxyOverride = <local>;*.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: ViewerHelper Class: {78104a01-8e71-4f30-9a36-3793799615b4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [COMMUNICATOR] "c:\program files\microsoft office communicator\Communicator.exe" /silentRetrials /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Registry Reviver] c:\program files\reviversoft\registry reviver\RegistryReviver.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [EFS] c:\windows\system32\wscript.exe c:\progra~1\novadigm\SLB_EFS.VBS
mRun: [CMGShieldUI] c:\windows\system32\CMGShieldUI.exe
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\connec~1.lnk - c:\program files\connected\CBSysTray.exe
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-system: DisableChangePassword = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {685ec120-f786-4498-a8f0-794d47916161} - {C733FB84-6DB3-4363-8AA7-678F9B5E828E} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {aede78a6-42b6-4c3c-96eb-5ae6dbec4859} - {78104A01-8E71-4F30-9A36-3793799615B4} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Trusted Zone: abbeyinternational.com
Trusted Zone: accenture.com
Trusted Zone: alpinemud.com
Trusted Zone: atbalance.com
Trusted Zone: atosorigin-asp.com
Trusted Zone: atosorigin-asp.com\*.slb
Trusted Zone: books24x7.com
Trusted Zone: boydsrental.com
Trusted Zone: citibank.com
Trusted Zone: coiltubingservices.com
Trusted Zone: dell.com
Trusted Zone: drillmotors.com
Trusted Zone: dutchco.com
Trusted Zone: dyna-drill.com
Trusted Zone: dynadrill.com
Trusted Zone: ecutec.com
Trusted Zone: ecutec.eu
Trusted Zone: emhobbs.com
Trusted Zone: employcareers.com
Trusted Zone: enertech-ws.com
Trusted Zone: etrade.com
Trusted Zone: extremeeng.com
Trusted Zone: geodiamond.com
Trusted Zone: geoquest.com
Trusted Zone: geoservices.com
Trusted Zone: indigopool.com
Trusted Zone: innerlogix.com
Trusted Zone: intouchsupport.com
Trusted Zone: iwilson.com
Trusted Zone: microsoft.com
Trusted Zone: miswaco.com
Trusted Zone: miswaco.com\web
Trusted Zone: ml.com
Trusted Zone: mydexa.com
Trusted Zone: nexusgeo.com
Trusted Zone: omniseals.com
Trusted Zone: pathfinder-int.com
Trusted Zone: pathfinder-ltd.co.uk
Trusted Zone: pathfinderlwd.com
Trusted Zone: perfolog.com
Trusted Zone: petroal.ru
Trusted Zone: petroalliance.com
Trusted Zone: siismithservices.com
Trusted Zone: skillport.com
Trusted Zone: skillsoft.com
Trusted Zone: slb.com\*.aodc
Trusted Zone: smith-innerarmor.com
Trusted Zone: smith-intl.com
Trusted Zone: smith.com
Trusted Zone: smith.com\smithlink
Trusted Zone: smithbits.com
Trusted Zone: smithborehole.com
Trusted Zone: smithdrilling.com
Trusted Zone: ssafara.net
Trusted Zone: standardchartered.com\webbank
Trusted Zone: sweco.com
Trusted Zone: thomastools.com
Trusted Zone: unitedwire.com
Trusted Zone: virtualbranches.com
Trusted Zone: weirhouston.com
Trusted Zone: westerngeco.com
Trusted Zone: whdrillingsolutions.com
Trusted Zone: whes.com
Trusted Zone: wilsonconfidential.com
Trusted Zone: wilsonconfidential.com\www
Trusted Zone: wilsononline.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000}
DPF: {28CB79B1-9311-4F75-BCDE-83660E829CBD} - hxxp://crm-ofs.aodc.slb.com/sales_enu/19227/applets/SiebelAx_HI_Client.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229702934381
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229703551656
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} - hxxp://crm-ofs.aodc.slb.com/sales_enu/19227/applets/SiebelAx_Desktop_Integration.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
Filter: application/msword - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-excel - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/vnd.ms-powerpoint - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Filter: application/x-microsoft-rpmsg-message - {DFF82902-0B96-3B98-6F62-D655E146A23A} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Handler: rmh - {23C585BB-48FF-4865-8934-185F0A7EB84C} - c:\program files\microsoft\rights management add-on\RMAFilt.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: c - Asynchronous
Notify: CMGShieldNP - CmgShieldNP.dll
Notify: itlntfy - itlnfw32.dll
Notify: Logon - Asynchronous
Notify: Q2 - Asynchronous
Notify: slbScCertProp - c:\windows\system32\ScCertProp.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\kalfthan\applic~1\mozilla\firefox\profiles\a9u5lb9h.default\
FF - prefs.js: browser.startup.homepage - hxxp://hub.slb.com/
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CmgHiber;CmgHiber;c:\windows\system32\drivers\CmgHiber.sys [2009-7-30 100976]
R0 CmgShieldCEF;CmgShieldCEF;c:\windows\system32\drivers\CMGShCEF.sys [2009-7-30 283760]
R0 CMGShieldReg;CMGShieldReg;c:\windows\system32\drivers\CmgShREG.sys [2009-7-30 22640]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2010-2-18 244368]
R3 tmobile_mf691_dc_enum;T-Mobile MF691 DC Enumerator;c:\windows\system32\drivers\tmobile_mf691_dc_enum.sys [2010-4-9 80000]
S0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-3-8 343664]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
S1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
S2 CMGShield;CMGShield;c:\windows\system32\cmgshieldsvc.exe --> c:\windows\system32\CmgShieldSvc.exe [?]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\mcafee\virusscan enterprise\engineserver.exe [2009-8-31 21256]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-11-10 103744]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-8-31 146448]
S2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-8-31 66896]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-3-8 70728]
S2 MSSQL$DRILLING;SQL Server (DRILLING);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-9-5 29180768]
S2 R72_NT4;R72_NT4;c:\windows\system32\drivers\r72_nt4.sys --> c:\windows\system32\drivers\R72_NT4.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 vddidecr;Digital Delivery Decrypting Device;c:\windows\system32\drivers\vddidecr.sys [2007-5-7 109312]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-2-18 112512]
S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2010-2-18 32808]
S3 egxfilter;egxfilter;c:\windows\system32\drivers\egxfilter.sys [2010-2-18 93568]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-25 136176]
S3 massfilter;Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-12-31 9216]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-3-8 91672]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-3-8 43288]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-3-8 65448]
S3 tmobile_mf691_cdc_acm;T-Mobile MF691 CDC-ACM driver;c:\windows\system32\drivers\tmobile_mf691_cdc_acm.sys [2010-4-9 86016]
S3 tmobile_mf691_cdc_ecm;tmobile_mf691_cdc_ecm;c:\windows\system32\drivers\tmobile_mf691_cdc_ecm.sys [2010-4-9 50304]
S3 tmobile_mf691_cpo;T-Mobile webConnect CPO device;c:\windows\system32\drivers\tmobile_mf691_cpo.sys [2010-4-9 9728]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-12-31 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\ZTEusbvoice.sys [2010-12-31 105088]
S4 EMS;EMS;EMSService.exe --> EMSService.exe [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-25 136176]
.
=============== Created Last 30 ================
.
2011-05-16 02:31:24 98816 ----a-w- c:\temp\1.tmp\SED.DAT
2011-05-16 02:31:24 89088 ----a-w- c:\temp\1.tmp\MBR.DAT
2011-05-16 02:31:24 518144 ----a-w- c:\temp\1.tmp\SWREG.DAT
2011-05-16 02:31:24 256512 ----a-w- c:\temp\1.tmp\PEV.DAT
2011-05-16 02:27:31 518144 ----a-w- c:\temp\2.tmp\SWREG.DAT
2011-05-16 02:27:30 98816 ----a-w- c:\temp\2.tmp\SED.DAT
2011-05-16 02:27:27 256512 ----a-w- c:\temp\2.tmp\PEV.DAT
2011-05-16 02:27:25 89088 ----a-w- c:\temp\2.tmp\MBR.DAT
2011-05-16 02:21:58 98816 ----a-w- c:\temp\170.tmp\SED.DAT
2011-05-16 02:21:58 89088 ----a-w- c:\temp\170.tmp\MBR.DAT
2011-05-16 02:21:58 518144 ----a-w- c:\temp\170.tmp\SWREG.DAT
2011-05-16 02:21:58 256512 ----a-w- c:\temp\170.tmp\PEV.DAT
2011-05-15 06:03:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-15 06:02:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-14 05:07:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Schlumberger
2011-05-14 05:05:43 45056 ----a-w- c:\temp\{93f4b0bc-832a-4f13-baef-fff0277fef03}\Slb.Drilling.Services.Connection.dll
2011-05-14 05:05:30 21504 ----a-w- c:\temp\{93f4b0bc-832a-4f13-baef-fff0277fef03}\Slb.Drilling.Services.SQLServerSetupHelpers.dll
2011-05-14 02:12:20 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-05-13 08:28:42 -------- d-----w- c:\docume~1\kalfthan\locals~1\applic~1\Babylon
2011-05-13 08:28:39 -------- d-----w- c:\docume~1\kalfthan\applic~1\Babylon
2011-05-13 08:28:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Babylon
2011-05-13 08:20:35 -------- d-----w- c:\docume~1\kalfthan\applic~1\Reviversoft
2011-05-13 08:20:15 16704 ----a-w- c:\windows\system32\roboot.exe
2011-05-13 08:16:50 -------- d-----w- c:\docume~1\kalfthan\applic~1\Pointstone
2011-05-13 08:15:40 -------- d-----w- c:\program files\Pointstone
2011-05-13 02:39:42 49152 ----a-w- c:\temp\sagekey\sagekey.dll
2011-05-13 01:47:12 -------- d-----w- c:\program files\RegTweaker
2011-05-12 15:55:04 923248 ----a-w- c:\temp\00d37f26-bab0-7891-95c9-279b652a39fd\Setup.exe
2011-05-12 11:54:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-05-12 11:54:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-05-12 11:52:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-12 10:30:36 -------- d-----w- c:\program files\Sypbot
2011-05-12 09:22:30 1076736 ----a-w- c:\temp\00d37f26-bab0-7891-95c9-279b652a39fd\BabyServices.dll
2011-05-12 09:19:46 112128 ----a-w- c:\temp\00d37f26-bab0-7891-95c9-279b652a39fd\BException.dll
2011-05-12 04:24:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 02:05:47 -------- d-----w- c:\docume~1\kalfthan\applic~1\SUPERAntiSpyware.com
2011-05-12 02:05:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-12 00:14:34 -------- d-----w- c:\program files\Best Spyware Scanner
.
==================== Find3M ====================
.
.
============= FINISH: 20:32:06.09 ===============


Please help!

Attached Files




#2 rigacci

    Fiorentino

  • Members
  • 2,604 posts
  • Gender:Male

Posted 27 May 2011 - 08:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 krisalf
  • Topic Starter

  • Members
  • 11 posts

Posted 29 May 2011 - 05:45 AM

Thanks for the reply. I haven't been able to resolve the problem...I was hoping someone on here would be able to help me salvage some of my documents before I re-image my computer. The symptoms are as described in the post above.
I've attached the DDS and GMER logs.

Thanks

Attached Files



#4 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 29 May 2011 - 02:39 PM

Hi krisalf
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to try and help you get cleaned up.

Have you ever used this...
'CenturionMail' by CenturionSoft. CenturionMail is a security program for encrypting E-mails as well as files/folders. CenturionMail uses self-decrypting technology so your recipient needs nothing to open the encrypted email except the password.

Please do This.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista/Windows7 users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
  • The log can be located here if it was closed. C:\Combofix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.

If you are prompted to install the Recovery Console, Please do so.

Please answer my question and post the Combofix log.
Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#5 krisalf
  • Topic Starter

  • Members
  • 11 posts

Posted 29 May 2011 - 06:57 PM

Hi Maranatha, thanks for your help. The ComboFix log.txt file was apparently too big to upload here so I zipped it and uploaded it. Hope this is ok. I've never used CenturionMail.

Thanks

kris

Attached Files



#6 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 29 May 2011 - 11:19 PM

Hi

This is a work computer with Credant encryption software and un-encryption software.
The problems you are having may be due to this software being corrupted.
Try to uninstall and reinstall CMG Windows Shield.

I'm not sure we can fix what has been corrupted or where that may leave your client's documents.

Now the choice is yours, we can try to fix it, which may be a long haul.
It may require uninstalling and reinstalling of software that is corrupted.

If you wish to reformat then try uninstalling and reinstalling CMG Windows Shield
and see if you can then save the documents you are after.

Let me know
===================================================================================

If you want to try and fix it then do the steps below, Make sure you answer any of my questions from here on out

Reviversoft has bad reviews - any problems with it? I would remove it.

Do you know what this is? It is not "Spybot"
c:\program files\Sypbot

We need to check to see if these programs are working properly, If not they will need to be uninstalled and reinstalled.

c:\program files\iTunes\iTunesHelper
c:\program files\Malwarebytes' Anti-Malware
c:\program files\McAfee\Common Framework\udaterui .exe - Check to see that McAfee will update.
c:\program files\McAfee\VirusScan Enterprise
c:\program files\T-Mobile\webConnect Manager

Any problems with the Audio on your computer?


Please do this.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.
KillAll::
RenV::
c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\windows\system32\EmsServiceHelper .exe
c:\program files\QuickTime\qttask                          .exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"itlsvc"=-
"itlperf"=-

Please post the Combofix log.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here
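As an added example (my own code, not part of this thread and not something from the DDS or ComboFix tools), here is a small Python triage script for the two kinds of evidence this thread turns on: the DDS log in post #1 and the CFScript in post #6. It flags executables with whitespace wedged in before their extension (the kind of name the RenV:: entries above list, such as "qttask .exe"), services whose binary DDS could not resolve (the [?] / [x] markers), svchost-hosted services together with their -k group (the CFScript removes the itlsvc/itlperf pair from the svchost key, so a custom group is worth a look rather than a verdict), and Hosts-file overrides. The sample lines are excerpted from the log and script above; the finding names, my reading of [?]/[x] as "binary not found on disk", and the proposed_rename helper are assumptions of mine, not documented DDS or ComboFix behaviour.

```python
import re

# Sample lines excerpted from the DDS log (post #1) and the CFScript (post #6)
# in this thread. Nothing else here comes from the thread or the tools.
SAMPLE_LOG = r"""
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [<NO NAME>]
S1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
S2 R72V2NT4;R72V2NT4; [x]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-4 14336]
S2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-8-31 146448]
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Whitespace immediately before a program/driver extension, e.g. "qttask .exe".
# A file named like this is not the real qttask.exe even though it looks like it.
SPACED_EXT = re.compile(r'\s+\.(exe|dll|sys|scr)\b', re.IGNORECASE)

# DDS service/driver line: "<state> <name>;<description>;<path and details>"
SERVICE_LINE = re.compile(
    r'^(?P<state>[RS][0-4])\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<rest>.*)$')

# svchost-hosted service and the -k group it is loaded into
SVCHOST_GROUP = re.compile(r'svchost(?:\.exe)?\s+-k\s+(\S+)', re.IGNORECASE)


def analyse_line(line):
    """Return a list of (finding_kind, detail) tuples for one DDS log line."""
    findings = []
    if SPACED_EXT.search(line):
        findings.append(("spaced-extension", line.strip()))
    m = SERVICE_LINE.match(line)
    if m:
        rest = m.group("rest").rstrip()
        # Assumption: DDS prints [?] / [x] when it cannot find the listed
        # binary on disk (or the service has no image path at all).
        if rest.endswith("[?]") or rest.endswith("[x]"):
            findings.append(("unresolved-service-binary", m.group("name")))
        g = SVCHOST_GROUP.search(rest)
        if g:
            # Informational: which svchost group hosts this service. Compare the
            # group name against HKLM\...\CurrentVersion\svchost before acting.
            findings.append(("svchost-group", f"{m.group('name')} -> {g.group(1)}"))
    if line.startswith("Hosts:"):
        # Any Hosts override is worth reviewing; here it blocks a security site.
        findings.append(("hosts-override", line[len("Hosts:"):].strip()))
    return findings


def analyse_log(text):
    """Run analyse_line over every line of a DDS log and collect the findings."""
    findings = []
    for line in text.strip().splitlines():
        findings.extend(analyse_line(line))
    return findings


def proposed_rename(path):
    """Collapse the whitespace before the extension: 'qttask .exe' -> 'qttask.exe'.
    This is the correction I would propose for a spaced-extension finding; it is
    my helper, not a statement of what ComboFix's RenV:: directive does."""
    return re.sub(r'\s+\.(exe|dll|sys|scr)\b', r'.\1', path, flags=re.IGNORECASE)


if __name__ == "__main__":
    for kind, detail in analyse_log(SAMPLE_LOG):
        print(f"{kind:28} {detail}")
    print(proposed_rename(r"c:\program files\QuickTime\qttask                          .exe"))
```

Run it as-is to see the five findings from the excerpt; on a real log, paste the whole DDS output into SAMPLE_LOG or read it from a file. The svchost-group finding is deliberately not scored as bad: many legitimate services run under svchost, so the point is only to surface the group name for a manual check.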


#7 krisalf
  • Topic Starter

  • Members
  • 11 posts

Posted 01 June 2011 - 06:40 AM

Hi Maranatha, sorry for the late reply, I was away for the weekend.

So, a few things...I am unable to uninstall CMG Windows Shield...it doesn't appear in the add/remove programs list and I did a bit of research and apparently it's uninstallable? Any ideas? I tried downloading some special uninstall programs but it doesn't appear in those either.

In terms of your other questions:

Do you know what this is? It is not "Spybot"
c:\program files\Sypbot
- Yes, this is actually Spybot, I created a folder for it and just named it wrong.

We need to check to see if these programs are working properly, If not they will need to be uninstalled and reinstalled.

c:\program files\iTunes\iTunesHelper - No, this doesn't work. I'll try re-installing.
c:\program files\Malwarebytes' Anti-Malware - Yes, works fine. I installed this after I had the problems though.
c:\program files\McAfee\Common Framework\udaterui .exe - Check to see that McAfee will update. - Nothing happens if I click on udaterui.exe. I can launch McAfee from my start menu, click 'update now', but once that's done the update bar never grows, just stays at '0'.
c:\program files\McAfee\VirusScan Enterprise - I can launch McAfee from my start menu and it appears to work fine. It scans for viruses.
c:\program files\T-Mobile\webConnect Manager - No, this doesn't work; this was just software to use my 3G USB stick.

Any problems with the Audio on your computer? No problems, audio is fine.


In terms of the log, I had trouble generating it. ComboFix caused a process to terminate in CMG Shield and my computer shut down. When I restarted it, ComboFix was no longer on my computer!? I tried downloading it again but every time I tried to save it, I got an error message saying 'access denied, unable to save file, try a different location'. Tried saving it to different locations but none of them would work. I also tried downloading it from a different computer onto a USB and copying it across but that didn't work either. I am still able to download other files off the internet no problem and save and open them, so strange it won't let me do that with ComboFix...

As you say I think the problem is with the CMG encryption. Ideally I'd just like to remove that and try to save some of my important documents and then re-format my computer but at the moment I can't find a way to un-install it. I also tried to decrypt the files but I seem unable to do that too...

Thanks

Kris

#8 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 01 June 2011 - 07:25 AM

Hi
The program shows in the DDS Attached.txt uninstall list?

See attachment below.

Do you have the program that you can reinstall it from? CD / DVD? or access to reinstalling it?

Your McAfee may need to be reinstalled if the Update is not working

Attached Files


Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here


#9 krisalf
  • Topic Starter

  • Members
  • 11 posts

Posted 04 June 2011 - 10:44 PM

hi maranatha,

I've managed to fix the problem...I was unable to uninstall CMG Windows Shield but what I did do was install a newer version of the software, booted my computer back up and suddenly everything works again...my programs work and I can open all my documents normally. Thanks for your help. I'll be able to get all the documents I need now and re-format my computer.

Thanks

kris

#10 maranatha

    Whats That !

  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 04 June 2011 - 11:07 PM

Hi krisalf
That's great, glad you found a fix.

Let me leave you with some recommendations.


The following is a list of tools and utilities that we recommend to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft.
    To do this, just click Start > All Programs > Windows Update, and follow the online instructions from there.
    (It is recommended that you have Windows Updates set to download and install automatically.)

  • One of your first defenses against infections and hackers is an anti-virus and a firewall.
    These are a must have to help keep you protected in today's Internet world.
    Here are some good ones, and the best part, they are free!

    Please download and run only 1 AV and only 1 firewall.

    Anti-Virus
    AVGFree
    Avast
    Avira

    Firewall
    Comodo Firewall > During the setup process you will be given a choice, Please choose: Install the Firewall as a standalone
    Zonealarm Firewall

    Download, Update and scan your computer with the AV. Quarantine/Delete anything it finds.
    Make sure it is kept updated.
    Do regular scans. Most AVs can be scheduled to scan at a given time; this is also recommended.

    Also I suggest you read this.
    Understanding Firewalls

  • Malwarebytes' Anti-Malware (MBAM)
    http://www.malwarebytes.org/mbam.php (Home page)
    Malwarebytes' Anti-Malware is considered to be the next step in the detection and removal of malware.
    Some Key Features:
    Operating Systems: Microsoft® Windows 2000, XP, Vista and 7 (32-bit and 64-bit).
    Database updates released daily.
    Works together with other anti-malware utilities.
    This is a free program with the option of Activating a full version, unlocking realtime protection, scheduled scanning, and scheduled updating. There is a one time fee for the full version.
    Remember to ALWAYS check for and install available updates prior to scanning!

  • SpywareBlaster is a Freeware (for personal use) application that will help to prevent the installation of spyware and other potentially unwanted software. It accomplishes this by blocking the installation of many known bad ActiveX controls, spyware and tracking cookies, and restricting the actions of potentially unwanted sites. SpywareBlaster does not require any running or background processes to work once protections are enabled, which means it will not slow down your system in any way.
    Remember to check for and install available updates once a month!


  • SpywareGuard - A spyware "shield" to protect your computer, acting much like your antivirus real-time protection. Its features include scanning files for spyware before you open them, blocking spyware downloads in Internet Explorer and monitoring/preventing attempted browser hijacking. Small and lightweight, yet powerful! Compatible with Windows 98, ME, 2000 & XP.
    FREEWARE (for personal use)

  • The MVPS Hosts File or similar HOSTS file will actually block a list of known bad sites from even loading in your browser. It can also be used to block ads, banners, 3rd party cookies and more. Operating system compatibility and installation instructions are provided.

  • Install WinPatrol to monitor some key registry locations, file system changes, and other important areas, and have it alert you of the changes BEFORE allowing them to take place.

  • Another thing we would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites. When using a search engine, the ratings show up as small dots next to the web site: green for good, yellow for caution, red for bad. Set your cursor on the dot for a small pop-up window that provides more information on that web site.
    Web Browser: Internet Explorer 6 or 7. Also works with Firefox.
    Operating System: Windows 2000 (Service Pack 4), Windows XP and Windows Vista

  • If you would prefer something other than McAfee SiteAdvisor, you can go with this:
    WOT Web Of Trust.
    This is also free and is a well respected tool.

Now, just because you have security applications installed does not mean you are protected; they are useless unless updated regularly.
Most of the above recommended applications are updated periodically, and it's up to you to check for updates. Set aside time one day each month to update all of your protections.


To find out more information about how you got infected in the first place and more great guidelines to follow to prevent future infections you can read
this article by Grinler

Surf Safely!
maranatha

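The MVPS HOSTS file recommendation above works by mapping known-bad hostnames to a sinkhole address (0.0.0.0 or 127.0.0.1) so the browser never reaches the real site. The following is an added example, not code from the post or from the MVPS project, showing how a resolver reads such a file and which lookups it does and does not block: it parses a constructed HOSTS-format sample (comments, tabs, several hostnames per line, mixed case), then checks hostnames against it. The sample entries under example.net / example.org / example.com are made up for this illustration. Note the caveat the parser makes visible: a HOSTS entry only matches the exact hostname, so a subdomain such as cdn.ads.example.net is not blocked by an entry for ads.example.net, and IP-literal URLs bypass the file entirely.

```python
"""Parse a HOSTS-style blocklist and check whether a hostname would be sunk."""
import ipaddress

# Addresses the MVPS list (and similar lists) use as a sinkhole.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed sample in HOSTS file format; these hostnames are invented for the example.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1 localhost
::1       localhost
0.0.0.0 ads.example.net    # inline comment
0.0.0.0 tracker.example.org www.tracker.example.org
0.0.0.0\tMalware.Example.COM
# 0.0.0.0 commented-out.example.net
192.0.2.10 intranet.example.local
"""


def parse_hosts(text):
    """Return {hostname_lower: ip_string} for every valid entry.

    Comments (full-line or inline '#'), blank lines and malformed lines are skipped.
    Hostnames are case-insensitive, so they are stored lower-cased. The first
    entry for a name wins, which is how the hosts file is consulted by the resolver.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()  # whitespace separated: IP followed by one or more names
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid IPv4/IPv6 address: ignore the line
        for host in parts[1:]:
            mapping.setdefault(host.lower(), str(ip))
    return mapping


def is_blocked(hostname, mapping):
    """True if this exact hostname is mapped to a sinkhole address.

    Lookups normalise case and a trailing dot; there is no suffix matching,
    so subdomains of a blocked name are NOT blocked unless listed themselves.
    """
    ip = mapping.get(hostname.strip().rstrip(".").lower())
    return ip is not None and ip in SINKHOLE_ADDRS


def blocked_hosts(mapping):
    """Sorted list of every sunk hostname, excluding the normal localhost entry."""
    return sorted(h for h, ip in mapping.items() if ip in SINKHOLE_ADDRS and h != "localhost")


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_hosts(table))
    for name in ("ADS.example.net.", "cdn.ads.example.net", "intranet.example.local"):
        print(f"{name:24} blocked={is_blocked(name, table)}")
```

Running the block prints the four sunk names and shows that the subdomain and the intranet host are not blocked, which is why a HOSTS file is a useful extra layer but not a substitute for the antivirus and firewall recommended above.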




