
Have "Windows XP Recovery" and TDSS


  • This topic is locked
19 replies to this topic

#1 bventure

bventure

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 08 June 2011 - 03:08 PM

On Monday June 6th at about 16:30 I suddenly started getting messages about “Windows XP Recovery”. I removed using bleepingcomputer instructions, and it went pretty much as expected except for the following:
• Kaspersky TDSSKiller found no TDSS rootkit.
• Had to rename Malwarebytes to install. This found 6 infected files. (Log below)
• Malwarebytes found TDSS, which TDSSKiller said wasn't present.
• Unhide finished OK and appeared to unhide everything, but dos window says “'PEV' is not recognized as an internal or external command, operable program or batch file." at end.

Given the divergences from the recommended removal procedure, and the fact that I probably now have TDSS, thought I'd better post this, firstly in case I still have any undetected infection and secondly for your information so you can if necessary update or expand the removal instructions.

Almost everything now appears to work OK, but
• All shortcuts have been deleted from C:\Documents and Settings\All Users\Start Menu\Programs. I have to go through replacing them manually. I copied most from another computer, but still have a few awkward ones to sort out.
• When trying to repair SQL Server 2008 as part of the above, I discovered I couldn’t open the CD drive. I assume the virus has disabled this, and I haven’t found a way of re-enabling it yet. Event viewer says (source ‘atapi’) - The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Also loads of Microsoft antimalware messages in event viewer, which don’t match what Malwarebytes found. See separate attachment with Security Essentials screens & antimalware event details. Security Essentials history lists the events shown in the event log, but shows TDSS as Allowed! When I select ‘Allowed’ it doesn’t list them so I can’t attempt to delete by this route. Maybe Malwarebytes already removed them? Judging by one of the event log messages the trojan attempted to delete Security Essentials history and failed. I have Security Essentials screenshots but too large to attach.

I also found (and removed) these entries via the “Windows XP Recovery” start menu icon properties.
• "C:\Documents and Settings\All Users\Application Data\16375588.exe"
• "C:\Documents and Settings\All Users\Application Data\16375588.exe" 1

I downloaded TDSSKiller again today (as it had been updated) and ran it again, and it wasn’t happy with nv4_mini.sys, and said ‘skip’. I downloaded and installed a new set of NVIDIA drivers, and now TDSSKiller doesn’t complain, but I notice GMER still mentions this file as ‘writable sector’, so maybe still some issue here.

GMER I ran twice, as first time I got a blue screen after it had been checking Files for an hour or more. I ran once with Files unchecked, then again with only Files checked. The log from the first is attached; the Files scan reported all was well.

In summary then
• I got the “Windows XP Recovery” virus
• I fixed it with your instructions, with some notable variations
• It looks like it came with TDSS, but the tests are inconsistent on this.
• I think I have everything back apart from a few Start Menu shortcuts and my CD/DVD drive
• I don’t trust my machine at the moment!

Any help from here on in would be very gratefully received. I'm very concerned I may still have an active rootkit.

Regards
Martin

Machine is Dell Vostro laptop with XP Pro SP3. Here are the logs.

====================================================================================================================


DDS.txt
====================================================================================================================
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Run by martin at 11:25:22 on 2011-06-08
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1188 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Program Files\IBM\SQLLIB\bin\db2dasrrm.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MicroStrategy\Enterprise Manager\MAEMETLS.exe
C:\Program Files\IBM\SQLLIB\bin\db2dasstm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\MicroStrategy\MSTRLsn.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\DataDirect\slserver55\bin\swagent.exe
C:\Program Files\DataDirect\slserver55\bin\swstrtr.exe
C:\Program Files\DataDirect\slserver55\bin\swsocw.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\IBM\SQLLIB\BIN\db2systray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\AceBIT\WISE-FTP 6\wf_tp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\IBM\SQLLIB\java\jdk\jre\bin\javaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\MicroStrategy\MJMulPrc_32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=uk-smb
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=uk-smb
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=h3lg2RzgLeadPb8HrEvsiP50OTQ
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=uk-smb
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Web Test Recorder 9.0: {3c7adade-d1e8-45d2-bdcd-7f8d8b99b2a2} - mscoree.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [WISE-FTP Task Planner] "c:\program files\acebit\wise-ftp 6\wf_tp.exe" /bg
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [db2systray.exe DB2] c:\program files\ibm\sqllib\bin\db2systray.exe DB2
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\martin\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: principality.co.uk\remote
Trusted Zone: windowsupdate.com\download
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233361203343
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://fasthosts-events.webex.com/client/T27LB/nbr/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpnuk.mfglobal.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpnuk.mfglobal.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{9A30EFE1-77BA-4E23-B856-CE84877F5754} : DhcpNameServer = 192.168.2.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\martin\application data\mozilla\firefox\profiles\kyyhm29i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=ConduitEngine&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2010-4-16 65584]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-6-29 214664]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl9a94fbca;MpKsl9a94fbca;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{52b17ede-6fde-4cb8-a2a3-789fd33b60b8}\MpKsl9a94fbca.sys [2011-6-7 28752]
R1 NEOFLTR_640_14063;Juniper Networks TDI Filter Driver (NEOFLTR_640_14063);c:\windows\system32\drivers\NEOFLTR_640_14063.sys [2009-3-11 77096]
R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-4-25 57144]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]
R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-6-23 1737464]
R2 MAEMETLS;MicroStrategy Enterprise Manager Data Loader;c:\program files\microstrategy\enterprise manager\MAEMETLS.EXE [2009-6-24 77912]
R2 MAPing;MicroStrategy Listener;c:\program files\common files\microstrategy\MSTRLsn.exe [2009-6-24 159744]
R2 MicroStrategy Intelligence Server;MicroStrategy Intelligence Server;c:\program files\microstrategy\intelligence server\MSTRSvr.exe [2009-6-24 159744]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2010-4-3 214880]
R2 MSSQL$SQL2008EXPRESS;SQL Server (SQL2008EXPRESS);c:\program files\microsoft sql server\mssql10.sql2008express\mssql\binn\sqlservr.exe [2009-3-30 43010392]
R2 MSSQL$SQL2008R2;SQL Server (SQL2008R2);c:\program files\microsoft sql server\mssql10_50.sql2008r2\mssql\binn\sqlservr.exe [2010-4-3 42884448]
R2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\oracle.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [?]
R2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\bin\TNSLSNR.EXE [2006-2-2 204800]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-28 870200]
R2 ReportServer$SQL2008EXPRESS;SQL Server Reporting Services (SQL2008EXPRESS);c:\program files\microsoft sql server\msrs10.sql2008express\reporting services\reportserver\bin\ReportingServicesService.exe [2009-3-30 1113448]
R2 ReportServer$SQL2008R2;SQL Server Reporting Services (SQL2008R2);c:\program files\microsoft sql server\msrs10_50.sql2008r2\reporting services\reportserver\bin\ReportingServicesService.exe [2010-4-3 1177952]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\mssql.3\reporting services\reportserver\bin\ReportingServicesService.exe [2010-12-10 13664]
R2 SLAgent55;SLAgent55;c:\program files\datadirect\slserver55\bin\swagent.exe [2007-6-5 757829]
R2 SLSocket55;SLSocket55;c:\program files\datadirect\slserver55\bin\swstrtr.exe [2007-6-5 118853]
R3 pmxscan;USB Flatbed Scanner Driver;c:\windows\system32\drivers\usbscan.sys [2010-7-17 11056]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-25 136176]
S2 MSOLAP$SQL2008R2;SQL Server Analysis Services (SQL2008R2);c:\program files\microsoft sql server\msas10_50.sql2008r2\olap\bin\msmdsrv.exe [2010-4-3 25768800]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-25 136176]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-6-23 9216]
S3 MfeAVFK;McAfee Inc. MfeAVFK;c:\windows\system32\drivers\mfeavfk.sys [2009-6-29 79816]
S3 MfeBOPK;McAfee Inc. MfeBOPK;c:\windows\system32\drivers\mfebopk.sys [2009-6-29 35272]
S3 MfeRKDK;McAfee Inc. MfeRKDK;c:\windows\system32\drivers\mferkdk.sys [2009-6-29 34248]
S3 MicroStrategy Distribution Manager;MicroStrategy Distribution Manager;c:\program files\microstrategy\narrowcast server\delivery engine\MCDM.EXE [2009-6-24 540672]
S3 MicroStrategy Execution Engine;MicroStrategy Execution Engine;c:\program files\microstrategy\narrowcast server\delivery engine\MCDE.EXE [2009-6-24 524288]
S3 MicroStrategy Logging Client;MicroStrategy Logging Client;c:\program files\microstrategy\narrowcast server\delivery engine\MCLogSvc.EXE [2009-6-24 286720]
S3 MicroStrategy Logging Consumer;MicroStrategy Logging Consumer;c:\program files\microstrategy\narrowcast server\delivery engine\MCLogCon.EXE [2009-6-24 102400]
S3 MicroStrategy Logging Server;MicroStrategy Logging Server;c:\program files\microstrategy\narrowcast server\delivery engine\MCLogSvc.EXE [2009-6-24 286720]
S3 MicroStrategy NC PDF Formatter;MicroStrategy NC PDF Formatter;c:\program files\microstrategy\narrowcast server\delivery engine\MCPDFWRP.EXE [2009-6-24 249856]
S3 MicroStrategy SMTP Service;MicroStrategy SMTP Service;c:\program files\microstrategy\narrowcast server\delivery engine\MCSMTPSv.EXE [2009-6-24 454656]
S3 MicroStrategy System Monitor;MicroStrategy System Monitor;c:\program files\microstrategy\narrowcast server\delivery engine\MCMemUsg.EXE [2009-6-24 12288]
S3 SQLAgent$SQL2008R2;SQL Server Agent (SQL2008R2);c:\program files\microsoft sql server\mssql10_50.sql2008r2\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLFDLauncher$SQL2008EXPRESS;SQL Full-text Filter Daemon Launcher (SQL2008EXPRESS);c:\program files\microsoft sql server\mssql10.sql2008express\mssql\binn\fdlauncher.exe [2008-7-10 31256]
S4 MSSQLFDLauncher$SQL2008R2;SQL Full-text Filter Daemon Launcher (SQL2008R2);c:\program files\microsoft sql server\mssql10_50.sql2008r2\mssql\binn\fdlauncher.exe [2010-4-3 28512]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
S4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe xe --> c:\oraclexe\app\oracle\product\10.2.0\server\bin\extjob.exe XE [?]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQL2008EXPRESS;SQL Server Agent (SQL2008EXPRESS);c:\program files\microsoft sql server\mssql10.sql2008express\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-06-07 16:21:46 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{52b17ede-6fde-4cb8-a2a3-789fd33b60b8}\MpKsl9a94fbca.sys
2011-06-07 16:20:45 6962000 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{52b17ede-6fde-4cb8-a2a3-789fd33b60b8}\mpengine.dll
2011-06-06 17:06:40 -------- d-----w- c:\program files\martin
2011-06-06 17:06:00 7734240 ----a-w- C:\martin.exe
2011-06-06 15:25:25 4224 ----a-w- c:\windows\system32\beep.sys
2011-05-18 16:04:45 -------- d-----w- c:\documents and settings\martin\application data\Microsoft Corporation
.
==================== Find3M ====================
.
2011-05-29 08:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 13:34:50 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
.
============= FINISH: 11:25:48.73 ===============


====================================================================================================================

MBAM LOG
====================================================================================================================
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6788

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

07/06/2011 07:38:55
mbam-log-2011-06-07 (07-38-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 498378
Time elapsed: 4 hour(s), 40 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VyuAmrmEfIELC (Trojan.FakeMS) -> Value: VyuAmrmEfIELC -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\vyuamrmefielc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\16375588.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP711\A0097986.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\program files\microsoft sdks\Windows\v7.0A\bin\ctrpp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

Attached Files


Edited by bventure, 08 June 2011 - 04:17 PM.
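Reading the Malwarebytes log above by hand is error-prone once it grows beyond a handful of lines, so here is an added example (written for this page, not code from the post, from BleepingComputer or from Malwarebytes) that parses those detection lines and pulls out what a responder checks first: how many items per family and section, whether every item was actually removed, which entries are logon persistence under a `Run` key, which are policy values (the `DisableTaskMgr` Bad/Good line), and which hits live inside System Restore points. The embedded excerpt is copied from the log in the post; the section names and the `item (Family) -> detail -> action` layout are MBAM's own, while the regex, the function names and the triage categories are assumptions of this example. The restore-point check matters because a file under `System Volume Information\_restore` is a dormant snapshot copy rather than a loaded driver, which is one reason a tool that inspects active drivers can report nothing while a full file scan reports TDSS.

```python
import re
from collections import Counter

# Excerpt copied from the Malwarebytes log in the post above; only the sections
# that listed detections are reproduced (the others reported nothing).
MBAM_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VyuAmrmEfIELC (Trojan.FakeMS) -> Value: VyuAmrmEfIELC -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\vyuamrmefielc.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\16375588.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP711\A0097986.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\program files\microsoft sdks\Windows\v7.0A\bin\ctrpp.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
"""

# First segment of a detection line is "<item> (<family>)"; the family is the
# last parenthesised token. (Regex is an assumption of this example.)
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, details, action."""
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):
            section = line[:-len(" Infected:")]   # e.g. "Registry Values"
            continue
        if line.startswith("(No malicious items"):
            continue
        if section is None or " -> " not in line:
            continue
        parts = line.split(" -> ")
        m = ITEM_RE.match(parts[0])
        if not m:
            continue
        detections.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "details": parts[1:-1],   # e.g. ["Bad: (1) Good: (0)"] or ["Value: ..."]
            "action": parts[-1],
        })
    return detections


def triage(detections):
    """Summarise detections and pull out the facts a responder checks first."""
    return {
        "families": Counter(d["family"] for d in detections),
        "sections": Counter(d["section"] for d in detections),
        # Anything MBAM could not quarantine still needs attention.
        "not_removed": [d["item"] for d in detections
                        if not d["action"].startswith("Quarantined and deleted")],
        # Autostart entries under ...\CurrentVersion\Run relaunch the payload at
        # logon; the file such a value points at should also appear as removed.
        "run_key_persistence": [d["item"] for d in detections
                                if d["section"] == "Registry Values"
                                and "\\currentversion\\run\\" in d["item"].lower()],
        # Policy values reported as Bad/Good (here DisableTaskMgr=1): the visible
        # symptom (Task Manager blocked) should clear once the value is reset.
        "policy_tampering": [(d["item"].rsplit("\\", 1)[-1], d["details"])
                             for d in detections
                             if d["section"] == "Registry Data Items"],
        # Copies inside System Volume Information\_restore are dormant restore-point
        # snapshots, not a loaded driver; an active-driver scan can miss them while
        # a full file scan flags them.
        "in_restore_point": [d["item"] for d in detections
                             if "\\system volume information\\_restore" in d["item"].lower()],
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(MBAM_LOG)).items():
        print(f"{key}: {value}")
```

Run it on a saved `mbam-log-*.txt` by reading the file into `parse_mbam_log` instead of the embedded excerpt; the `not_removed` list is the one to look at first, and the `in_restore_point` list explains the apparent TDSSKiller/MBAM disagreement in the post without implying an active rootkit either way.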




#2 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:08:27 PM

Posted 17 June 2011 - 08:29 AM

Hi,

Welcome to Bleeping Computer. My name is oneof4 and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic box to the right of your topic title and selecting Immediate Notification.


Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:

Best Regards,
oneof4.


#3 bventure

bventure
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 18 June 2011 - 11:19 AM

Yes, oneof4, I'm here. Sorry it's taken a while to get back to you, I work away a fair bit and often won't see emails for a couple of days, but I will always respond.

Thanks for your assistance. It is really appreciated.
Martin

#4 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:08:27 PM

Posted 20 June 2011 - 06:32 AM

Hey bventure, :)

Sorry for the delay getting back to you. It's been a very busy weekend for me. Give me a little while to present my proposed fix to one of the Malware Response Team Leaders for their approval, and I'll get something to you ASAP. :thumbup2:

Best Regards,
oneof4.


#5 bventure

bventure
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 20 June 2011 - 07:10 AM

No problem, I know what it's like, and as I said I greatly appreciate your efforts on my behalf.

I'm not around Thursday/Friday, so if there's a delay in my response to you that'll be why. Just so you know, the affected laptop has its wireless disabled (by me) since the incident, so I'm using an old desktop in the meantime. The laptop seems to be working OK (except of course still no optical drive etc.). I mainly use it for SQL Server & .NET development.

Best wishes
Martin

#6 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:08:27 PM

Posted 22 June 2011 - 09:07 AM

Hello bventure, :)


Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
  • Double click on ComboFix.exe & follow the prompts.
The Recovery Console step that follows does not apply to Vista or Windows 7

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

Best Regards,
oneof4.


#7 bventure

bventure
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:01:27 AM

Posted 22 June 2011 - 12:46 PM

Hi oneof4. Thanks for your help. I have run combofix and everything went as per your instructions (including installation of Windows Recovery Console). It did not ask for reboot at finish.

The log is attached. I've had a look through it and, while I don't pretend to understand much of it, I recognise most. The only worrying part I could spot is...

--- Other Services/Drivers In Memory ---
*NewlyCreated* - 72303570
*NewlyCreated* - MPKSL44BCC578
*Deregistered* - 72303570


... which looked suspicious to me.

As to how the machine is running, no change really, it was apparently running OK before, after Malwarebytes etc., but I still haven't enabled the wireless card (except briefly to allow combofix to download recovery console). The only visible problems are (copied/pasted from my original post):
• All shortcuts have been deleted from C:\Documents and Settings\All Users\Start Menu\Programs. I have to go through replacing them manually. I copied most from another computer, but still have a few awkward ones to sort out.
• When trying to repair SQL Server 2008 as part of the above, I discovered I couldn’t open the CD drive. I assume the virus has disabled this, and I haven’t found a way of re-enabling it yet. Event viewer says (source ‘atapi’) - The device, \Device\Ide\IdePort1, did not respond within the timeout period.


I'm assuming these were actions taken by the virus when I was first infected (along with disabling task manager, hiding files etc.) and won't be restored to health simply by removing the virus. I can rebuild the shortcuts OK, but have no idea how to get the DVD drive working again.

Best wishes
Martin

Attached Files



#8 oneof4
  • Malware Response Team
  • 3,779 posts
  • Location:The Collective

Posted 24 June 2011 - 11:05 PM

Hey bventure :)

Could you please copy and paste the following file into your next reply: c:\qoobox\quarantine\combofix-quarantined-files.txt

I need to look for some "clues" that may be in that file.

Best Regards,
oneof4.


#9 bventure
  • Topic Starter
  • Members
  • 22 posts

Posted 25 June 2011 - 04:56 AM

Hi there. File is attached. Checking again I may have misled you on previous post, or it may be that something sorted itself out on a reboot after combofix (combofix didn't ask for one, but it downloaded some windows updates while downloading recovery console, and these triggered a reboot after installation). I can now open & close the DVD drive (after first opening it manually via the emergency hole), and somehow all my missing start menu links are now back. It was seeing that the attached file consisted mainly of these that prompted me to recheck. Everything is now apparently back to normal, but I'm not convinced that it really is. I still haven't dared re-enable the wireless card and use the browser. What do you think? Give it a try?

Thanks
Martin

Attached Files



#10 oneof4
  • Malware Response Team
  • 3,779 posts
  • Location:The Collective

Posted 27 June 2011 - 06:32 AM

Hello bventure :)

Going over your logs I noticed that you have uTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

==========

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system:
  • Microsoft: ‘Unprecedented Wave of Java Exploitation’
  • Drive-by Trojan preying on out-of-date Java installations
  • Ghosts of Java Haunt Users
Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows" (32-bit) or "Windows x64" (64-bit).
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "I agree to the Java SE...License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u26-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

==========

Your version of Adobe Reader is also out-of-date. Please go here, and download / install the latest version.

==========

Finally, open MBAM, update it, then run a "Full Scan". Post the results of the MBAM scan in your next reply.

Best Regards,
oneof4.


#11 bventure
  • Topic Starter
  • Members
  • 22 posts

Posted 27 June 2011 - 09:08 AM

Hi oneof4, and thanks again. Some preliminary notes on your comments, I'll reply later with MBAM log.

1. uTorrent. I use this exclusively to download music from www.dimeadozen.org. This I guarantee you is 100% safe and everything on it is 100% legal. I have a separate desktop just for downloading from this site, and in 5 years daily usage have never had a problem. I'll remove it from the affected machine, not needed or used on this one.

2. Java - I intend to uninstall this. From the Security Essentials events it looks like this was probably the way in. I'm also pretty sure the source of the infection was actually stevex (blogDOTstevexDOTnet) - an apparently innocuous software blog which looks like it's anything but safe! This was I think via stackoverflow, an innocent site afaik. There was a reason I had an old version of java (I won't bore you with that), but I will definitely remove it. If I have anything that needs java I will try to do without it.

3. Adobe - will update

4. Updated & ran Malwarebytes full scan after combofix and it reported all clear. I'll kick it off again overnight (took 10 hours last time!) and send the log.

Thanks again
Martin

#12 bventure
  • Topic Starter
  • Members
  • 22 posts

Posted 28 June 2011 - 04:13 PM

OK oneof4, I've run Malwarebytes again. It says all clear, log is attached. :thumbup2:

The only thing that concerns me slightly is how long it is taking. I'm sure it used to run much more quickly than this. However, the machine seems to be working as normal as far as I can tell, but I still haven't switched the wireless card back on until you give the all clear.

Thanks
Martin

Attached Files



#13 oneof4
  • Malware Response Team
  • 3,779 posts
  • Location:The Collective

Posted 29 June 2011 - 01:37 PM

Hey bventure :)

Yes, go ahead and re-activate your wireless card, then perform the following:

The only thing that concerns me slightly is how long it is taking. I'm sure it used to run much more quickly than this

To speed up things, you can try to disable unnecessary startup items with StartupLite

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

==========

Finally,

Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

==========

Things I need to see in your next reply:

  • ESET Log
  • DDS Log
  • How are things running now?

Best Regards,
oneof4.


#14 bventure
  • Topic Starter
  • Members
  • 22 posts

Posted 03 July 2011 - 05:35 AM

Hi oneof4 :)

Quick note to let you know I haven't gone missing.

ESET is running, but may be a while yet. It has been running for 18 hours now and is at 75% - speeded up somewhat, when I looked last night it was at 10% after 7 hours! So far all clear. I'll get back to you as soon as I have some results.

Best
Martin

#15 bventure
  • Topic Starter
  • Members
  • 22 posts

Posted 03 July 2011 - 05:46 PM

Hi oneof4, here's an update for you.

First of all, ESET finally finished (26 hrs!) and reported no threats found, hence no log to send you (it didn't offer the option).

The 2 DDS logs are attached.

Machine seems to be running OK, but I can't shake the nagging feeling it's slower than it was before the virus, maybe that's just paranoia. You'll see DDS took 7 minutes to run rather than the promised 3.

I'm cautiously hopeful things might be OK now, but still very wary. :unsure:

Anyway, here is the DDS log. The DDS attach & ESET final screenshot are attached.

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by martin at 20:49:25 on 2011-07-03
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
C:\Program Files\IBM\SQLLIB\bin\db2dasrrm.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\IBM\SQLLIB\bin\db2dasstm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSAS10_50.SQL2008R2\OLAP\bin\msmdsrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQL2008EXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQL2008R2\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\DataDirect\slserver55\bin\swagent.exe
C:\Program Files\DataDirect\slserver55\bin\swstrtr.exe
C:\Program Files\DataDirect\slserver55\bin\swsocw.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\WINDOWS\system32\KADxMain.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\IBM\SQLLIB\BIN\db2systray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\AceBIT\WISE-FTP 6\wf_tp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\MicroStrategy\MASvcMgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\SQLServer2008R2-KB2494088-x86.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\martin\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=h3lg2RzgLeadPb8HrEvsiP50OTQ
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\program files\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [WISE-FTP Task Planner] "c:\program files\acebit\wise-ftp 6\wf_tp.exe" /bg
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [db2systray.exe DB2] c:\program files\ibm\sqllib\bin\db2systray.exe DB2
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: principality.co.uk\remote
Trusted Zone: windowsupdate.com\download
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233361203343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://fasthosts-events.webex.com/client/T27LB/nbr/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpnuk.mfglobal.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpnuk.mfglobal.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\martin\application data\mozilla\firefox\profiles\kyyhm29i.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=ConduitEngine&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? MAEMETLS;MicroStrategy Enterprise Manager Data Loader
R? MAPing;MicroStrategy Listener
R? massfilter;ZTE Mass Storage Filter Driver
R? MfeAVFK;McAfee Inc. MfeAVFK
R? MfeBOPK;McAfee Inc. MfeBOPK
R? MfeRKDK;McAfee Inc. MfeRKDK
R? MicroStrategy Distribution Manager;MicroStrategy Distribution Manager
R? MicroStrategy Execution Engine;MicroStrategy Execution Engine
R? MicroStrategy Intelligence Server;MicroStrategy Intelligence Server
R? MicroStrategy Logging Client;MicroStrategy Logging Client
R? MicroStrategy Logging Consumer;MicroStrategy Logging Consumer
R? MicroStrategy Logging Server;MicroStrategy Logging Server
R? MicroStrategy NC PDF Formatter;MicroStrategy NC PDF Formatter
R? MicroStrategy SMTP Service;MicroStrategy SMTP Service
R? MicroStrategy System Monitor;MicroStrategy System Monitor
R? MpKsl4e38f9e5;MpKsl4e38f9e5
R? MpKslcf0f3b65;MpKslcf0f3b65
R? MSSQLFDLauncher$SQL2008EXPRESS;SQL Full-text Filter Daemon Launcher (SQL2008EXPRESS)
R? MSSQLFDLauncher$SQL2008R2;SQL Full-text Filter Daemon Launcher (SQL2008R2)
R? MSSQLServerADHelper100;SQL Active Directory Helper Service
R? msvsmon80;Visual Studio 2005 Remote Debugger
R? OracleJobSchedulerXE;OracleJobSchedulerXE
R? OracleServiceXE;OracleServiceXE
R? OracleXETNSListener;OracleXETNSListener
R? pmxscan;USB Flatbed Scanner Driver
R? RapportIaso;RapportIaso
R? ReportServer$SQL2008EXPRESS;SQL Server Reporting Services (SQL2008EXPRESS)
R? ReportServer$SQL2008R2;SQL Server Reporting Services (SQL2008R2)
R? ReportServer;SQL Server Reporting Services (MSSQLSERVER)
R? RsFx0103;RsFx0103 Driver
R? RsFx0150;RsFx0150 Driver
R? SQLAgent$SQL2008EXPRESS;SQL Server Agent (SQL2008EXPRESS)
R? SQLAgent$SQL2008R2;SQL Server Agent (SQL2008R2)
R? VSPerfDrv90;Performance Tools Driver 9.0
R? WDC_SAM;WD SCSI Pass Thru driver
R? WinDefend;Windows Defender
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? BecHelperService;BecHelperService
S? ctxusbm;Citrix USB Monitor Driver
S? mfehidk;McAfee Inc. mfehidk
S? MpFilter;Microsoft Malware Protection Driver
S? MpKslef5df321;MpKslef5df321
S? MsDtsServer100;SQL Server Integration Services 10.0
S? MSOLAP$SQL2008R2;SQL Server Analysis Services (SQL2008R2)
S? MSSQL$SQL2008EXPRESS;SQL Server (SQL2008EXPRESS)
S? MSSQL$SQL2008R2;SQL Server (SQL2008R2)
S? RapportCerberus_26762;RapportCerberus_26762
S? RapportEI;RapportEI
S? RapportKELL;RapportKELL
S? RapportMgmtService;Rapport Management Service
S? RapportPG;RapportPG
S? SLAgent55;SLAgent55
S? SLSocket55;SLSocket55
.
=============== Created Last 30 ================
.
2011-07-03 19:48:53 -------- d-----w- C:\b0ce3b8b101c684489
2011-07-03 16:15:16 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e11bbf1-9f6b-403d-a08e-25e8349df3c2}\MpKslef5df321.sys
2011-07-03 16:09:21 7074640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5e11bbf1-9f6b-403d-a08e-25e8349df3c2}\mpengine.dll
2011-07-02 16:19:19 -------- d-----w- c:\program files\ESET
2011-06-25 10:00:08 7074640 ------w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{40708b90-2559-4006-8f47-3e9887bfbb7b}\mpengine.dll
2011-06-22 23:52:02 -------- d-----w- c:\windows\SQLTools9_KB2494120_ENU
2011-06-22 23:49:25 -------- d-----w- c:\windows\NS9_KB2494120_ENU
2011-06-22 23:42:00 -------- d-----w- c:\windows\RS9_KB2494120_ENU
2011-06-22 23:37:31 -------- d-----w- c:\windows\OLAP9_KB2494120_ENU
2011-06-22 23:21:27 -------- d-----w- c:\windows\SQL9_KB2494120_ENU
2011-06-22 21:53:38 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-22 16:18:46 -------- d-sha-r- C:\cmdcons
2011-06-22 16:10:57 98816 ----a-w- c:\windows\sed.exe
2011-06-22 16:10:57 518144 ----a-w- c:\windows\SWREG.exe
2011-06-22 16:10:57 256512 ----a-w- c:\windows\PEV.exe
2011-06-22 16:10:57 208896 ----a-w- c:\windows\MBR.exe
2011-06-09 14:30:12 -------- d-----w- c:\windows\pss
2011-06-08 15:48:15 -------- d-----w- c:\documents and settings\all users\application data\NVIDIA Corporation
2011-06-08 15:39:25 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-06-08 15:39:06 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-06-08 15:39:06 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-06-08 15:36:08 941160 ----a-w- c:\windows\system32\nvdispco322090.dll
2011-06-08 15:36:08 837736 ----a-w- c:\windows\system32\nvgenco322040.dll
2011-06-08 15:36:08 2916968 ----a-w- c:\windows\system32\nvcuvid.dll
2011-06-08 15:36:08 2251368 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-06-08 15:36:07 4980736 ----a-w- c:\windows\system32\nvcuda.dll
2011-06-08 15:36:05 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-06-08 15:36:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-06-08 15:35:16 2292678 ----a-w- c:\windows\system32\nvdata.bin
2011-06-08 15:34:12 -------- d-----w- c:\program files\NVIDIA Corporation
2011-06-08 15:32:19 -------- d-----w- C:\NVIDIA
2011-06-08 15:10:08 -------- d-----w- c:\program files\SystemRequirementsLab
2011-06-08 13:17:48 -------- d-----w- c:\windows\PIF
2011-06-06 17:06:40 -------- d-----w- c:\program files\martin
2011-06-06 17:06:00 7734240 ----a-w- C:\martin.exe
2011-06-06 15:25:25 4224 ----a-w- c:\windows\system32\beep.sys
.
==================== Find3M ====================
.
2011-05-29 08:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 08:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-24 18:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-28 13:34:50 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
============= FINISH: 20:56:02.62 ===============


Thanks
Martin (bventure)

Attached Files


