Infected with Whistler@MBR


  • This topic is locked
38 replies to this topic

#1 Air Hammer

Air Hammer

  • Members
  • 38 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 19 September 2011 - 11:11 PM

Hi there. I joined yesterday and listed in full detail what I've been going through the last month or so in this topic http://www.bleepingcomputer.com/forums/topic419541.html

My original post:

I've had this computer since February 2009. A friend put it together for me. I have no XP disc. It came with Symantec Antivirus installed. The auto-protect appears to be enabled, and it is locked. I cannot perform Live Update, so I'm stuck with a 3 year old version. The Virus Protection setting in my security center is set to Off. How do I change it to On?

Other programs I have used in this time include Superantispyware, and Malwarebytes.

Now for the main problems.

In the past while doing scans with Superantispyware, one of the "threats" it detected was a Broken File Association. The computer was working fine so I wasn't sure what the problem was. Fixing it did nothing, but it would be detected every time I scanned. About a month ago I did an update and the program received a new version. All new look, etc... I did a scan and the BrokenFile was there again. I once again got rid of it thinking nothing would happen yet again. I even thought of sending a message of a false positive, but didn't. Anyway the result started my problems.

Later that day while on DeviantArt I went to full view a picture and got a pop-up that "Windows cannot open this file: jqsnotify.exe". I looked up the problem and some said they got similar messages when opening their browsers. So I closed Firefox, opened it again, and got the message "Windows cannot open this file: firefox.exe". All the programs were like that. They were opening, but I always got the messages. So I did some searching and wound up downloading ExeHelper. It solved the problem, but only temporarily as with my next boot up some icons weren't appearing and the messages were back. I found another program called exefix_xp, but it does the same thing. Do I have a registry error? Why are the fixes only temporary?

Next problem began just 2 days ago. I think it's related. I was hooking up my camera via usb to upload some pictures. Turning it on in the usual way I was expecting to see options on how to view the pictures as I always do. This did not appear. Going to My Computer and clicking on it manually I get the message "The disk in drive f is not formatted. Would you like to format it now?" The SD card in the camera is just fine. I even hooked up my card reader and used the SD Micro from my cell phone. Same result.

From there I went searching for solutions but came up empty. I did a full scan with Superantispyware, and just found tracking cookies. I did a full scan with Malwarebytes, and found nothing. I did a disc clean up on both drives C and D, and defragmented both. I downloaded and ran CCleaner. It found and removed nearly 1GB of crap from my system. Did a scan and fix of the registry. Restarted the computer and...no change. So I went to a forum I frequent and asked questions.

Today when booting up the computer I got a new one. "Windows cannot open this file: mbamgui.exe" Hitting cancel the computer completed start up and I continued on with my search.

Back at the forum some recommended I use Spybot. Well I downloaded it, scanned, and found a Trojan which I then wiped out. It also detected my downed virus protection. So as of the following restart I now get a pop-up in my system tray regarding my security center (and the mbamgui.exe message is gone). Yet still no change. The last person to reply to me over there recommended I come here, so here I am.

So I have to ask, what the "bleep" is wrong? Thank you! :)

Also, I tend to wonder if downloading these various programs to scan and such is really just making my hole even deeper to get out of.


Orange Blossom suggested I follow the steps needed to create some logs which I will post here now.

Here is the DDS.txt. The attach.txt and ark.txt are included.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Air Hammer at 16:24:45 on 2011-09-19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.522 [GMT -7:00]
.
AV: Defense Center *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
"C:\WINDOWS\system32\svchost.exe"
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar =
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [{20B4B7A2-DED4-D17D-B954-D9B9E7ADA81F}] "c:\documents and settings\air hammer\application data\ubo\yxqaebi.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PlusService] c:\program files\yuna software\messenger plus!\PlusService.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
dPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
dPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\documents and settings\air hammer\desktop\PartyPoker.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127257020515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129742932062
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://kryten.secure.scrd.bc.ca/tsweb/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{50620F02-D0E4-4D86-B18D-48F9CB72DA35} : DhcpNameServer = 192.168.16.245
TCP: Interfaces\{6E8B3B42-F9C8-43DA-8792-BFC9BE62A474} : DhcpNameServer = 192.168.16.245
TCP: Interfaces\{F04409F1-4617-4B69-B4A5-9388A13E44A6} : DhcpNameServer = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\air hammer\application data\mozilla\firefox\profiles\pbd047e0.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - Ext: Text-to-Image: {f701c26a-479a-4724-b4f1-870db12f063c} - %profile%\extensions\{f701c26a-479a-4724-b4f1-870db12f063c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {972E9D60-CFA2-44B1-B039-4FFC2BB8973A} - c:\documents and settings\air hammer\local settings\application data\{972E9D60-CFA2-44B1-B039-4FFC2BB8973A}
FF - Ext: XULRunner: {15A72425-D62E-4CE3-836D-0DB30A859236} - c:\documents and settings\air hammer\local settings\application data\{15A72425-D62E-4CE3-836D-0DB30A859236}
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-1-15 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 67664]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-1 116608]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2004-5-8 9728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-4-3 109616]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20080610.017\naveng.sys [2008-6-10 89936]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20080610.017\navex15.sys [2008-6-10 856336]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-17 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-17 136176]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 12872]
S4 ipfvuhnm;ipfvuhnm;c:\windows\system32\drivers\gthmojsm.sys [2010-7-9 54016]
S4 vsdatant;vsdatant;a --> a [?]
.
=============== Created Last 30 ================
.
2011-09-19 19:28:21 -------- d-----w- c:\documents and settings\air hammer\application data\Ubo
2011-09-19 19:28:21 -------- d-----w- c:\documents and settings\air hammer\application data\Omciv
2011-09-19 04:54:13 574976 ----a-w- c:\windows\system32\ntfs.sys
2011-09-18 21:14:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-09-18 21:14:41 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-09-18 02:07:26 -------- d-----w- c:\program files\LSoft Technologies
2011-09-17 07:29:42 -------- d-----w- c:\program files\CCleaner
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-10 18:54:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-10 07:50:05 0 ----a-w- c:\windows\Qtibutuxunak.bin
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntoskrnl.exe >>UNKNOWN [0x89D73A0A]<<
_asm { MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; MOV EAX, [EBX+0x60]; MOV ECX, [EAX+0xc]; OR ECX, [EAX+0x10]; PUSH ESI; JNZ 0x94; MOV ESI, 0x200; CMP [EAX+0x4], ESI; JB 0x94; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A2B4AB8]
\Driver\Disk[0x8A2BA8A0] -> IRP_MJ_READ -> 0x89D73A0A
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 16:27:41.64 ===============

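The rootkit section of the DDS log above shows how the MBR detector reaches its verdict: it reads sector 0 twice, once through the normal path (opening \\.\PhysicalDrive0 from user mode, which failed here with a sharing violation) and once from kernel mode underneath the IRP_MJ_READ hook it found in \Driver\Disk, and reports "user != kernel MBR" when the two copies differ. The script below is an added example, not part of the thread and not GMER's or mbr.exe's code; it applies the same comparison to two 512-byte sector images and parses the partition table of each. Both images are constructed for the example (a typical Windows MBR prologue versus a NOP-padded stand-in for an unknown loader) and are not TDL4's code. On a real machine the two views would come from a raw disk read and from a tool that can read below the filter driver; the script only does the comparison.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code (plus disk signature) lives in bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"    # bytes 510..511


def parse_partition_table(mbr):
    """Return the four partition entries of a 512-byte MBR as dicts."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one %d-byte sector" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def compare_mbr_views(user_view, kernel_view):
    """Compare the MBR seen through the normal read path with the copy read
    underneath the disk driver's hook: the check the detector in the log performs."""
    if len(user_view) != SECTOR_SIZE or len(kernel_view) != SECTOR_SIZE:
        raise ValueError("both views must be one full sector")
    diffs = [i for i in range(SECTOR_SIZE) if user_view[i] != kernel_view[i]]
    return {
        "identical": not diffs,
        "diff_count": len(diffs),
        "first_diff_offset": diffs[0] if diffs else None,
        "boot_code_differs": any(i < BOOT_CODE_LEN for i in diffs),
        "partition_table_differs": any(PART_TABLE_OFF <= i < SECTOR_SIZE - 2 for i in diffs),
        "user_signature_ok": user_view[510:512] == MBR_SIGNATURE,
        "kernel_signature_ok": kernel_view[510:512] == MBR_SIGNATURE,
    }


def build_sample_mbr(boot_code, partitions):
    """Assemble a sector from a bootstrap stub and (status, type, lba, count) tuples.
    Used only to construct the sample data below."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE


# Constructed sample data (not bytes from the infected machine):
# one active NTFS partition and one data partition, identical in both views.
PARTS = [(0x80, 0x07, 63, 200_000), (0x00, 0x07, 200_063, 300_000)]
# xor ax,ax / mov ss,ax / mov sp,7C00h / sti: the usual start of a Windows MBR.
CLEAN_BOOT = b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"
# NOP-padded stub standing in for an unknown loader; not the rootkit's real code.
HOOKED_BOOT = b"\x90\x31\xC0\x90\x8E\xD8\x8E\xC0\x90\x8E\xD0\xBC\x00\x7C"
USER_VIEW = build_sample_mbr(CLEAN_BOOT, PARTS)
KERNEL_VIEW = build_sample_mbr(HOOKED_BOOT, PARTS)


def report(user_view, kernel_view):
    """Human-readable verdict in the style of the detector's log lines."""
    r = compare_mbr_views(user_view, kernel_view)
    if r["identical"]:
        return ["user == kernel MBR"]
    lines = ["user != kernel MBR !!! (%d byte(s) differ, first at offset %d)"
             % (r["diff_count"], r["first_diff_offset"])]
    if r["boot_code_differs"]:
        lines.append("bootstrap code differs: disk reads are being filtered")
    if r["partition_table_differs"]:
        lines.append("partition table differs: check for hidden or relocated partitions")
    for e in parse_partition_table(kernel_view):
        if e["type"]:
            lines.append("partition %d: type 0x%02X lba %d len %d%s"
                         % (e["index"], e["type"], e["lba_start"], e["sectors"],
                            " (active)" if e["bootable"] else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(USER_VIEW, KERNEL_VIEW)))
```

The partition table normally matches in both views, because the bootkit needs Windows to keep booting from the same place; the bootstrap bytes are the signal, which is why the detector disassembles them in the log. A comparison limited to sector 0 is only a first check: a bootkit that hooks the disk driver can hide any sector it likes, so a full cleanup also reads the sectors past the last partition, where such families keep their own data.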


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 PM

Posted 20 September 2011 - 09:31 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
P2P - I see you have P2P software (BitComet) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 Air Hammer

Air Hammer
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 21 September 2011 - 04:49 PM

Hi, thanks for getting back to me.

I removed BitComet per your request. I downloaded ComboFix. It downloaded the recovery console. The ComboFix log is attached.




#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 PM

Posted 21 September 2011 - 09:12 PM

Air Hammer:

Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Please include the following in your next post:
  • TDSSKiller log



#5 Air Hammer

Air Hammer
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 21 September 2011 - 11:23 PM

Okay, done. The TDSSKiller log is attached.

The scan found the Whistler under "malicious" with the option cure beside it. It also found under "suspicious" Rootkit.Win32.BackBoot.gen which did not have the cure option so I left it at skip.




#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 PM

Posted 23 September 2011 - 09:27 AM

I see you have two hard drives on this PC. Are they both bootable?



#7 Air Hammer

Air Hammer
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 23 September 2011 - 02:02 PM

I see you have two hard drives on this PC. Are they both bootable?


One is my C drive, the other is my D drive. I'm not exactly sure what "bootable" means in this case but I believe the answer to your question is yes.

C contains...well, everything C should have.
D contains my My Documents folder, and 3 other folders.

Edited by Air Hammer, 23 September 2011 - 02:02 PM.


#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 PM

Posted 25 September 2011 - 01:58 PM

Air Hammer:

So you only have one operating system which is on c:\ and d:\ is strictly storage. Is that correct? Please do this next:

Download aswMBR.exe ( 511KB ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • aswMBR log
  • MBAM log



#9 Air Hammer

Air Hammer
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 25 September 2011 - 06:19 PM

Yes my c:\ has all my systems and programs, and my d:\ is for storage, correct.

aswMBR scan completed. Log is attached.

MBAM updated and scan completed. It found 8 entries. I had one for C:\System Volume Information, and one for C:\Qoobox. I unchecked both as instructed.

Here is the MBAM log.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7797

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/25/2011 4:11:46 PM
mbam-log-2011-09-25 (16-11-46).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 327133
Time elapsed: 1 hour(s), 18 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{20B4B7A2-DED4-D17D-B954-D9B9E7ADA81F} (Spyware.Passwords.XGen) -> Value: {20B4B7A2-DED4-D17D-B954-D9B9E7ADA81F} -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\air hammer\application data\Ciu\kaufar.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\air hammer\application data\Sun\Java\deployment\cache\6.0\23\32701a17-243ac880 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\air hammer\application data\Sun\Java\deployment\cache\6.0\51\611b0033-7e639106 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\air hammer\application data\Sun\Java\deployment\cache\6.0\9\7a8bfe49-5555446f (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\documents and settings\air hammer\application data\Yvcitu\piased.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\air hammer\application data\Ubo\yxqaebi.exe.vir (Spyware.Passwords.XGen) -> Not selected for removal.
c:\system volume information\_restore{235f42dc-266a-4dbe-b431-1af4564a009c}\RP1\A0000035.exe (Spyware.Passwords.XGen) -> Not selected for removal.




#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:54 PM

Posted 25 September 2011 - 07:51 PM

Air Hammer:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please go here to run an online scan with ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is your computer running now?
  • ESET log



#11 Air Hammer

Air Hammer
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 26 September 2011 - 02:12 AM

How is my computer running? Well for starters whatever we've eliminated thus far has allowed the computer to recognize what I plug in to my usb ports again (camera, card reader). Can't tell if it has gotten any faster...maybe it has, a little. I still have the .exe issue, which again I assume is a registry error that needs fixing. I'm still using exefix_xp to fix it temporarily. I get a Windows security alert after the computer loads. Saying my Symantec is out of date, check security center, etc. My virus protection now says Out of Date instead of Off. I was getting a pop up sometimes about my security asking me if I wish to block Windows Explorer.

I did everything you listed for Java.

The ESET scan is complete. One of the options I saw which you did not list was Scan Archives, which was already unticked. I left it that way. The scan found 3 threats. Here is the log.

C:\Qoobox\Quarantine\C\Documents and Settings\Air Hammer\Application Data\Ubo\yxqaebi.exe.vir a variant of Win32/Kryptik.SZY trojan
C:\System Volume Information\_restore{235F42DC-266A-4DBE-B431-1AF4564A009C}\RP1\A0000035.exe a variant of Win32/Kryptik.SZY trojan
C:\System Volume Information\_restore{235F42DC-266A-4DBE-B431-1AF4564A009C}\RP4\A0000645.exe Win32/Spy.Zbot.YW trojan

Edited by Air Hammer, 26 September 2011 - 02:13 AM.
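
The three hits in the log above are worth telling apart by location before anyone acts on them: C:\Qoobox\Quarantine is the quarantine folder ComboFix uses (it renames what it removes to *.vir), and System Volume Information\_restore{...}\RPn folders hold System Restore point copies, which stay inert unless that restore point is applied. The PowerShell below is an added example, not part of this thread and not an ESET or BleepingComputer tool: it parses ESET Online Scanner log lines and classifies each hit as quarantined, restore-point or active. The sample lines are the three posted above; the function names are mine.

```powershell
# Added example (not from the original thread or from ESET): classify ESET
# Online Scanner hits by where the detected file lives. Sample lines are the
# three posted in the thread; exported logs separate path and threat with a
# tab, the forum paste collapsed that to spaces, and both forms are parsed.
$log = @'
C:\Qoobox\Quarantine\C\Documents and Settings\Air Hammer\Application Data\Ubo\yxqaebi.exe.vir a variant of Win32/Kryptik.SZY trojan
C:\System Volume Information\_restore{235F42DC-266A-4DBE-B431-1AF4564A009C}\RP1\A0000035.exe a variant of Win32/Kryptik.SZY trojan
C:\System Volume Information\_restore{235F42DC-266A-4DBE-B431-1AF4564A009C}\RP4\A0000645.exe Win32/Spy.Zbot.YW trojan
'@

function Get-EsetHitClass {
    param([string]$Path)
    # C:\Qoobox\Quarantine is ComboFix's quarantine; files there are renamed
    # to *.vir and are already disarmed copies.
    if ($Path -match '\\Qoobox\\Quarantine\\') { return 'quarantined' }
    # System Restore keeps copies of replaced files as RPn\A00000xx.ext; they
    # are inert unless that restore point is applied.
    if ($Path -match '\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\') {
        return 'restore-point'
    }
    # Anything else is a live file on disk.
    return 'active'
}

function ConvertFrom-EsetLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        # Tab-separated (as exported) or "path<spaces>threat", where the threat
        # name starts with "a variant of", "probably" or a Platform/Family token.
        if ($line -match '^(?<path>[^\t]+)\t(?<threat>.+)$' -or
            $line -match '^(?<path>[A-Za-z]:\\.+?)\s+(?<threat>(?:a variant of\s+|probably\s+)*[A-Za-z0-9]+/\S.*)$') {
            $path   = $Matches['path'].Trim()
            $threat = $Matches['threat'].Trim()
            [pscustomobject]@{
                Class  = Get-EsetHitClass -Path $path
                Threat = $threat
                Path   = $path
            }
        } else {
            Write-Warning "Unparsed line: $line"
        }
    }
}

$hits = @(ConvertFrom-EsetLog -Lines ($log -split '\r?\n'))
$hits | Format-Table -AutoSize Class, Threat, Path

# quarantined   -> nothing to do beyond deleting C:\Qoobox when the cleanup is over
# restore-point -> purge by disabling and re-enabling System Restore once clean
# active        -> a live infection that still needs removal
$active = @($hits | Where-Object { $_.Class -eq 'active' })
if ($active.Count -eq 0) {
    Write-Host 'No active infections in this log; all hits are in quarantine or restore points.'
} else {
    Write-Host "$($active.Count) active file(s) still need attention."
}
```

Run against the three lines above it reports one quarantined hit and two restore-point hits and no active files, which is the distinction that decides whether the next step is more removal work or just clearing restore points at the end of the cleanup.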


#12 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 26 September 2011 - 09:07 PM

Air Hammer:

I need a little more information from you:

1. Exactly what error message are you getting that is resolved by running exefix_xp?
2. Are you able to update your antivirus?
3. Did you scan both your hard drives with the ESET scanner?


#13 Air Hammer
  • Topic Starter
  • Members
  • 38 posts

Posted 27 September 2011 - 08:00 PM

To best explain this I will document through pictures. (I apologize if they are too large)

Posted Image

As you can see, once my computer has started up, the icons in my Quick Launch do not appear. Also note the pop-up in my system tray in regards to your second question.

Now let's say I want to open Firefox, and I get this.

Posted Image

Whether it's Firefox, Photoshop, Symantec, MBAM, Spybot, MSN, or my media player, they all bring up the same. Oddly enough, only IE opens without the .exe message.

Now, using either exefix_xp or exeHelper fixes this, and the programs will open without fault. The icons in the system tray will eventually return as well. I was under the impression when I downloaded these programs that the fix would be permanent, but it is only temporary, as the problem returns every time I start up. As I explained in my original post, this all began after I cleaned a Broken File Association "threat" that my newly updated SuperAntiSpyware found.

Now, as for your other questions. No, I cannot update my antivirus. This computer came with Symantec installed. While 'Enable Auto-Protect' is checked off and presumably running, it is locked. Even though I am the sole user of this computer and thus the administrator, I cannot unlock it. Clicking on Live Update does nothing.

As for the ESET scanner, yes, I did scan both drives. Double-checking, I did not originally see the option for what systems to scan. I see it now under 'Current Scan Targets', and already selected are Operating Memory, C:\ and D:\, so yes, both were definitely scanned.
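
The symptom described in the post above (every .exe fails to launch until exefix_xp is rerun, and the failure returns at the next boot) is, as the poster guesses, a file-association problem: Explorer resolves a double-clicked program through the default value of HKCR\.exe, which should name the ProgID exefile, and then HKCR\exefile\shell\open\command, which should be "%1" %*. Malware that hijacks that command gets to run before every program you start; a cleanup that deletes the association instead produces the "Windows cannot open this file" dialog seen here. The script below is an added example, not something from this thread, from exefix_xp or from BleepingComputer's own tools: it reads those keys, reports any that differ from the clean defaults, and repairs them only when run with -Repair. It assumes PowerShell 3 or later is installed (it is not part of Windows XP) and an administrator prompt; the parameter and variable names are mine.

```powershell
# Added example (not from the original thread): audit, and optionally repair,
# the registry entries Windows uses to launch .exe files. Expected values are
# the clean defaults of Windows XP/Vista/7. Assumes PowerShell 3+ is installed
# (not shipped with XP) and an administrator prompt. Read-only unless -Repair.
param([switch]$Repair)

# HKCR is not mapped as a PSDrive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# Key -> expected (default) value. A double-clicked foo.exe is resolved as
#   HKCR\.exe -> ProgID "exefile" -> HKCR\exefile\shell\open\command -> "%1" %*
# Malware often rewrites the command to "C:\...\dropper.exe" "%1" %*, so every
# program launch passes through it; deleting the association instead gives the
# Open With / "Windows cannot open this file" dialog.
$expected = @{
    'HKCR:\.exe'                       = 'exefile'
    'HKCR:\exefile\shell\open\command' = '"%1" %*'
}

# Per-user keys that shadow HKCR (HKCU\Software\Classes is merged into HKCR and
# wins on conflict). None of these exist on a healthy machine.
$mustBeAbsent = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)

$problems = 0

foreach ($key in $expected.Keys) {
    $want = $expected[$key]
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    $have = '<missing key>'
    if ($item) {
        # GetValue('') reads the key's (Default) value.
        $have = [string]$item.GetValue('')
        if ($have -eq '') { $have = '<no default value>' }
    }

    if ($have -eq $want) {
        Write-Host "OK      $key = $have"
        continue
    }
    $problems++
    Write-Host "BAD     $key = $have   (expected $want)"
    if ($Repair) {
        if (-not $item) { New-Item -Path $key -Force | Out-Null }
        # Set-Item on a registry key writes its (Default) value.
        Set-Item -Path $key -Value $want
        Write-Host "FIXED   $key"
    }
}

foreach ($key in $mustBeAbsent) {
    if (Test-Path -Path $key) {
        $problems++
        Write-Host "BAD     $key exists and overrides HKCR"
        if ($Repair) {
            Remove-Item -Path $key -Recurse -Force
            Write-Host "REMOVED $key"
        }
    }
}

# Non-zero exit code when anything was wrong, so the check can be scripted.
exit $problems
```

Run it once, reboot, and run it again. If a value that was just corrected has reverted, something executed at startup is rewriting the association, and that startup item, not the registry value, is what has to be dealt with. The per-user keys are checked because a correct HKCR entry can still be overridden by an HKCU one, which a fix that only touches HKCR will never see.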

#14 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male

Posted 27 September 2011 - 08:26 PM

Air Hammer:

I see the problem now - do this:

Disable Spybot S&D's TeaTimer
  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done and reboot your computer.
(When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Now run exefix_xp again and let me know if the fix "stays" this time.


#15 Air Hammer
  • Topic Starter
  • Members
  • 38 posts

Posted 27 September 2011 - 10:53 PM

Checking Spybot now, the Resident TeaTimer box was already unchecked, and I see no TeaTimer box in the System Startup section.

Trying to remember, did I disable it before doing one of the first scans you listed for me, and it remained that way?

What should I do now?

Edited by Air Hammer, 27 September 2011 - 10:54 PM.




