Infected with Data Recovery Rogue

This topic is locked
13 replies to this topic

#1 thetinderstick


Posted 27 September 2011 - 04:25 PM

My comp got infected with the 'Data Recovery' rogue. My Windows Explorer doesn't recognize my hard disk anymore. I get the typical Data Recovery error messages about the hard drive being infected etc. My desktop turned black and is empty, and I can't get the internet to work. Tried the uninstall guide on this (wonderful!) forum, but when I tried to run the RKill program, it doesn't work. I tried all different versions available here many times, and I've tried it through Windows safe mode, but every time the same thing happens:

I see the black screen flicker for a bit, then I get a pop-up message saying: 'failed to install'. Then the black screen returns: 'preparing RKill' and then 'access denied', and then RKill starts searching for malware processes. After a few seconds it ends and I get the log saying no processes were terminated by RKill. What to do next? I hope someone can help!

Here's the DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Administrator at 20:21:53 on 2011-09-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.958.741 [GMT 2:00]
.
AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.nl/ig/dell?hl=nl&client=dell-row&channel=nl&ibd=6060927
uSearch Page = hxxp://www.google.nl/hws/sb/dell-row/nl/side.html?channel=nl
uSearch Bar = hxxp://www.google.nl/hws/sb/dell-row/nl/side.html?channel=nl
uDefault_Page_URL = www.google.nl/ig/dell?hl=nl&client=dell-row&channel=nl&ibd=6060927
mSearchAssistant = hxxp://www.google.nl/hws/sb/dell-row/nl/side.html?channel=nl
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\adobe acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: McAfee AntiPhishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar4.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar4.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Norton Ghost 10.0] "c:\program files\norton ghost\agent\GhostTray.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [BigDogPath] c:\windows\VM_STI.EXE Vimicro USB PC Camera (ZC0301PL)
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [PLFFAP] c:\windows\system32\HotfixQ0306270.exe
mRun: [U2PFD_PLUtil] c:\program files\corega\u2pfd_utility\PLBkMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [fssui] "c:\program files\windows live\family safety\fsui.exe" -autorun
mRun: [atwtusb] atwtusb.exe beta
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ZDWLan_Utility] c:\program files\wlan_software\zd1211b\ZDWLan.EXE
mRun: [AutoEJCD_0ACE20FF] c:\program files\autoinstall\zd1211b_auto_install_cd_only_gen_0ace20ff\AutoEJCD.EXE /VID=0ACE /PID=20FF
mRun: [RemoteAssist]
mRun: [UPC] "c:\program files\upc\bin\sprtcmd.exe" /P UPC
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Google Zoeken - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Woord vertalen in het Nederlands - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Gelijkwaardige pagina's - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Koppelingspagina's - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Opgeslagen momentopname van de pagina - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by107w.bay107.mail.live.com/mail/resources/MsnPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DC6FEBC5-0A2D-458A-A01B-5DB15EEC4305} - hxxp://webc.bonnybphotography.com/auth/controls/IlosoftImageUpload.dll
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxp://www.hema.nl/site/xupload/XUpload.ocx
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxp://cache.hyves-static.net/statics/Aurigma/ImageUploader4.cab
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,c:\docume~1\bonny\locals~1\temp\24144681739mmx.dll c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R0 PLFF;USB Flash Disk Driver;c:\windows\system32\drivers\plff.sys [2007-3-14 7424]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [2009-12-4 7936]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [2008-4-16 22272]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 298448]
S1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2006-9-27 80640]
S2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-12-13 198256]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-12-13 165488]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2008-12-19 55136]
S2 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-9-27 126976]
S2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-9-27 221184]
S2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-9-27 122368]
S2 RalinkRegistryWriter;Ralink Registry Writer;c:\program files\sitecom\common\RegistryWriter.exe [2009-10-29 69632]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-27 822424]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2009-10-3 20608]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-12-13 79472]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-9-27 245760]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-9-27 114464]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-10-29 695296]
S3 ZD1211BU(Atheros);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(Atheros);c:\windows\system32\drivers\ZD1211BU.sys [2009-10-3 500736]
.
=============== Created Last 30 ================
.
2011-09-24 10:15:54 343040 ---ha-w- c:\documents and settings\all users\application data\1kAlMiG2Kb7FzP.exe
2011-09-24 10:12:46 450560 ---ha-w- c:\documents and settings\all users\application data\jmMlCrGvCaouHP.exe
2011-09-09 09:12:05 602624 ---h--w- c:\windows\system32\dllcache\crypt32.dll
2011-09-03 15:55:21 5632 ---ha-w- c:\windows\system32\ptpusb.dll
2011-09-03 15:55:19 159232 ---ha-w- c:\windows\system32\ptpusd.dll
.
==================== Find3M ====================
.
2011-09-26 20:42:19 6216 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-09-26 20:42:18 88 --sh--r- c:\windows\system32\712520C78E.sys
2011-09-09 09:12:05 602624 ---ha-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ---ha-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 13:56:00 56 -csh--r- c:\windows\system32\8EC7202571.sys
.
============= FINISH: 20:23:08,39 ===============
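
As an added example (not a BleepingComputer or DDS tool; the heuristics and the `triage` function are my own), a small Python triage pass over a few rows copied from the DDS log above. It flags the indicators a helper looks at first in this log: the DisableTaskMgr policy, an AppInit_DLLs entry loading from a temp directory, and a newly created executable under All Users\Application Data.

```python
"""Triage a DDS-style log for autostart and file indicators.

Added example for this thread, not a BleepingComputer or DDS tool; the
heuristics are the editor's own and produce leads for a helper to review,
not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# User-writable locations a legitimate autostart or AppInit DLL rarely lives in.
WRITABLE_DIRS = ("\\application data\\", "\\temp\\", "\\local settings\\", "\\locals~1\\")
EXECUTABLE_EXT = (".exe", ".dll", ".sys")

AV_RE = re.compile(r"^(AV|FW): (.+?) \*([^*]+)\*")
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.+)$")
RUN_RE = re.compile(r"^([umd]Run): \[([^\]]*)\]\s*(.*)$")
# "Created Last 30" / "Find3M" rows: date time size attributes path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \d+ \S{8} (.+)$")


@dataclass
class Finding:
    severity: str  # "high" (act on it) or "review" (confirm against installed software)
    reason: str
    line: str


def in_writable_dir(path: str) -> bool:
    """True if the path sits under a per-user or shared data/temp directory."""
    low = path.lower()
    return any(marker in low for marker in WRITABLE_DIRS)


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect findings; unrecognised lines are ignored."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = AV_RE.match(line)
        if m and ("Disabled" in m.group(3) or "Outdated" in m.group(3)):
            findings.append(Finding("review", f"{m.group(2)} reported {m.group(3)}", line))
            continue
        m = POLICY_RE.match(line)
        if m and m.group(1) == "DisableTaskMgr" and m.group(2) != "0":
            findings.append(Finding("high", "Task Manager disabled by policy", line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Every DLL listed here is loaded into each process that links user32.dll.
            # Windows treats the value as comma- or space-separated, so split the same way.
            for dll in re.split(r"[,\s]+", m.group(1)):
                if dll and in_writable_dir(dll):
                    findings.append(Finding("high", f"AppInit_DLLs loads {dll}", line))
            continue
        m = RUN_RE.match(line)
        if m:
            name, command = m.group(2), m.group(3)
            if not command:
                findings.append(Finding("review", f"empty autostart value [{name}]", line))
            elif in_writable_dir(command):
                findings.append(Finding("high", f"autostart [{name}] runs from a writable directory", line))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group(1).lower()
            if path.endswith(EXECUTABLE_EXT) and in_writable_dir(path):
                findings.append(Finding("high", "new executable in a writable data directory", line))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: rows copied from the DDS log in this thread. Note that the
# [PLFFAP] entry in system32 is deliberately not caught by these heuristics even
# though ComboFix later removed HotFixQ0306270.exe; a helper's review still matters.
SAMPLE_LOG = """\
AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled*
mRun: [NvCplDaemon] RUNDLL32.EXE c:\\windows\\system32\\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
mRun: [PLFFAP] c:\\windows\\system32\\HotfixQ0306270.exe
mPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\\progra~1\\google\\google~1\\goec62~1.dll,c:\\docume~1\\bonny\\locals~1\\temp\\24144681739mmx.dll
2011-09-24 10:15:54 343040 ---ha-w- c:\\documents and settings\\all users\\application data\\1kAlMiG2Kb7FzP.exe
2011-09-09 09:12:05 602624 ---h--w- c:\\windows\\system32\\dllcache\\crypt32.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```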


#2 rigacci


Posted 01 October 2011 - 07:42 PM

Hello and welcome to the forum. :welcome:

I apologize for the delay in responding to your request for help but it is very busy here and we can get overwhelmed at times.

If you have since resolved the original problem you were having, we would appreciate you letting us know.

If you still do need our help, please note the following:
  • While working with us, please refrain from running tools or applying updates other than those we suggest while we are cleaning your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please also include a clear description of the problems you're having.
  • After 5 days, if your topic has not been replied to, I will assume it has been abandoned and will close it.

Please be patient while I analyze your logs. All of my fixes are checked by higher level forum members before posting.

Thank you.

DR


#3 thetinderstick


Posted 02 October 2011 - 04:44 AM

Hello! And thank you for responding.

The problem still exists :thumbdown: .
I noticed it's very busy on this board so a reply could take a bit longer.
Ok, I'll wait to see what your suggestions are!

#4 rigacci


Posted 02 October 2011 - 08:06 AM

OK thetinderstick. Before we start, I should inform you of the following.

IMPORTANT NOTE: One or more of the identified infections includes a rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:
What danger is presented by rootkits?

Rootkits and how to combat them

R00Tkit Analysis: What Is A Rootkit
If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

What Should I Do If I've Become A Victim Of Identity Theft?

Identity Theft Victims Guide - What to do
Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
When should I re-format? How should I reinstall?

Help: I Got Hacked. Now What Do I Do?

Where to draw the line? When to recommend a format and reinstall?



We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:


Now Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable Security Programs

Double click on ComboFix.exe & follow the prompts.

Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.


If running XP, Click on YES and allow the Recovery Console to install. If running Vista or 7, click on NO to continue the scanning for malware.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy/Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. ComboFix disconnects your machine from the internet. The connection is automatically restored before ComboFix completes its run.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.



Thanks.

Dave

#5 thetinderstick


Posted 02 October 2011 - 12:54 PM

Here's the Combofix log. Strangely, for some reason when I started the computer for the scan, all of my desktop icons were visible again. The desktop itself was still black. No clue why the icons are suddenly back again.

Also, the scan took long, about 90 minutes (I thought the scan had stalled). I got a few error messages about programs and files that failed to load, which disappeared quite quickly. I got a message that ComboFix was restarting Windows and after a while I got the log. Also ComboFix had removed some files such as the 'Data Recovery' icon that was on my desktop.


ComboFix 11-10-02.01 - Bonny 02-10-2011 17:46:29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.958.332 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Bonny\Bureaublad\ComboFix.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\1kAlMiG2Kb7FzP.exe
c:\documents and settings\Bonny\0.9659734999648405.exe
c:\documents and settings\Bonny\Application Data\desktop.ini
c:\documents and settings\Bonny\Application Data\FW-910792754.exe
c:\documents and settings\Bonny\Application Data\ntuser.dat
c:\documents and settings\Bonny\Bureaublad\Data Recovery.lnk
c:\program files\google\common\google updater\googleupdaterservice.exe
C:\Recycle.Bin
c:\recycle.bin\Recycle.Bin.exe
C:\Thumbs.db
c:\windows\system32\comct332.ocx
c:\windows\system32\d3d9caps.dat
c:\windows\system32\geyekresfkqrwj.dat
c:\windows\system32\geyekroiltqxxh.dat
c:\windows\system32\HotFixQ0306270.exe
c:\windows\system32\Memman.vxd
c:\windows\system32\skinboxer43.dll
c:\windows\system32\UAChlxrjmsyqyaqolmwq.db
c:\windows\system32\UACrkrvyeggxyxvitltn.dat
.
.
(((((((((((((((((((( Bestanden Gemaakt van 2011-09-02 to 2011-10-02 ))))))))))))))))))))))))))))))
.
.
2011-10-02 09:06 . 2011-10-02 09:06 -------- d-----r- c:\documents and settings\Bonny\Onlangs geopend
2011-09-27 17:45 . 2011-09-27 17:45 -------- d-----w- c:\documents and settings\Administrator
2011-09-09 09:12 . 2011-09-09 09:12 602624 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-03 15:55 . 2001-09-06 19:27 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-09-03 15:55 . 2008-04-14 17:02 159232 ----a-w- c:\windows\system32\ptpusd.dll
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2004-09-14 07:38 602624 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2006-09-27 14:04 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-09-14 07:38 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-09-03 22:25 . 2011-06-24 08:54 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-08-07 700416]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atwtusb"="atwtusb.exe beta" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
"nwiz"="nwiz.exe" [2006-08-23 1617920]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-23 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 282624]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 58992]
"Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 1537696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-10-24 206112]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-09-27 169984]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-11-09 110592]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"VirusScan Online"="c:\program files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"BigDogPath"="c:\windows\VM_STI.EXE" [2005-02-28 53248]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-06 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"U2PFD_PLUtil"="c:\program files\Corega\U2PFD_Utility\PLBkMon.exe" [2004-03-01 90112]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-02-06 454000]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"ZDWLan_Utility"="c:\program files\WLAN_Software\ZD1211B\ZDWLan.EXE" [2007-11-12 487424]
"AutoEJCD_0ACE20FF"="c:\program files\AutoInstall\ZD1211B_Auto_Install_CD_Only_Gen_0ACE20FF\AutoEJCD.EXE" [2009-10-03 40960]
"UPC"="c:\program files\UPC\bin\sprtcmd.exe" [2005-08-16 192512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-04 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2008-04-03 151552]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-12 623888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Bonny\Menu Start\Programma's\Opstarten\
Adobe Media Player.lnk - c:\program files\Adobe Media Player\Adobe Media Player.exe [N/A]
Mediacontrole Picture Motion Browser.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-12-15 344064]
Microsoft Office Snelzoeken.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-2-3 111376]
Office Opstarten.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-2-3 51984]
Yahoo! Widget Engine.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe [2006-5-23 1806336]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Adobe Acrobat Snelle start.lnk - c:\windows\Installer\{AC76BA86-1030-D700-7760-100000000002}\SC_Acrobat.exe [2007-1-16 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-9-27 7168]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
PC Clone EX.LNK - c:\program files\PcCloneEX\PcCloneEX.EXE [2009-12-4 5307392]
Sitecom Wireless Utility.lnk - c:\program files\Sitecom\Common\RaUI.exe [2009-10-29 1630208]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-10-18 122880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Bittorrent\\bittorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13-9-2010 17:27 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7-9-2010 4:48 26064]
R0 PLFF;USB Flash Disk Driver;c:\windows\system32\drivers\plff.sys [14-3-2007 0:03 7424]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7-9-2010 4:49 298448]
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [4-12-2009 22:31 7936]
S1 aiptektp;HyperPen;c:\windows\system32\drivers\aiptektp.sys [16-4-2008 21:09 22272]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7-9-2010 4:48 249424]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19-8-2010 22:42 123472]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19-8-2010 22:42 30288]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7-7-2011 19:31 195336]
S3 ZD1211BU(Atheros);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(Atheros);c:\windows\system32\drivers\ZD1211BU.sys [3-10-2009 22:39 500736]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
2011-10-02 c:\windows\Tasks\Scannen op virussen via McAfee.com - Mijn computer (BONNY-Bonny).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-09-27 16:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://luckypunkybonny.livejournal.com/friends/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = hxxp://www.google.nl/ig/dell?hl=nl&client=dell-row&channel=nl&ibd=6060927
uInternet Settings,ProxyOverride = *.local
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF file - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF file - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF file - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF file - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
TCP: DhcpNameServer = 62.179.104.196 213.46.228.196
DPF: {DC6FEBC5-0A2D-458A-A01B-5DB15EEC4305} - hxxp://webc.bonnybphotography.com/auth/controls/IlosoftImageUpload.dll
FF - ProfilePath - c:\documents and settings\Bonny\Application Data\Mozilla\Firefox\Profiles\7ff1grq9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://luckypunkybonny.livejournal.com/friends
FF - prefs.js: keyword.URL - hxxp://nl.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_nl&p=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Microsoft Firewall 2.9 - c:\documents and settings\Bonny\Application Data\FW-910792754.exe
HKCU-Run-4E3E0230AEBB4E96 - c:\recycle.bin\Recycle.Bin.exe
HKCU-Run-jmMlCrGvCaouHP.exe - c:\documents and settings\All Users\Application Data\jmMlCrGvCaouHP.exe
HKLM-Run-PLFFAP - c:\windows\system32\HotfixQ0306270.exe
HKLM-Run-RemoteAssist - (no file)
AddRemove-AVS4YOU Video Converter 6_is1 - g:\programmas\AVSVideoConverter6\unins000.exe
AddRemove-Easy Video Joiner_is1 - g:\programmas\Easy Video Joiner\unins000.exe
AddRemove-{14FA6DD9-92ED-493D-A937-81A78870E08A}_is1 - g:\programmas\Free Video Joiner\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-02 19:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3528)
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Windows Live\Family Safety\fsssvc.exe
c:\windows\System32\GEARSec.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\OasClnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\Norton Ghost\Agent\VProSvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Sitecom\Common\RegistryWriter.exe
c:\program files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\windows\system32\atwtusb.exe
c:\windows\system32\rundll32.exe
c:\program files\Dell Network Assistant\ezi_hnm2.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\MsiExec.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\progra~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2011-10-02 19:22:58 - machine was restarted
ComboFix-quarantined-files.txt 2011-10-02 17:22
.
Pre-Run: 60.048.306.176 bytes free
Post-Run: 62.231.810.048 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
Current=4 Default=4 Failed=3 LastKnownGood=2 Sets=1,2,3,4
- - End Of File - - 454CBACF2044C9BAE398B8D8CFC3A09D
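Added example, not part of the thread and not a ComboFix feature: a small Python triage pass over lines of the kind that appear in the ComboFix log above. It picks out the three things a responder reads from that log by hand: Security Center monitoring switched off per product, the standard-profile firewall set to EnableFirewall=0, and Run entries that launch from user-writable paths under random or vendor-sounding names (the "Microsoft Firewall 2.9" entry in Application Data and the Recycle.Bin.exe entry). The same name-masquerade rule also covers a file like the WiNlOgOn.exe that Malwarebytes later finds on the desktop. The sample lines are copied from the log above; the severity labels, the lists of system binary names and user-writable directories, and the random-name heuristic are the example's own assumptions, not anything ComboFix itself reports.

```python
"""Triage of ComboFix-style log lines for defence tampering and suspicious
autostart entries.  Added example, not part of the thread."""
import re
from dataclasses import dataclass

# Sample input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
HKCU-Run-Microsoft Firewall 2.9 - c:\documents and settings\Bonny\Application Data\FW-910792754.exe
HKCU-Run-4E3E0230AEBB4E96 - c:\recycle.bin\Recycle.Bin.exe
HKCU-Run-jmMlCrGvCaouHP.exe - c:\documents and settings\All Users\Application Data\jmMlCrGvCaouHP.exe
HKLM-Run-PLFFAP - c:\windows\system32\HotfixQ0306270.exe
HKLM-Run-RemoteAssist - (no file)
"""

# Assumed lists (the example's own, not from ComboFix): binary names rogues
# borrow from Windows, and directories an ordinary user can write to.
SYSTEM_NAMES = {"winlogon.exe", "explorer.exe", "svchost.exe", "csrss.exe",
                "lsass.exe", "services.exe", "smss.exe"}
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\",
                 "\\recycle.bin\\", "\\bureaublad\\", "\\desktop\\")
VENDOR_WORDS = ("microsoft", "windows", "firewall", "security", "antivirus")

RUN_RE = re.compile(r"^(?:HKCU|HKLM)-Run-(?P<name>.+?) - (?P<path>.+)$")
MONITOR_RE = re.compile(r"security center\\monitoring\\(?P<product>[^\]]+)\]", re.I)
# Heuristic: 12+ hex characters, or 12+ alphanumerics with no spaces ending in .exe.
RANDOM_RE = re.compile(r"^(?:[0-9A-Fa-f]{12,}|[A-Za-z0-9]{12,}\.exe)$")


@dataclass
class Finding:
    severity: str   # "high": act on it; "review": look, may be legitimate
    reason: str
    line: str


def check_run_entry(name, path, line=""):
    """Apply the autostart rules to one Run value; returns a list of Findings."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    writable = any(d in p for d in USER_WRITABLE)
    if p.strip() == "(no file)":
        return [Finding("review", "Run entry points at a missing file", line)]
    if base in SYSTEM_NAMES and "\\windows\\" not in p:
        return [Finding("high", f"{base} outside the Windows tree (name masquerade)", line)]
    if writable and RANDOM_RE.match(name):
        return [Finding("high", "random value name launching from a user-writable path", line)]
    if writable and any(w in name.lower() for w in VENDOR_WORDS):
        return [Finding("high", "vendor-sounding name on a user-profile binary", line)]
    if writable:
        # Per-user updaters also live here, so on its own this is only a review item.
        return [Finding("review", "autostart from a user-writable path", line)]
    return []


def triage(log_text):
    """Walk the log once; returns Findings in the order the lines appear."""
    findings = []
    product = None          # Security Center product whose key we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = MONITOR_RE.search(line)
            product = m.group("product") if m else None
            continue
        if product and '"DisableMonitoring"=dword:00000001' in line:
            # Third-party security suites can set this too, so it is a review item.
            findings.append(Finding("review", f"Security Center monitoring disabled for {product}", line))
            continue
        if '"EnableFirewall"= 0' in line:
            findings.append(Finding("high", "Windows Firewall disabled (standard profile)", line))
            continue
        m = RUN_RE.match(line)
        if m:
            findings.extend(check_run_entry(m.group("name"), m.group("path"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The rule ordering is the point: a binary under Application Data on its own is only "review", because legitimate per-user updaters install there too, and it becomes "high" only when paired with a random or vendor-sounding value name or a borrowed system binary name. The HotfixQ0306270.exe entry in system32 is deliberately not flagged by these rules; ComboFix listed it among the orphans it removed, but nothing in the log itself says what it was.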

#6 rigacci

    Fiorentino

  • Members
  • 2,604 posts
  • Gender:Male

Posted 03 October 2011 - 09:35 AM

Say thetinderstick, going over your logs I noticed that you have BitTorrent installed. :whistle:

•Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

•They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.

•Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.

•The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, with the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."
It is pretty much certain that if you continue to use P2P programs, you will get infected again.

It is also important to note that sharing entertainment files and proprietary software infringes copyright law in many countries around the world, and you are putting yourself at risk of being prosecuted by organisations that watch over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.



Next, let's run an MBAM scan.
  • Launch Malwarebytes' Anti-Malware
  • Click on the Update tab
  • Then click Check for Updates.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

And please, tell me how your computer is running.

Dave

#7 thetinderstick
  • Topic Starter
  • Members
  • 8 posts

Posted 03 October 2011 - 11:50 AM

Ok, I uninstalled Bittorrent. Haven't used it for months anyway.

I did the Anti-Malware scan. Finally it worked! You can find the log below. I noticed it removed a file that I downloaded from this very site! (Rootkiller, which didn't run on my comp before).

Also, strangely: the comp tries to install Windows (??) and Roxio Media Manager all the time for some reason. I get pop-up screens that I just cancel.

I feel we're getting there though.. thanks! :thumbup2:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7856

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3-10-2011 18:43:59
mbam-log-2011-10-03 (18-43-59).txt

Scan type: Quick scan
Objects scanned: 209365
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\all users\application data\13462964 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\Bonny\application data\13158921 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\13462964\13462964 (Rogue.Multiple) -> Quarantined and deleted successfully.
c:\documents and settings\Bonny\bureaublad\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#8 rigacci

    Fiorentino

  • Members
  • 2,604 posts
  • Gender:Male

Posted 03 October 2011 - 03:36 PM

Hey thetinderstick!

Also, strangely: the comp tries to install Windows (??) and Roxio Media Manager all the time for some reason. I get pop-up screens that I just cancel.


Can you tell me more about this? Maybe include a screenshot if possible? And is that "Windows" as in the Operating System?

Thanks.

Dave

#9 thetinderstick
  • Topic Starter
  • Members
  • 8 posts

Posted 03 October 2011 - 03:56 PM

Ok, take a look at the two screenshots attached (don't mind the desktop that's in need of cleaning up).

The first pop up screen says:
"Windows installer - preparing installation"

The second one says:
"the function you want to use is on a cd rom or on a drive that's not available"

When I click these screens away everything seems fine.

The desktop screen is also still black. BUT the internet is back on again and everything else seems to function normal :thumbsup:

Attached Files



#10 rigacci

    Fiorentino

  • Members
  • 2,604 posts
  • Gender:Male

Posted 04 October 2011 - 06:27 AM

Hi thetinderstick! I think you are right. Good progress so far! :thumbup2:

Those errors appear related and are to do with your Roxio install.

I would suggest you either find the Roxio CD and allow it to do its thing or uninstall it and reinstall.



Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!


Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • This page should check your installed version and determine if you need an update.
  • Look for "JDK 6 Update 27 (JDK or JRE)" (may not be necessary if it does it automatically).
  • Click the "Download JRE".
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u27-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.


Now I'd like you to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

Please also change your wallpaper. Let's make sure that works.

And tell me how your computer is running.


Thanks.

Dave
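Added example, not from the thread: a Python audit of Add/Remove Programs entries that applies the rule in the post above, namely that anything older than Adobe Reader X or JRE 6 Update 27 goes, and that every older JRE has to be removed by hand because the Java updater leaves previous versions in place. The sample entries are constructed to mirror this machine (Reader 7 and Acrobat 7 from the ComboFix log, Java 1.6.0_21 from the DDS header) plus the target releases; their version strings are assumed, not copied from the thread. The Java version spellings handled ("1.6.0_21", "6 Update 21", "6u27") are the forms that appear on this page; `read_uninstall_entries` reads the real Uninstall key on Windows and is skipped elsewhere.

```python
"""Audit of Add/Remove Programs entries for stale Adobe Reader and Java
installs, as the post above asks.  Added example, not from the thread."""
import re
import sys

# Minimums the post above asks for: Adobe Reader X (10) and JRE 6 Update 27.
MIN_READER = (10, 0)
MIN_JAVA = (6, 27)

# Constructed sample mirroring what this machine's Add/Remove list would show
# plus the target releases; the version strings are assumed, not from the thread.
SAMPLE_ENTRIES = [
    ("Adobe Reader 7.0.9", "7.0.9"),
    ("Adobe Acrobat 7.0 Professional", "7.0.0"),
    ("Java(TM) 6 Update 21", "6.0.210"),
    ("J2SE Runtime Environment 5.0 Update 6", "1.5.0.60"),
    ("Java(TM) 6 Update 27", "6.0.270"),
    ("Adobe Reader X (10.1.1)", "10.1.1"),
    ("WinZip 11.0", "11.0.7313"),
]

# The same Java release is spelled several ways: "1.6.0_21" (the DDS header),
# "6 Update 21" / "5.0 Update 6" (Add/Remove display name) and "6u27" (the
# download file name).  Normalise every form to (major, update).
JAVA_FORMS = [
    re.compile(r"\b1\.(\d+)\.0_(\d+)"),
    re.compile(r"\b(\d+)(?:\.0)? Update (\d+)", re.I),
    re.compile(r"\b(\d+)u(\d+)\b"),
]


def java_version(text):
    for form in JAVA_FORMS:
        m = form.search(text)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def reader_version(text):
    """(major, minor) for an Adobe Reader/Acrobat entry; Reader X is 10."""
    m = re.search(r"\b(\d+)\.(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = re.search(r"\bReader (X|XI)\b", text)
    if m:
        return (10 if m.group(1) == "X" else 11), 0
    return None


def audit(entries):
    """Map each Java / Adobe Reader / Acrobat entry to 'keep' or 'remove';
    an entry whose version cannot be parsed is 'remove' so that it gets looked at."""
    verdicts = []
    for name, version in entries:
        low = name.lower()
        text = f"{name} {version}"
        if "java" in low or "j2se" in low:
            v, minimum = java_version(text), MIN_JAVA
        elif "adobe reader" in low or "acrobat" in low:
            v, minimum = reader_version(text), MIN_READER
        else:
            continue
        verdicts.append((name, "keep" if v and v >= minimum else "remove"))
    return verdicts


def read_uninstall_entries():
    """Windows only: (DisplayName, DisplayVersion) pairs from the Uninstall key."""
    import winreg
    root_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root_path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                try:
                    name = winreg.QueryValueEx(sub, "DisplayName")[0]
                    version = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                except OSError:       # entry lacks one of the two values
                    continue
                entries.append((name, version))
    return entries


if __name__ == "__main__":
    entries = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, verdict in audit(entries):
        print(f"{verdict:6}  {name}")
```

Run it once before and once after the update: on the first pass everything Java and Adobe should come back "remove" (the post's "uninstall all versions" step), and after the reinstall exactly one JRE and one Reader should remain as "keep". Any second "remove" line for Java after the update is one of the leftover older versions the post warns the updater will not clean up.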

#11 thetinderstick
  • Topic Starter
  • Members
  • 8 posts

Posted 05 October 2011 - 12:14 PM

Allright, I uninstalled Roxio (didn't even know I had it!), updated Adobe Reader and Java, and changed my wallpaper.
Everything worked fine!

Then I did the ESET scan. Here's the log:

C:\Documents and Settings\Bonny\Local Settings\Application Data\Mozilla\Firefox\Profiles\7ff1grq9.default\Cache(2)\0E0B67E4d01 PDF/Exploit.Gen trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\_Recycle.Bin_.exe.zip a variant of Win32/Kryptik.MUY trojan deleted - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\1kAlMiG2Kb7FzP.exe.vir Win32/Kryptik.TDV trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Bonny\0.9659734999648405.exe.vir Win32/Kryptik.TDV trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Bonny\Application Data\FW-910792754.exe.vir a variant of Win32/Kryptik.MIC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{20FACB27-B213-45DF-B711-A07B77057628}\RP1022\A0236466.exe Win32/Kryptik.TDV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{20FACB27-B213-45DF-B711-A07B77057628}\RP1023\A0236532.exe Win32/Kryptik.TDV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{20FACB27-B213-45DF-B711-A07B77057628}\RP1023\A0236533.exe Win32/Kryptik.TDV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{20FACB27-B213-45DF-B711-A07B77057628}\RP1023\A0236534.exe a variant of Win32/Kryptik.MIC trojan cleaned by deleting - quarantined

#12 rigacci

    Fiorentino

  • Members
  • 2,604 posts
  • Gender:Male

Posted 05 October 2011 - 08:10 PM

Hi thetinderstick! You are ALL CLEAN! :thumbsup:

Click Start>Run on the taskbar and then type Combofix /uninstall.
This should start ComboFix running and uninstall it.



Please read the following, in order to prevent reinfecting your PC:

1.Install and update the following programs regularly:
  • an outbound firewall
    A comprehensive tutorial and a list of possible firewalls can be found here.
  • an AntiVirus Software
    It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
  • an Anti-Spyware program
    Malwarebytes' Anti-Malware
    is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions add a resident component and do not nag.
  • Spyware Blaster
    A tutorial for Spywareblaster can be found here. The commercial version provides automatic updating.
  • MVPs hosts file
    A tutorial for MVPs hosts file can be found here. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file
2.Keep Windows (and your other Microsoft software) up to date!
This is EXTREMELY important. Holes are often found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

3.Keep your other software up to date as well
Software does not need to be made by Microsoft to be insecure.

4.Stay up to date!
The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead.

Safe surfing! :thumbup2:

DR

Edited by elise025, 06 October 2011 - 05:37 AM.


#13 thetinderstick
  • Topic Starter
  • Members
  • 8 posts

Posted 06 October 2011 - 03:31 PM

Ok, done! We're back in business!
Thanks for all your help Dave, you're doing an amazing job helping people like me out!!

:dance: :busy: :thumbup2: :clapping: :thumbsup:

#14 Casey_boy

    Bleeping physicist

  • Malware Response Team
  • 7,765 posts
  • Gender:Male
  • Location:UK

Posted 08 October 2011 - 04:49 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.






