OpenCloud Virus - CANNOT CONNECT TO INTERNET


  • This topic is locked
51 replies to this topic

#1 AmyMc1

AmyMc1

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 11 October 2011 - 11:58 AM

Hello -

I have spent more time than I am willing to admit trying to fix my computer after finding the OpenCloud AntiVirus installed on my computer one day. I have run every antivirus and spyware removal tool recommended (Malwarebytes, Spyware Doctor, etc.); the tools either do not run or I get the message that there are no malicious files detected. I can boot the PC in Safe Mode and run some of the tools, and I no longer can find any OpenCloud files; however, I no longer have internet connectivity, it states my Windows Firewall cannot run, and whenever I try to boot the computer in Safe Mode with Networking, I get the dreaded blue screen. I have followed the steps to restore my Windows Firewall and restart the computer; it is on, then within 3 minutes or so it is disabled, so there is obviously some other process or file I cannot find still infecting the computer. I also cannot do a system restore, nor install any "fix" programs.
I just ran ComboFix and it found RootKit.ZeroAccess ... not sure if that is the issue.

PLEASE HELP!!! :)

I am running Windows XP - Service Pack 3 on a Dell Inspiron 1520
I had Trend Micro Titanium Anti-virus which at this point I am NOT going to renew as I seem to get more viruses with it than without it.


#2 AmyMc1

AmyMc1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 12 October 2011 - 03:15 PM

Also, I now oddly have two Internet Connection icons in the Control panel.
And to the many others infected with this OpenCloud issue and advised to run Combofix, been there - done that, didn't work <_<

#3 AmyMc1

AmyMc1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 13 October 2011 - 10:45 AM

I had recently found the virus OpenCloud on my machine and thought I successfully removed it.
However, I can no longer start Windows Firewall nor connect to the internet.
I have used the fix programs to start Windows Firewall, will reboot and it will be on then within 3 minutes it shuts down again.
I have done all I know to reset my IP to connect to the internet and that fails as well.
I am at my wits end with this, please help! :)

- Amy

Edited by Orange Blossom, 13 October 2011 - 12:04 PM.
Merged topics. ~ OB


#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,854 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:44 PM

Posted 13 October 2011 - 12:04 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. Since you have run ComboFix, please include the ComboFix log in the new topic.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, include the information that you were unable to produce the other logs, include the ComboFix log, and describe what happens when you try to create the other logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 AmyMc1

AmyMc1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 14 October 2011 - 11:40 AM

I followed everything from Step 6 in the requested guide and have attached the logs produced.
My computer still is not working correctly, and I have been using an alternate computer to access the internet and transfer the files via USB.

Any further advice, recommendations would be greatly appreciated!!!

Attached Files



#6 AmyMc1

AmyMc1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 14 October 2011 - 10:44 PM

After becoming frustrated further, I did a re-installation of Windows (not clean, just a repair of the existing installation).
During the re-installation I received the error that the file S24TRANS.SYS could not be found, so I skipped it and went through with the installation, rebooted the machine and miraculously I was able to connect to the internet via an ethernet cable, but my wireless is still out ... it says I do not have an adapter anymore, and wouldn't you know it, when I try to run any programs they once again ... CRASH!!!! I get message boxes that either a device is not functioning correctly or some other file error, just as before. Incidentally it is only with anti-virus programs, so I have been running them from a USB drive.

I am guessing I still have an infected machine :(
Ran Combofix again and the log stated C:\windows\system32\kernel.dll is infected.
I ran TDSSKiller and it came back with nothing.
Now running Malwarebytes (updated) again .... running out of ideas.

Again, any help would be GREATLY appreciated!!! :)

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 15 October 2011 - 03:20 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 AmyMc1

AmyMc1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 15 October 2011 - 05:48 PM

Hello!

I ran Combofix as directed and below is the log produced. I still cannot run any anti-virus applications, such as the one I previously had installed (TrendMicro Titanium) or the new one that I was able to install (but cannot run), System Mechanic Total Care. I receive error messages that a device attached to the system is not functioning, or the required module cannot be found, or there is an error in the module, etc.

I was able to get my LAN network back up via a Windows re-installation without format; however, my wireless is still on the fritz.

Any help you could provide would be very much appreciated!!! :)

Ok, apparently my post is too long with the log file pasted in, so I will attach it and create a new post with just the Combofix log. :huh:

I couldn't copy and paste the log file into the reply, it was too big so it is zipped and attached, let me know if you need anything else.

Attached Files


Edited by AmyMc1, 15 October 2011 - 05:50 PM.


#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 15 October 2011 - 08:59 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
kernel32.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#10 AmyMc1

AmyMc1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 15 October 2011 - 10:45 PM

Executed SystemLook; below are the results from the log.

SystemLook 30.07.11 by jpshortstuff
Log created at 22:38 on 15/10/2011 by Amy
Administrator - Elevation successful

========== filefind ==========

Searching for "kernel32.dll"
C:\i386\kernel32.dll --a---- 984576 bytes [20:07 15/01/2008] [15:52 16/04/2007] A01F9CA902A88F7CED06884174D6419D
C:\WINDOWS\$hf_mig$\KB917422\SP2QFE\kernel32.dll --a---- 985088 bytes [22:31 07/01/2008] [10:57 05/07/2006] 0FDD84928A5DDE2510761B7EC76CCEC9
C:\WINDOWS\$hf_mig$\KB935839\SP2QFE\kernel32.dll --a---- 986112 bytes [22:33 07/01/2008] [16:07 16/04/2007] 09F7CB3687F86EDAA4CA081F7AB66C03
C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll --a---- 991744 bytes [13:59 21/03/2009] [13:59 21/03/2009] DA11D9D6ECBDF0F93436A4B7C13F7BEC
C:\WINDOWS\ERDNT\cache\kernel32.dll --a---- 983552 bytes [17:27 11/10/2011] [10:00 04/08/2004] 888190E31455FAD793312F8D087146EB
C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp2gdr\kernel32.dll --a---- 986112 bytes [14:18 21/03/2009] [14:18 21/03/2009] B6ACAED7588295129791E0E6A2B0FADE
C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp2qfe\kernel32.dll --a---- 989184 bytes [13:54 21/03/2009] [13:54 21/03/2009] 80202858D245FF07DAA1739C57A3E19B
C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll --a---- 989696 bytes [14:06 21/03/2009] [14:06 21/03/2009] B921FB870C9AC0D509B2CCABBBBE95F3
C:\WINDOWS\system32\kernel32.dll --a---- 983552 bytes [10:00 04/08/2004] [10:00 04/08/2004] 888190E31455FAD793312F8D087146EB

-= EOF =-
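A SystemLook ":filefind" block like the one above is only useful if you compare the copies against each other: the helper is checking whether the kernel32.dll that Windows actually loads (the system32 copy) still matches a known copy elsewhere on the disk. The following script is an added example, not code from this thread or from SystemLook's author; it parses the file lines from the log posted above (used here as constructed sample input), groups the copies by MD5 and reports whether the live copy's hash is shared by any backup or cache copy. The path of the live copy and the reading of the two timestamps are assumptions stated in the comments.

```python
import re
from collections import defaultdict

# Constructed sample: the ":filefind kernel32.dll" result block as posted above in this thread.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 22:38 on 15/10/2011 by Amy
Administrator - Elevation successful

========== filefind ==========

Searching for "kernel32.dll"
C:\i386\kernel32.dll --a---- 984576 bytes [20:07 15/01/2008] [15:52 16/04/2007] A01F9CA902A88F7CED06884174D6419D
C:\WINDOWS\$hf_mig$\KB917422\SP2QFE\kernel32.dll --a---- 985088 bytes [22:31 07/01/2008] [10:57 05/07/2006] 0FDD84928A5DDE2510761B7EC76CCEC9
C:\WINDOWS\$hf_mig$\KB935839\SP2QFE\kernel32.dll --a---- 986112 bytes [22:33 07/01/2008] [16:07 16/04/2007] 09F7CB3687F86EDAA4CA081F7AB66C03
C:\WINDOWS\$hf_mig$\KB959426\SP3QFE\kernel32.dll --a---- 991744 bytes [13:59 21/03/2009] [13:59 21/03/2009] DA11D9D6ECBDF0F93436A4B7C13F7BEC
C:\WINDOWS\ERDNT\cache\kernel32.dll --a---- 983552 bytes [17:27 11/10/2011] [10:00 04/08/2004] 888190E31455FAD793312F8D087146EB
C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp2gdr\kernel32.dll --a---- 986112 bytes [14:18 21/03/2009] [14:18 21/03/2009] B6ACAED7588295129791E0E6A2B0FADE
C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp2qfe\kernel32.dll --a---- 989184 bytes [13:54 21/03/2009] [13:54 21/03/2009] 80202858D245FF07DAA1739C57A3E19B
C:\WINDOWS\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll --a---- 989696 bytes [14:06 21/03/2009] [14:06 21/03/2009] B921FB870C9AC0D509B2CCABBBBE95F3
C:\WINDOWS\system32\kernel32.dll --a---- 983552 bytes [10:00 04/08/2004] [10:00 04/08/2004] 888190E31455FAD793312F8D087146EB

-= EOF =-
"""

# One file line: <path> <7 attribute flags> <size> bytes [stamp] [stamp] <MD5>.
# SystemLook prints two timestamps; in this log the first one changes when a copy is
# made (see the ERDNT cache entry, copied 11/10/2011 but still carrying the 2004 stamp
# in the second field), so it is read here as creation time and the second as last-write.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file line of a SystemLook :filefind block."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["md5"] = d["md5"].upper()
            entries.append(d)
    return entries


def group_by_md5(entries):
    """Map each MD5 to the list of paths that carry it."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def check_live_copy(entries, live_path=r"C:\WINDOWS\system32\kernel32.dll"):
    """Compare the copy Windows loads (assumed: the system32 path) against every other copy.

    A live system file whose hash is shared with a backup or cache copy is corroborated.
    A hash that no other copy carries is not proof of tampering (service-pack levels differ),
    but it means the file must be checked against a clean reference of the same build.
    """
    by_path = {e["path"].lower(): e for e in entries}
    live = by_path.get(live_path.lower())
    if live is None:
        return {"found": False}
    matching = [e["path"] for e in entries
                if e["md5"] == live["md5"] and e["path"].lower() != live_path.lower()]
    return {
        "found": True,
        "md5": live["md5"],
        "size": live["size"],
        "matching_copies": matching,
        "corroborated": bool(matching),
    }


if __name__ == "__main__":
    parsed = parse_filefind(SAMPLE_LOG)
    for md5, paths in group_by_md5(parsed).items():
        print(md5, "->", len(paths), "copy/copies")
    print(check_live_copy(parsed))
```

Read together with the log, the result says the live system32 copy hashes the same as the copy ComboFix backed up under ERDNT\cache; the other copies are different service-pack or hotfix builds, which is why their hashes legitimately differ.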

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 15 October 2011 - 11:03 PM

I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#12 AmyMc1

AmyMc1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  • Gender:Female
  • Local time:09:44 PM

Posted 17 October 2011 - 09:00 AM

Below is the log after running ComboFix with the custom script.
I cannot enable or disable my anti-virus; as stated before, it crashes or gives me an error when I try to open it.
It does not appear Combofix "fixed" anything ...



ComboFix 11-10-16.03 - Amy 10/17/2011 8:36.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2264 [GMT -5:00]
Running from: c:\documents and settings\Amy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amy\Desktop\CFScript.txt
AV: System Shield *Enabled/Updated* {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-09-17 to 2011-10-17 )))))))))))))))))))))))))))))))
.
.
2011-10-15 03:23 . 2011-10-15 03:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-15 03:23 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-15 03:11 . 2011-10-15 03:11 -------- d-----w- c:\windows\LastGood
2011-10-15 02:06 . 2011-10-15 02:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\iolo
2011-10-15 02:00 . 2011-10-15 02:00 -------- d-----w- C:\iolo
2011-10-15 01:40 . 2011-01-21 17:33 1171776 ----a-r- c:\windows\system32\drivers\ampse.sys
2011-10-15 01:39 . 2011-01-21 17:33 138048 ----a-r- c:\windows\system32\drivers\amp.sys
2011-10-15 01:39 . 2011-10-15 01:39 -------- d-----w- c:\program files\Common Files\Authentium
2011-10-15 01:39 . 2011-10-15 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Authentium
2011-10-15 01:37 . 2009-12-02 20:30 118784 ----a-w- c:\windows\system32\iavlsp.dll
2011-10-15 01:37 . 2010-09-23 18:29 511328 ----a-w- c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
2011-10-15 01:37 . 2011-08-08 19:18 2083464 ----a-w- c:\windows\system32\Incinerator32.dll
2011-10-15 01:37 . 2011-08-08 20:01 11776 ----a-w- c:\windows\system32\smrgdf.exe
2011-10-15 01:37 . 2011-08-08 20:01 29696 ----a-w- c:\windows\system32\iolobtdfg.exe
2011-10-15 01:37 . 2010-02-09 03:59 56200 ----a-w- c:\windows\system32\offreg.dll
2011-10-15 01:37 . 2011-10-15 01:37 -------- d-----w- c:\program files\iolo
2011-10-14 22:10 . 2004-08-04 10:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2011-10-14 22:10 . 2004-08-04 10:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2011-10-14 22:10 . 2004-08-04 10:00 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2011-10-14 22:10 . 2004-08-04 10:00 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2011-10-14 22:10 . 2004-08-04 10:00 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2011-10-14 22:08 . 2001-08-18 03:36 26112 -c--a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-10-14 22:07 . 2004-08-04 10:00 111104 -c--a-w- c:\windows\system32\dllcache\mtstocom.exe
2011-10-14 22:06 . 2004-08-04 10:00 9216 -c--a-w- c:\windows\system32\dllcache\kbdnecat.dll
2011-10-14 22:05 . 2004-08-04 10:00 39936 -c--a-w- c:\windows\system32\dllcache\hostmib.dll
2011-10-14 22:04 . 2004-08-04 10:00 480256 -c--a-w- c:\windows\system32\dllcache\cintsetp.exe
2011-10-14 22:03 . 2001-08-18 03:36 5632 -c--a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2011-10-14 22:03 . 2003-03-24 21:52 16384 -c--a-w- c:\windows\system32\dllcache\tcptsat.dll
2011-10-14 22:03 . 2003-03-24 21:52 32827 -c--a-w- c:\windows\system32\dllcache\tcptest.exe
2011-10-14 22:03 . 2003-03-24 21:52 20536 -c--a-w- c:\windows\system32\dllcache\shtml.dll
2011-10-14 22:03 . 2003-03-24 21:52 16437 -c--a-w- c:\windows\system32\dllcache\shtml.exe
2011-10-14 21:52 . 2004-08-04 10:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-10-14 21:52 . 2004-08-04 10:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-10-14 21:51 . 2004-08-04 10:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2011-10-14 21:51 . 2004-08-04 10:00 32768 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwdl.dll
2011-10-14 21:51 . 2004-08-04 10:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2011-10-14 21:51 . 2004-08-04 10:00 86016 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe
2011-10-14 21:51 . 2004-08-04 10:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2011-10-14 21:51 . 2004-08-04 10:00 214528 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
2011-10-14 21:51 . 2004-08-04 10:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2011-10-14 21:51 . 2004-08-04 10:00 20480 ----a-w- c:\program files\Internet Explorer\Connection Wizard\inetwiz.exe
2011-10-14 20:36 . 2004-08-04 10:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-10-14 20:36 . 2004-08-04 10:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-10-14 20:36 . 2004-08-04 10:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-10-14 20:36 . 2004-08-04 10:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-10-14 20:36 . 2006-03-30 10:03 22339 ----a-r- c:\windows\SET1A8.tmp
2011-10-14 20:36 . 2005-03-30 17:54 10559 ----a-r- c:\windows\SET1A9.tmp
2011-10-14 20:35 . 2004-08-04 10:00 13753 ----a-r- c:\windows\SET175.tmp
2011-10-14 20:35 . 2004-08-04 10:00 1086058 ----a-r- c:\windows\SET169.tmp
2011-10-14 20:35 . 2004-08-04 10:00 1042903 ----a-r- c:\windows\SET166.tmp
2011-10-14 15:20 . 2011-10-14 15:20 -------- d-----w- c:\windows\dell
2011-10-11 02:13 . 2011-10-11 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-10-10 22:00 . 2011-10-10 22:00 -------- d-----w- c:\windows\system32\vmm32
2011-10-06 00:47 . 2005-07-08 19:19 666 ----a-w- c:\windows\speed.reg
2011-09-30 02:10 . 2011-09-30 02:10 -------- d-----w- c:\documents and settings\Amy\Application Data\Malwarebytes
2011-09-30 01:45 . 2011-10-06 01:48 -------- d-----w- c:\documents and settings\Administrator.LAPTOP
2011-09-29 21:20 . 2011-09-29 21:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-29 20:30 . 2011-09-29 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-29 03:02 . 2011-09-29 03:02 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2011-09-29 02:25 . 2011-09-29 21:19 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ArcSoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-15_03.06.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 19:03 . 2011-10-15 12:53 78479 c:\windows\pchealth\helpctr\OfflineCache\index.dat
- 2004-08-10 19:03 . 2011-10-13 01:30 78479 c:\windows\pchealth\helpctr\OfflineCache\index.dat
+ 2004-08-10 19:03 . 2011-10-15 12:53 4626 c:\windows\pchealth\helpctr\PackageStore\SkuStore.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-07 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"SPIRun"="SPIRun.dll" [2006-11-30 8704]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-18 177472]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-10 405504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\Amy\Start Menu\Programs\Startup\
Ovulation Calendar.lnk - c:\program files\Ovulation Calendar\OVUCAL.EXE [2004-8-9 377856]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-7 50688]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-11-13 805392]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileSharing"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 08:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventSystem]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseamps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vsedsps]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vseqrts]
@="Service"
path=
backup=
backupExtension=Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VersionTrackerPro.lnk]
backup=c:\windows\pss\VersionTrackerPro.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Amy^Start Menu^Programs^Startup^..]
path=c:\documents and settings\Amy\Start Menu\Programs\Startup\..
.
[HKLM\~\startupfolder\C:^Documents and Settings^Amy^Start Menu^Programs^Startup^scandisk.lnk]
backup=c:\windows\pss\scandisk.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MyWebSearchService"=2 (0x2)
"MBAMService"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\iolo\\System Mechanic PC TotalCare\\SysMech.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
.
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
R2 AMP;Active Malware Protection Minifilter Driver;c:\windows\system32\drivers\amp.sys [10/14/2011 8:39 PM 138048]
R2 AMPSE;Active Malware Protection Support Driver;c:\windows\system32\drivers\ampse.sys [10/14/2011 8:40 PM 1171776]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R2 vseamps;vseamps;c:\program files\Common Files\Authentium\AntiVirus5\vseamps.exe [1/21/2011 12:25 PM 97088]
R2 vsedsps;vsedsps;c:\program files\Common Files\Authentium\AntiVirus5\vsedsps.exe [1/21/2011 12:26 PM 97088]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 9:01 AM 135664]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [10/14/2011 8:37 PM 722616]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 9:01 AM 135664]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 12:49 AM 8320]
S3 QZVWSY;QZVWSY;c:\docume~1\Amy\LOCALS~1\Temp\QZVWSY.exe --> c:\docume~1\Amy\LOCALS~1\Temp\QZVWSY.exe [?]
S3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [1/15/2008 7:18 PM 735744]
S3 t3filt;t3filt;c:\windows\system32\drivers\t3filt.sys [1/15/2008 7:18 PM 1656960]
S3 vseqrts;vseqrts;c:\program files\Common Files\Authentium\AntiVirus5\vseqrts.exe [1/21/2011 12:26 PM 142144]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 85803492
*Deregistered* - 85803492
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 14:01]
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-19 14:01]
.
2011-10-16 c:\windows\Tasks\Roxio PhotoShow Updater.job
- c:\program files\Roxio\PhotoShow\auto_updater_shim.exe [2010-12-02 01:52]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/&s=S88i1IByBPHp7m16VdflEv-ODdk
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: Read EXIF - c:\program files\ArcSoft\RAW Thumbnail Viewer\ArcEXIFM.htm
LSP: c:\windows\system32\iavlsp.dll
Trusted Zone: honeywell.com
Trusted Zone: mobilespy.com\www
Trusted Zone: mobilespylogs.com\www
Trusted Zone: turbotax.com
Trusted Zone: windowsupdate.com
TCP: DhcpNameServer = 192.168.0.1
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 08:47
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-561238910-1841606647-4101923182-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-561238910-1841606647-4101923182-1006\Software\SecuROM\License information*]
"datasecu"=hex:4a,00,d6,cd,2f,5a,09,9d,31,9e,17,90,f1,2b,6f,d3,fd,30,b9,88,33,
83,09,cc,65,63,6e,74,af,26,07,cd,38,69,45,39,7f,c4,1a,f5,6c,e3,38,8d,48,e8,\
"rkeysecu"=hex:a7,cd,ef,bf,dc,4c,51,32,f5,e9,02,c9,70,fa,8c,38
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\iavlsp.dll
.
- - - - - - - > 'explorer.exe'(2144)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-17 08:56:47
ComboFix-quarantined-files.txt 2011-10-17 13:56
ComboFix2.txt 2011-10-15 03:17
ComboFix3.txt 2011-10-13 15:54
ComboFix4.txt 2011-10-12 02:33
ComboFix5.txt 2011-10-17 13:35
.
Pre-Run: 168,737,812,480 bytes free
Post-Run: 168,791,863,296 bytes free
.
- - End Of File - - 240797689789FD1D4DC5A0CA0C958235

Edited by AmyMc1, 17 October 2011 - 09:02 AM.
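
The services section of a ComboFix log (the R2/S2/S3 lines above) is where a helper looks first for persistence that does not belong. The script below is an added example, not part of this thread and not ComboFix's own code: it parses a few service lines taken from the log above (used as constructed sample input) and applies two review heuristics a defender would run over any such list: a service image that runs from a Temp directory, and an entry where ComboFix printed "-->" with "[?]" instead of a date and size, which this example treats as "the file could not be found on disk" (an assumption about ComboFix's notation). Flagged entries are candidates for review, not verdicts.

```python
import re

# Constructed sample: four service lines copied from the ComboFix log posted above
# (a minifilter driver, an updater service, the Temp-resident entry and an audio driver).
SAMPLE_SERVICES = r"""R2 AMP;Active Malware Protection Minifilter Driver;c:\windows\system32\drivers\amp.sys [10/14/2011 8:39 PM 138048]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 9:01 AM 135664]
S3 QZVWSY;QZVWSY;c:\docume~1\Amy\LOCALS~1\Temp\QZVWSY.exe --> c:\docume~1\Amy\LOCALS~1\Temp\QZVWSY.exe [?]
S3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [1/15/2008 7:18 PM 735744]
"""

# <start type> <name>;<display name>;<image path>[ --> <resolved path>] [<date size> | ?]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)


def parse_services(text):
    """Return one dict per service/driver line; unmatched lines are skipped."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(m.groupdict())
    return services


def triage_service(svc):
    """List the review reasons for one parsed entry; an empty list means nothing odd."""
    reasons = []
    image = svc["image"].lower()
    # Legitimate services and drivers are installed under Windows or Program Files;
    # a service whose binary lives in a user's Temp folder deserves a second look.
    if "\\temp\\" in image:
        reasons.append("image runs from a Temp directory")
    # Assumption: ComboFix writes "--> <path> [?]" when it cannot stat the image file,
    # i.e. the registered service points at a file that is no longer on disk.
    if svc["info"].strip() == "?":
        reasons.append("image file not found on disk")
    return reasons


def triage(text):
    """Parse a services block and return only the entries that have review reasons."""
    findings = []
    for svc in parse_services(text):
        reasons = triage_service(svc)
        if reasons:
            findings.append({"name": svc["name"], "start": svc["start"],
                             "image": svc["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES):
        print(f["start"], f["name"], f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample, only the QZVWSY entry is reported, for both reasons; the three normally installed services pass. The same parser runs unchanged over the full R2/S2/S3 block of a log, since every line there follows the one line format the regular expression describes.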


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 17 October 2011 - 09:06 AM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl+C) and paste (Ctrl+V) the text inside the code box below into Notepad.

@ECHO OFF
REM Change to the root of C:, where junction.exe was extracted (/d also switches drive if needed)
cd /d c:\
REM Recursively list every junction under C:\ and write the results to log.txt
junction -s c:\ >log.txt
REM Open the log so it can be copied into the reply
start log.txt
REM Remove this batch file once it has run
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 AmyMc1

AmyMc1
  • Topic Starter

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:09:44 PM

Posted 17 October 2011 - 10:54 AM

Hello -

Below is the log produced.
Are we making any progress here? Any ideas on what the issue is?
And again, thank you for your help!! B)


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\Documents and Settings\All Users\Documents: Access is denied.


Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e


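Added example, not code from this thread or from Sysinternals: a small Python parser for the Junction log format posted above. It separates the always-locked system files from the folder that returned "Access is denied" (the finding the next reply follows up on) and lists junctions that resolve outside WinSxS for manual review. The sample log is constructed from the posted output, and treating C:\WINDOWS\WinSxS as the trusted junction target is an assumption.

```python
import re

# Constructed sample in the format Junction v1.06 printed above (heavily shortened).
# The last entry, a junction to another drive, is made up to exercise the review branch.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\All Users\Documents: Access is denied.
\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
\\?\c:\\Documents and Settings\Owner\My Documents\Archive: JUNCTION
Print Name : D:\Archive
Substitute Name: D:\Archive
"""

FAILED_RE = re.compile(r"^Failed to open (?P<path>.+?): (?P<reason>.+)$")
JUNCTION_RE = re.compile(r"^(?P<path>\\\\\?\\.+?): JUNCTION$")
TARGET_RE = re.compile(r"^(?P<kind>Print Name|Substitute Name)\s*:\s*(?P<target>.+?)$")


def parse_junction_log(text):
    """Return (failures, junctions): failures as (path, reason) pairs,
    junctions as dicts with 'path', 'Print Name' and 'Substitute Name'."""
    failures, junctions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()  # the forum copy lost Junction's indentation
        if m := FAILED_RE.match(line):
            failures.append((m["path"], m["reason"]))
            current = None
        elif m := JUNCTION_RE.match(line):
            current = {"path": m["path"], "Print Name": "", "Substitute Name": ""}
            junctions.append(current)
        elif (m := TARGET_RE.match(line)) and current is not None:
            current[m["kind"]] = m["target"]
    return failures, junctions


def triage(text, trusted_prefix=r"C:\WINDOWS\WinSxS"):
    """Split the log into expected noise and the items a responder follows up on."""
    failures, junctions = parse_junction_log(text)
    return {
        # hiberfil.sys and pagefile.sys are always locked while Windows runs: not a finding
        "in_use": [p for p, r in failures if "being used by another process" in r],
        # a user-data folder the owner cannot open is what the permissions reset addresses
        "access_denied": [p for p, r in failures if r.startswith("Access is denied")],
        # assumption: the .NET GAC junctions all resolve into WinSxS, so anything
        # pointing elsewhere is listed for manual review rather than assumed bad
        "review": [j["path"] for j in junctions
                   if not j["Substitute Name"].lower().startswith(trusted_prefix.lower())],
    }
```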
#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:44 PM

Posted 17 October 2011 - 01:50 PM

Hello

If the following does not fix your antivirus, then I need you to uninstall the antivirus and reinstall it.

We need to reset some permissions that the virus changed.

Download GrantPerms.zip and save it to your desktop.

Unzip the file and, depending on the system, run GrantPerms.exe or GrantPerms64.exe.
Copy and paste the following in the edit box:

c:\Documents and Settings\All Users\Documents
Click Unlock. When it is done, click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run from.

Gringo



