XP Security 2012 & TR/Crypt.ZPACK.GEN virus


  • This topic is locked
10 replies to this topic

#1 krMitchell

Posted 26 December 2011 - 10:24 AM

A few days ago, I had the popup windows associated with the "XP Security 2012" virus start appearing. I found on the Internet how to stop the process for the virus. On my PC it was ejg.exe. About the same time, my Avira Anti-Virus software found that the file C:\Windows\system32\drivers\i8042prt.sys was corrupted with TR/Crypt.ZPACK.GEN. Avira cleaned this and as part of the process did a restart. Here is the Avira log:

==========================================================================
Avira Free Antivirus
Report file date: Monday, December 19, 2011 15:36

Scanning for 3586967 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : OFFICE

Version information:
BUILD.DAT : 12.0.0.870 41827 Bytes 12/9/2011 15:01:00
AVSCAN.EXE : 12.1.0.18 490448 Bytes 10/25/2011 21:01:19
AVSCAN.DLL : 12.1.0.17 54224 Bytes 9/23/2011 17:34:56
LUKE.DLL : 12.1.0.17 68304 Bytes 10/11/2011 19:00:17
AVSCPLR.DLL : 12.1.0.21 99536 Bytes 12/8/2011 22:32:52
AVREG.DLL : 12.1.0.27 227536 Bytes 12/9/2011 22:31:44
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 00:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 15:07:39
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 21:08:51
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 16:00:55
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 16:18:22
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 18:12:53
VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 13:26:09
VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 19:00:25
VBASE008.VDF : 7.11.18.32 2132992 Bytes 11/24/2011 22:34:36
VBASE009.VDF : 7.11.18.33 2048 Bytes 11/24/2011 22:34:36
VBASE010.VDF : 7.11.18.34 2048 Bytes 11/24/2011 22:34:36
VBASE011.VDF : 7.11.18.35 2048 Bytes 11/24/2011 22:34:36
VBASE012.VDF : 7.11.18.36 2048 Bytes 11/24/2011 22:34:37
VBASE013.VDF : 7.11.18.89 204800 Bytes 11/28/2011 22:31:02
VBASE014.VDF : 7.11.18.145 143872 Bytes 12/1/2011 22:31:17
VBASE015.VDF : 7.11.18.180 173056 Bytes 12/2/2011 22:31:14
VBASE016.VDF : 7.11.18.208 164864 Bytes 12/5/2011 22:31:26
VBASE017.VDF : 7.11.18.239 177152 Bytes 12/6/2011 22:31:29
VBASE018.VDF : 7.11.19.36 171520 Bytes 12/9/2011 22:31:38
VBASE019.VDF : 7.11.19.77 144896 Bytes 12/13/2011 22:31:51
VBASE020.VDF : 7.11.19.115 177664 Bytes 12/15/2011 22:31:58
VBASE021.VDF : 7.11.19.137 139776 Bytes 12/16/2011 22:32:05
VBASE022.VDF : 7.11.19.138 2048 Bytes 12/16/2011 22:32:06
VBASE023.VDF : 7.11.19.139 2048 Bytes 12/16/2011 22:32:06
VBASE024.VDF : 7.11.19.140 2048 Bytes 12/16/2011 22:32:06
VBASE025.VDF : 7.11.19.141 2048 Bytes 12/16/2011 22:32:07
VBASE026.VDF : 7.11.19.142 2048 Bytes 12/16/2011 22:32:07
VBASE027.VDF : 7.11.19.143 2048 Bytes 12/16/2011 22:32:07
VBASE028.VDF : 7.11.19.144 2048 Bytes 12/16/2011 22:32:08
VBASE029.VDF : 7.11.19.145 2048 Bytes 12/16/2011 22:32:08
VBASE030.VDF : 7.11.19.146 2048 Bytes 12/16/2011 22:32:08
VBASE031.VDF : 7.11.19.155 45568 Bytes 12/18/2011 23:10:12
Engineversion : 8.2.8.8
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/25/2011 21:01:15
AESCRIPT.DLL : 8.1.3.92 495996 Bytes 12/16/2011 22:32:41
AESCN.DLL : 8.1.7.2 127349 Bytes 9/2/2011 03:46:02
AESBX.DLL : 8.2.4.5 434549 Bytes 12/1/2011 22:33:22
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 03:16:06
AEPACK.DLL : 8.2.15.1 770423 Bytes 12/13/2011 22:32:04
AEOFFICE.DLL : 8.1.2.24 201084 Bytes 12/16/2011 22:32:38
AEHEUR.DLL : 8.1.3.8 4231543 Bytes 12/16/2011 22:32:36
AEHELP.DLL : 8.1.18.0 254327 Bytes 10/25/2011 21:00:41
AEGEN.DLL : 8.1.5.17 405877 Bytes 12/8/2011 22:31:41
AEEMU.DLL : 8.1.3.0 393589 Bytes 9/2/2011 03:46:01
AECORE.DLL : 8.1.24.2 201080 Bytes 12/16/2011 22:32:13
AEBB.DLL : 8.1.1.0 53618 Bytes 9/2/2011 03:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 10/11/2011 19:00:11
AVPREF.DLL : 12.1.0.17 51920 Bytes 10/11/2011 19:00:09
AVREP.DLL : 12.1.0.17 179408 Bytes 10/11/2011 19:00:09
AVARKT.DLL : 12.1.0.19 208848 Bytes 12/8/2011 22:32:21
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 10/11/2011 19:00:08
SQLITE3.DLL : 3.7.0.0 398288 Bytes 10/11/2011 19:00:22
AVSMTP.DLL : 12.1.0.17 62928 Bytes 10/11/2011 19:00:10
NETNT.DLL : 12.1.0.17 17104 Bytes 10/11/2011 19:00:18
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 10/11/2011 19:00:31
RCTEXT.DLL : 12.1.0.16 96208 Bytes 9/23/2011 17:37:24

Configuration settings for the scan:
Jobname.............................: AVGuardAsyncScan
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP\AVGUARD_4eef9f94\guard_slideup.avp
Logging.............................: default
Primary action......................: repair
Secondary action....................: quarantine
Scan master boot sector.............: on
Scan boot sector....................: off
Process scan........................: on
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: Complete

Start of the scan: Monday, December 19, 2011 15:36

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'BttnServ.exe' - '1' Module(s) have been scanned
Scan process 'ejg.exe' - '1' Module(s) have been scanned
Scan process 'EAUSBKBD.EXE' - '1' Module(s) have been scanned
Scan process 'CPQEADM.EXE' - '1' Module(s) have been scanned
Scan process 'Billmind.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'WMPNSCFG.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'DrgToDsc.exe' - '1' Module(s) have been scanned
Scan process 'LTMSG.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb10.exe' - '1' Module(s) have been scanned
Scan process 'StartEAK.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'WMPNetwk.exe' - '1' Module(s) have been scanned
Scan process 'uphclean.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'McciCMService.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\WINDOWS\system32\drivers\i8042prt.sys'
The registration entry <HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path\Debugger> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\PNP0F13> was removed successfully.
The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i8042prt> was removed successfully.
C:\WINDOWS\system32\drivers\i8042prt.sys
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d440193.qua'.
[WARNING] The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\ImagePath> could not be repaired.
[NOTE] For the final repair, a restart of the computer is instigated.
[WARNING] The registration entry <HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\i8042prt\ImagePath> could not be repaired.
[NOTE] For the final repair, a restart of the computer is instigated.

End of the scan: Monday, December 19, 2011 15:37
Used time: 00:47 Minute(s)

The scan has been done completely.

0 Scanned directories
41 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
40 Files not concerned
0 Archives were scanned
1 Warnings
1 Notes

==========================================================================

Upon restart I then ran a full scan using Avira. I did a restart on the system but then I had no keyboard or mouse function at the Windows Logon screen. Here is the Avira log:


==========================================================================

Avira Free Antivirus
Report file date: Monday, December 19, 2011 16:33

Scanning for 3586967 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : Ken
Computer name : OFFICE

Version information:
BUILD.DAT : 12.0.0.870 41827 Bytes 12/9/2011 15:01:00
AVSCAN.EXE : 12.1.0.18 490448 Bytes 10/25/2011 21:01:19
AVSCAN.DLL : 12.1.0.17 54224 Bytes 9/23/2011 17:34:56
LUKE.DLL : 12.1.0.17 68304 Bytes 10/11/2011 19:00:17
AVSCPLR.DLL : 12.1.0.21 99536 Bytes 12/8/2011 22:32:52
AVREG.DLL : 12.1.0.27 227536 Bytes 12/9/2011 22:31:44
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 00:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 15:07:39
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 21:08:51
VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 16:00:55
VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 16:18:22
VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 18:12:53
VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 13:26:09
VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 19:00:25
VBASE008.VDF : 7.11.18.32 2132992 Bytes 11/24/2011 22:34:36
VBASE009.VDF : 7.11.18.33 2048 Bytes 11/24/2011 22:34:36
VBASE010.VDF : 7.11.18.34 2048 Bytes 11/24/2011 22:34:36
VBASE011.VDF : 7.11.18.35 2048 Bytes 11/24/2011 22:34:36
VBASE012.VDF : 7.11.18.36 2048 Bytes 11/24/2011 22:34:37
VBASE013.VDF : 7.11.18.89 204800 Bytes 11/28/2011 22:31:02
VBASE014.VDF : 7.11.18.145 143872 Bytes 12/1/2011 22:31:17
VBASE015.VDF : 7.11.18.180 173056 Bytes 12/2/2011 22:31:14
VBASE016.VDF : 7.11.18.208 164864 Bytes 12/5/2011 22:31:26
VBASE017.VDF : 7.11.18.239 177152 Bytes 12/6/2011 22:31:29
VBASE018.VDF : 7.11.19.36 171520 Bytes 12/9/2011 22:31:38
VBASE019.VDF : 7.11.19.77 144896 Bytes 12/13/2011 22:31:51
VBASE020.VDF : 7.11.19.115 177664 Bytes 12/15/2011 22:31:58
VBASE021.VDF : 7.11.19.137 139776 Bytes 12/16/2011 22:32:05
VBASE022.VDF : 7.11.19.138 2048 Bytes 12/16/2011 22:32:06
VBASE023.VDF : 7.11.19.139 2048 Bytes 12/16/2011 22:32:06
VBASE024.VDF : 7.11.19.140 2048 Bytes 12/16/2011 22:32:06
VBASE025.VDF : 7.11.19.141 2048 Bytes 12/16/2011 22:32:07
VBASE026.VDF : 7.11.19.142 2048 Bytes 12/16/2011 22:32:07
VBASE027.VDF : 7.11.19.143 2048 Bytes 12/16/2011 22:32:07
VBASE028.VDF : 7.11.19.144 2048 Bytes 12/16/2011 22:32:08
VBASE029.VDF : 7.11.19.145 2048 Bytes 12/16/2011 22:32:08
VBASE030.VDF : 7.11.19.146 2048 Bytes 12/16/2011 22:32:08
VBASE031.VDF : 7.11.19.155 45568 Bytes 12/18/2011 23:10:12
Engineversion : 8.2.8.8
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/25/2011 21:01:15
AESCRIPT.DLL : 8.1.3.92 495996 Bytes 12/16/2011 22:32:41
AESCN.DLL : 8.1.7.2 127349 Bytes 9/2/2011 03:46:02
AESBX.DLL : 8.2.4.5 434549 Bytes 12/1/2011 22:33:22
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 03:16:06
AEPACK.DLL : 8.2.15.1 770423 Bytes 12/13/2011 22:32:04
AEOFFICE.DLL : 8.1.2.24 201084 Bytes 12/16/2011 22:32:38
AEHEUR.DLL : 8.1.3.8 4231543 Bytes 12/16/2011 22:32:36
AEHELP.DLL : 8.1.18.0 254327 Bytes 10/25/2011 21:00:41
AEGEN.DLL : 8.1.5.17 405877 Bytes 12/8/2011 22:31:41
AEEMU.DLL : 8.1.3.0 393589 Bytes 9/2/2011 03:46:01
AECORE.DLL : 8.1.24.2 201080 Bytes 12/16/2011 22:32:13
AEBB.DLL : 8.1.1.0 53618 Bytes 9/2/2011 03:46:01
AVWINLL.DLL : 12.1.0.17 27344 Bytes 10/11/2011 19:00:11
AVPREF.DLL : 12.1.0.17 51920 Bytes 10/11/2011 19:00:09
AVREP.DLL : 12.1.0.17 179408 Bytes 10/11/2011 19:00:09
AVARKT.DLL : 12.1.0.19 208848 Bytes 12/8/2011 22:32:21
AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 10/11/2011 19:00:08
SQLITE3.DLL : 3.7.0.0 398288 Bytes 10/11/2011 19:00:22
AVSMTP.DLL : 12.1.0.17 62928 Bytes 10/11/2011 19:00:10
NETNT.DLL : 12.1.0.17 17104 Bytes 10/11/2011 19:00:18
RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 10/11/2011 19:00:31
RCTEXT.DLL : 12.1.0.16 96208 Bytes 9/23/2011 17:37:24

Configuration settings for the scan:
Jobname.............................: Manual Selection
Configuration file..................: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\PROFILES\folder.avp
Logging.............................: default
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: Monday, December 19, 2011 16:33

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'ping.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'BttnServ.exe' - '1' Module(s) have been scanned
Scan process 'EAUSBKBD.EXE' - '1' Module(s) have been scanned
Scan process 'CPQEADM.EXE' - '1' Module(s) have been scanned
Scan process 'WMPNSCFG.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'DrgToDsc.exe' - '1' Module(s) have been scanned
Scan process 'LTMSG.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb10.exe' - '1' Module(s) have been scanned
Scan process 'StartEAK.exe' - '1' Module(s) have been scanned
Scan process 'hpsysdrv.exe' - '1' Module(s) have been scanned
Scan process 'WMPNetwk.exe' - '1' Module(s) have been scanned
Scan process 'uphclean.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'McciCMService.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting to scan executable files (registry).
The registry was scanned ( '2749' files ).


Starting the file scan:

Begin scan in 'C:\' <PRESARIO>
C:\Documents and Settings\Ken\Local Settings\Temporary Internet Files\Content.IE5\0U95MLUN\DtCol[1].htm
[DETECTION] Contains recognition pattern of the HTML/Rce.Gen HTML script virus
C:\WINDOWS\system32\drivers\i8042prt.sys
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan

Beginning disinfection:
C:\WINDOWS\system32\drivers\i8042prt.sys
[DETECTION] Is the TR/Crypt.ZPACK.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4cf06af5.qua'.
C:\Documents and Settings\Ken\Local Settings\Temporary Internet Files\Content.IE5\0U95MLUN\DtCol[1].htm
[DETECTION] Contains recognition pattern of the HTML/Rce.Gen HTML script virus
[NOTE] The file was moved to the quarantine directory under the name '544a4516.qua'.


End of the scan: Monday, December 19, 2011 18:53
Used time: 1:34:27 Hour(s)

The scan has been done completely.

18010 Scanned directories
377839 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
2 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
377837 Files not concerned
15969 Archives were scanned
0 Warnings
2 Notes

==========================================================================

AustrAlien helped me get logged back on by replacing the PS/2 keyboard and mouse with a USB keyboard and mouse. Link to the forum topic where AustrAlien helped:

http://www.bleepingcomputer.com/forums/topic433602.html


After logging back on, I used the info from this site to remove the "XP Security 2012" virus:

http://www.spywareremove.com/removexpantivirus2012.html

I installed and ran Malwarebytes' Anti-Malware. Log from Malwarebytes' Anti-Malware:


==========================================================================

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122204

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/22/2011 3:02:48 PM
mbam-log-2011-12-22 (15-02-48).txt

Scan type: Full scan (C:\|G:\|)
Objects scanned: 559707
Time elapsed: 1 hour(s), 49 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Ken\Local Settings\Application Data\ejg.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Ken\Local Settings\Application Data\ejg.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Ken\Local Settings\Application Data\ejg.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Ken\application data\Sun\Java\deployment\cache\6.0\50\55065cf2-7321afd7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Ken\local settings\application data\ejg.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
c:\program files\EGPFFT.DLL (Spyware.OnlineGames) -> Quarantined and deleted successfully.

==========================================================================

I replaced the corrupted i8042prt.sys file in the C:\Windows\system32\drivers directory with a known good file (scanned clean).

The current state of the machine is that I still do not have PS/2 keyboard or mouse function. I can't get System Restore to work on any checkpoints. After the restore and restart, I get the message that the restore was not completed and that no changes were made. AustrAlien suggested that I have you guys confirm that my system has indeed been cleaned of the viruses and has no other problems before I try to resolve the keyboard/mouse and System Restore problems.
Here is the DDS.txt log:

==========================================================================

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Run by Ken at 11:27:27 on 2011-12-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.448 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=2c02&lc=0409
mSearch Bar = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = <local>
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BellSouth Toolbar: {4e7bd74f-2b8d-469e-8cbd-fd60bb9aae2e} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: BellSouth Toolbar: {4e7bd74f-2b8d-469e-8cbd-fd60bb9aae2e} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickenBillminder] c:\program files\quickenw\Billmind.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [VTPreset] VTPreset.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [LTMSG] LTMSG.exe 7
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [SansaDispatch] c:\documents and settings\localservice\application data\sandisk\sansa updater\SansaDispatch.exe
StartupFolder: c:\docume~1\ken\startm~1\programs\startup\window~1.lnk - c:\windows\explorer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122935990687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 207.203.159.23 205.152.37.23
TCP: Interfaces\{5B8FF87A-B4A6-455B-AEF7-36F43CE9F429} : DhcpNameServer = 207.203.159.23 205.152.37.23
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ken\application data\mozilla\firefox\profiles\3z3sg93q.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-19 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-19 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-19 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-19 74640]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-8-6 24645]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-22 18:00:49 -------- d-----w- c:\documents and settings\ken\application data\Malwarebytes
2011-12-22 18:00:33 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-22 18:00:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-22 18:00:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-21 21:04:51 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-12-21 21:04:51 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-12-21 21:04:38 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-12-21 21:04:38 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-12-20 20:53:57 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-12-20 20:53:57 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-12-20 20:53:54 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-12-20 20:53:54 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-12-20 20:53:48 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-12-20 20:53:48 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
==================== Find3M ====================
.
2011-11-28 13:05:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ------w- c:\windows\system32\encdec.dll
2011-10-11 19:00:32 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-11 19:00:32 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
1998-07-31 19:01:56 19904 ----a-w- c:\program files\_ISREG16.DLL
1997-11-22 00:27:48 1065810 ----a-w- c:\program files\EGUITAR2.EXE
1993-11-19 04:00:00 54272 ----a-w- c:\program files\MCIWNDX.VBX
1993-11-01 07:11:00 97936 ----a-w- c:\program files\COMMDLG.DLL
1993-05-12 04:00:00 398416 ----a-w- c:\program files\VBRUN300.DLL
1993-04-28 04:00:00 30112 ----a-w- c:\program files\MCI.VBX
1993-04-28 04:00:00 22528 ----a-w- c:\program files\SPIN.VBX
1993-04-28 04:00:00 18688 ----a-w- c:\program files\CMDIALOG.VBX
.
============= FINISH: 11:28:37.67 ===============



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,732 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:23 PM

Posted 01 January 2012 - 11:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434521 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 krMitchell

krMitchell
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 01 January 2012 - 06:35 PM

I do not have the original Windows CD/DVD. I have an HP Presario PC which has an OEM Windows XP install. Here is the latest DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Run by Ken at 18:24:23 on 2012-01-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.735.304 [GMT -5:00]
.
AV: Avira Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=2c02&lc=0409
mSearch Bar = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = <local>
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BellSouth Toolbar: {4e7bd74f-2b8d-469e-8cbd-fd60bb9aae2e} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll
TB: BellSouth Toolbar: {4e7bd74f-2b8d-469e-8cbd-fd60bb9aae2e} - c:\progra~1\blstoo~1\BLSTOO~1.DLL
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Microsoft Works Update Detection] c:\program files\microsoft works\WkDetect.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [QuickenBillminder] c:\program files\quickenw\Billmind.exe -startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [CPQEASYACC] c:\program files\compaq\easy access button support\StartEAK.exe
mRun: [VTPreset] VTPreset.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [LTMSG] LTMSG.exe 7
mRun: [WCOLOREAL] "c:\program files\compaq\coloreal\coloreal.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [SansaDispatch] c:\documents and settings\localservice\application data\sandisk\sansa updater\SansaDispatch.exe
StartupFolder: c:\docume~1\ken\startm~1\programs\startup\window~1.lnk - c:\windows\explorer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122935990687
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.3.1/jinstall-1_3_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 207.203.159.23 205.152.37.23
TCP: Interfaces\{5B8FF87A-B4A6-455B-AEF7-36F43CE9F429} : DhcpNameServer = 207.203.159.23 205.152.37.23
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ken\application data\mozilla\firefox\profiles\3z3sg93q.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-19 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-19 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-19 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-19 74640]
S3 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2009-8-6 24645]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-22 18:00:49 -------- d-----w- c:\documents and settings\ken\application data\Malwarebytes
2011-12-22 18:00:33 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-12-22 18:00:30 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-22 18:00:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-21 21:04:51 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-12-21 21:04:51 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-12-21 21:04:38 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-12-21 21:04:38 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-12-20 20:53:57 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2011-12-20 20:53:57 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2011-12-20 20:53:54 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-12-20 20:53:54 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-12-20 20:53:48 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2011-12-20 20:53:48 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
.
==================== Find3M ====================
.
2011-11-28 13:05:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ------w- c:\windows\system32\encdec.dll
2011-10-11 19:00:32 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-11 19:00:32 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
1998-07-31 19:01:56 19904 ----a-w- c:\program files\_ISREG16.DLL
1997-11-22 00:27:48 1065810 ----a-w- c:\program files\EGUITAR2.EXE
1993-11-19 04:00:00 54272 ----a-w- c:\program files\MCIWNDX.VBX
1993-11-01 07:11:00 97936 ----a-w- c:\program files\COMMDLG.DLL
1993-05-12 04:00:00 398416 ----a-w- c:\program files\VBRUN300.DLL
1993-04-28 04:00:00 30112 ----a-w- c:\program files\MCI.VBX
1993-04-28 04:00:00 22528 ----a-w- c:\program files\SPIN.VBX
1993-04-28 04:00:00 18688 ----a-w- c:\program files\CMDIALOG.VBX
.
============= FINISH: 18:25:26.82 ===============


#4 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:23 PM

Posted 02 January 2012 - 06:52 PM

Hi krMitchell,

I will be handling your logs to help you get cleaned up. Please give me some time to look them over and I will get back to you as soon as possible. Thanks in advance for your patience.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#5 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:23 PM

Posted 03 January 2012 - 12:16 PM

Hi krMitchell,

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.


One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


:step1: Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


:step2: Please do the following. You will need a USB drive with no less than 64 MB of space.

  • Insert your USB drive.
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format (Note: this will erase any and all files on this USB drive.)
  • Download xPUD 0.9.2 iso, saving the file to your Desktop.
  • Download UNetbootin and save it to your Desktop as well.
  • Double click the unetbootin-windows-latest.exe that you just downloaded.
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will write files to your USB device and make it bootable
  • Once the files have been written to the device you will be prompted to reboot ~ do NOT reboot and instead just Exit the UNetbootin interface
  • Next, download dumpit and save it to the same flash drive where you installed xPUD.
  • Remove the USB and insert it in the ailing computer
  • Power on the computer and press F12 then choose to boot from the USB
  • After selecting a language and readying the system, a Welcome to xPUD screen will appear
  • Click the File tab
  • Expand mnt by clicking the plus sign to its left
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Double click dumpit.
  • It will create some MBR copies on the USB drive.
  • When it completes press Enter to exit the Terminal window.
  • Remove the USB drive, then locate on it an mbr.zip file, and upload that here as an attachment please.
mbr.zip should be created on your flash drive, please attach it to your next reply.


In your next reply, please include:
  • Combofix log
  • Attach the mbr.zip file

Regards,
Jason



#6 krMitchell

krMitchell
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 03 January 2012 - 12:40 PM

Sounds like the best thing to do at this point is reformat and re-install all the software. I should have done this over a week ago and I would be back up and running by now. Could you tell me specifically which viruses were found in the scans?

#7 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:23 PM

Posted 03 January 2012 - 12:46 PM

Yes, the most efficient (and safest) thing to do is to reformat.

Your logs show you are likely infected with the ZeroAccess rootkit, which can be difficult to remove.
Regards,
Jason



#8 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:23 PM

Posted 03 January 2012 - 01:30 PM

Hi krMitchell,

Please let me know if you have any further questions, otherwise we will close this topic.
Regards,
Jason



#9 krMitchell

krMitchell
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:06:23 PM

Posted 03 January 2012 - 01:36 PM

Jason, if I copy all my data files from the infected machine onto a jump drive and scan them on another PC with updated Avira Antivirus, can I be assured that none of the files are infected? Any other precautions I should take retrieving my data before performing the re-format?

#10 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:07:23 PM

Posted 03 January 2012 - 02:50 PM

Yes, if you copy all files except for executable files (any file ending in a .exe, .scr, .pif, .com, .cmd, or .bat file extension), and then scan them with Avira, you can be assured that they are not infected.

Before you copy files to a jump drive, please download and Run FlashDisinfector.

You may have a flash drive infection (though your logs do not show evidence of this). These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


Here are several preventative steps to ensure you don't get infected again.

:step1: Keep common programs like Java, Adobe Reader, and Adobe Flash up to date. Outdated versions have vulnerabilities in them that malware can use to infect your computer.

:step2: Install the Latest Version of Common Software:
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting http://secunia.com/vulnerability_scanning/online/ and http://www.calendarofupdates.com/updates/calendar.html.

I also recommend FileHippo's update checker that scans your computer for programs it recognizes and allows you to easily download new versions of common software: http://filehippo.com/updatechecker/UpdateChecker.exe

:step3: Make Internet Explorer more secure:
Hold down the Windows Key, and press the R key.
In the Run Dialog box, type: inetcpl.cpl & click OK
Click on the Security tab,
Click Reset all zones to default level
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

:step4: Finally, read this tutorial and follow each of the steps:
http://www.bleepingcomputer.com/tutorials/tutorial82.html

Please feel free to post any future computer problems in the appropriate forum. Have a great day! :)
Regards,
Jason


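One way to script the selective copy jntkwx describes (every user file except the listed executable extensions), as an added example that is not part of this thread: the blocked-extension list is taken from the post above, the source and destination paths and the sample file tree in demo() are constructed here, and the copied set is still the one to scan with Avira on the clean PC.

```python
"""Selective data backup: copy user files off a suspect disk while
leaving executable types behind, and report exactly what was skipped.
Added example for this thread; the extension list is the one jntkwx
gave, the directory layout and sample files are constructed."""
import os
import shutil
import tempfile

# The "executable files" to leave behind, per the post above.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cmd", ".bat"}


def is_blocked(filename: str) -> bool:
    """True when the final extension is on the blocked list.
    Comparison is case-insensitive so 'CLEANUP.BAT' is caught, and
    only the last extension counts so 'holiday.jpg.exe' is caught too."""
    _, ext = os.path.splitext(filename)
    return ext.lower() in BLOCKED_EXTENSIONS


def copy_user_data(src_root: str, dst_root: str) -> dict:
    """Walk src_root, copy every non-blocked file into dst_root keeping
    the directory layout, and return sorted lists of copied and skipped
    paths (relative to src_root) so the skipped set can be reviewed."""
    report = {"copied": [], "skipped": []}
    for dirpath, _dirnames, filenames in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        for name in filenames:
            rel_path = os.path.normpath(os.path.join(rel_dir, name))
            if is_blocked(name):
                report["skipped"].append(rel_path)
                continue
            target_dir = os.path.join(dst_root, rel_dir)
            os.makedirs(target_dir, exist_ok=True)
            # copy2 keeps timestamps, which helps when comparing later
            shutil.copy2(os.path.join(dirpath, name),
                         os.path.join(target_dir, name))
            report["copied"].append(rel_path)
    report["copied"].sort()
    report["skipped"].sort()
    return report


def demo() -> dict:
    """Build a constructed sample tree (hypothetical file names) in a
    temporary directory, run the copy, and return the report plus the
    files that actually landed on the 'jump drive'."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "infected_docs")   # constructed source
        dst = os.path.join(tmp, "jump_drive")      # constructed target
        sample_files = {
            "letter.doc": b"plain document",
            "budget.xls": b"spreadsheet",
            "photos/beach.jpg": b"jpeg bytes",
            "photos/holiday.jpg.exe": b"MZ double-extension executable",
            "tools/cleanup.BAT": b"@echo off",
            "tools/readme.txt": b"notes",
        }
        for rel, data in sample_files.items():
            full = os.path.join(src, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        report = copy_user_data(src, dst)
        report["dst_files"] = sorted(
            os.path.relpath(os.path.join(d, f), dst)
            for d, _, fs in os.walk(dst) for f in fs
        )
        return report


if __name__ == "__main__":
    result = demo()
    print("copied :", result["copied"])
    print("skipped:", result["skipped"])
```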

#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,774 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:01:23 AM

Posted 05 January 2012 - 03:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 


