Virus Removal


This topic is locked
1 reply to this topic

#1 Benny T

  • Members
  • 52 posts

Posted 10 June 2012 - 12:16 AM

I have decided to do a clean install since I have reinstallation disks so I don't need any help this time.

I have run the malicious software tool removal (nothing found), Malwarebytes (1 infection), Superantispyware (2 trojans & 80 adware), and Microsoft Security Essentials (a few items). The computer can now access the internet and run programs. There are still a few issues.
1. Cannot run Windows Update.
2. Cannot run Microsoft Security Essentials, either to update or scan.
3. In "All programs", a few applications are not listed or the file is empty. The programs are still listed in "Uninstall a Program" so I know they are still there but hidden.
4. Hard drive is nearly full; 38GB out of 40GB used.

My main concern is to completely remove any infection(s) that still might be hiding in the computer first. Then work out the concerns listed above.

Another source had me run ComboFix and said it should fix everything. Wrong. It brought back some desktop icons and some hidden files on "All Programs" but still can't install Windows updates or run MSE. Here's the ComboFix log-

ComboFix 12-06-09.02 - Dell 8300 06/09/2012 20:20:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.332 [GMT -7:00]
Running from: c:\documents and settings\Dell 8300\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\16703268
c:\documents and settings\Dell 8300\Application Data\Adobe\plugs
c:\documents and settings\Dell 8300\Application Data\Adobe\shed
c:\documents and settings\Dell 8300\Application Data\PriceGong
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Dell 8300\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Dell 8300\Local Settings\Application Data\{3D6B2D47-F544-40BC-8890-DE6FF1FD0938}
c:\documents and settings\Dell 8300\Local Settings\Application Data\{3D6B2D47-F544-40BC-8890-DE6FF1FD0938}\chrome\content\overlay.xul
c:\documents and settings\Dell 8300\Local Settings\Application Data\{3D6B2D47-F544-40BC-8890-DE6FF1FD0938}\install.rdf
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\windows\system32\OLD2.tmp
c:\windows\system32\OLD5.tmp
c:\windows\system32\OLD9.tmp
c:\windows\system32\SETF1.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-10 to 2012-06-10 )))))))))))))))))))))))))))))))
.
.
2012-06-10 02:57 . 2009-08-07 02:23 274288 -c--a-w- c:\windows\system32\mucltui.dll
2012-06-10 02:57 . 2009-08-07 02:23 215920 -c--a-w- c:\windows\system32\muweb.dll
2012-06-10 00:13 . 2012-06-10 00:13 -------- dc----w- c:\documents and settings\Dell 8300\Application Data\Auslogics
2012-06-10 00:13 . 2012-06-10 00:13 -------- dc----w- c:\program files\Auslogics
2012-06-10 00:11 . 2012-06-10 00:11 -------- dc----w- c:\program files\CCleaner
2012-06-09 23:54 . 2012-06-09 23:54 -------- dc----w- c:\program files\iPod
2012-06-09 23:50 . 2012-06-09 23:50 -------- dc----w- c:\program files\Bonjour
2012-06-09 23:48 . 2012-06-09 23:48 159744 -c--a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2012-06-09 23:48 . 2012-06-09 23:48 159744 -c--a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2012-06-09 23:48 . 2012-06-09 23:48 159744 -c--a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2012-06-09 23:48 . 2012-06-09 23:48 159744 -c--a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2012-06-09 23:48 . 2012-06-09 23:48 159744 -c--a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2012-06-09 23:48 . 2012-06-09 23:48 159744 -c--a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2012-06-09 23:48 . 2012-06-09 23:48 159744 -c--a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2012-06-09 23:48 . 2012-06-09 23:48 -------- dc----w- c:\program files\Java
2012-06-09 23:37 . 2012-06-09 23:37 -------- dc----w- c:\documents and settings\Dell 8300\Local Settings\Application Data\Secunia PSI
2012-06-09 23:37 . 2012-06-09 23:37 -------- dc----w- c:\program files\Secunia
2012-06-09 22:55 . 2012-06-09 23:17 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-09 22:55 . 2012-06-09 23:17 419488 -c--a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-09 21:56 . 2012-06-09 21:56 -------- dc----w- c:\program files\VS Revo Group
2012-06-09 19:24 . 2012-06-09 22:19 -------- dc----w- c:\documents and settings\Administrator
2012-06-09 19:13 . 2012-05-15 08:43 6737808 -c--a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C482BA90-0D4C-4C0A-97D3-ACA4D6EAFC39}\mpengine.dll
2012-06-09 19:13 . 2012-02-23 17:18 237072 -c----w- c:\windows\system32\MpSigStub.exe
2012-06-09 19:10 . 2012-06-09 19:10 -------- dc----w- c:\program files\Microsoft Security Client
2012-06-09 18:44 . 2012-06-09 18:44 -------- dc----w- c:\documents and settings\Dell 8300\Application Data\SUPERAntiSpyware.com
2012-06-09 18:44 . 2012-06-09 18:44 -------- dc----w- c:\program files\SUPERAntiSpyware
2012-06-09 18:44 . 2012-06-09 18:44 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-06-09 17:09 . 2012-06-09 17:09 -------- dc----w- c:\program files\ABC
2012-06-09 16:59 . 2012-06-09 19:30 -------- dc----w- c:\windows\system32\MpEngineStore
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-09 15:08 . 2011-11-28 17:55 356556 -c--a-w- c:\windows\system32\PerfStringBackup.TMP
2012-04-19 03:56 . 2012-04-19 03:56 94208 -c--a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 03:56 . 2012-04-19 03:56 69632 -c--a-w- c:\windows\system32\QuickTime.qts
2012-04-04 22:56 . 2011-06-30 16:24 22344 -c--a-w- c:\windows\system32\drivers\mbam.sys
2012-03-21 03:44 . 2012-03-21 03:44 171064 -c--a-w- c:\windows\system32\drivers\MpFilter.sys
.
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\HP\HP Software Update\HPWuSchd2 .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart .exe
c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor  .exe
c:\program files\QuickTime\qttask  .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-21 3905920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpqSRMon"="" [N/A]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-13 291896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 -c--a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [10/13/2011 11:01 PM 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [10/13/2011 11:01 PM 399416]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 1:30 AM 15544]
S1 ilbzuztc;ilbzuztc;\??\c:\windows\system32\drivers\ilbzuztc.sys --> c:\windows\system32\drivers\ilbzuztc.sys [?]
S1 nabastng;nabastng;\??\c:\windows\system32\drivers\nabastng.sys --> c:\windows\system32\drivers\nabastng.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/2/2010 11:21 AM 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/9/2012 3:55 PM 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/2/2010 11:21 AM 135664]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [6/15/2009 3:21 PM 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [6/3/2009 10:01 AM 174720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-09 23:17]
.
2011-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:57]
.
2012-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-02 18:21]
.
2012-06-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-02 18:21]
.
2012-06-09 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-27 00:03]
.
2012-06-10 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-27 00:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
TCP: DhcpNameServer = 172.27.35.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{CF45C54F-801C-41B5-AC77-57F2BF418EDC} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-09 20:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75FRA0 rev.77.07W77 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x83B0053B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(740)
c:\windows\system32\WININET.dll
.
Completion time: 2012-06-09 20:42:28
ComboFix-quarantined-files.txt 2012-06-10 03:42
.
Pre-Run: 1,101,852,672 bytes free
Post-Run: 2,206,924,800 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D4160C8706496396767453891CAB0150



Edited by Benny T, 10 June 2012 - 07:33 PM.
Moved from Am I Infected to Malware Removal Logs - Hamluis.
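Added example, not part of the thread and not code from ComboFix: a small Python pass over log lines shaped like the one posted above that pulls out the entries a malware-response helper reads first, the two S1 drivers whose .sys files no longer exist, the Run values marked [N/A], and the orphaned browser hook. The sample lines are constructed from the posted log, and the "opaque name" heuristic is an assumption of this example, not a ComboFix rule.

```python
import re

# Constructed sample in the shape of the ComboFix log posted above (service,
# Run-value and orphan entries); not output captured from the tool.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-05-21 3905920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"hpqSRMon"="" [N/A]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
S1 ilbzuztc;ilbzuztc;\??\c:\windows\system32\drivers\ilbzuztc.sys --> c:\windows\system32\drivers\ilbzuztc.sys [?]
S1 nabastng;nabastng;\??\c:\windows\system32\drivers\nabastng.sys --> c:\windows\system32\drivers\nabastng.sys [?]
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
'''

# ComboFix line shapes: "<R|S><start type> name;display;path [date size | ?]",
# '"value"="path" [date size | N/A]' under a Run key, and "<entry> - (no file)".
SERVICE_RE = re.compile(r'^([RS])(\d) ([^;]+);([^;]*);(.*?) \[([^\]]*)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[([^\]]*)\]$')
ORPHAN_RE = re.compile(r'^(\S+) - \(no file\)$')
OPAQUE_NAME_RE = re.compile(r'^[a-z]{6,10}$')  # assumed heuristic: random-looking driver name


def find_dangling_entries(log_text):
    """One finding per autostart entry whose target is absent.
    [?] on a service line, [N/A] on a Run value and '(no file)' on an orphan all
    mean the referenced binary is gone: the residue of a removed or half-removed
    infection, and the entries to clear before trusting the machine again.
    """
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = SERVICE_RE.match(line)
        if m:
            _, start, name, display, path, status = m.groups()
            if status == '?':
                notes = ['binary missing']
                if start == '1':
                    notes.append('boot-start driver')  # loads before user-mode AV
                if name == display and OPAQUE_NAME_RE.match(name):
                    notes.append('opaque name')
                findings.append({'kind': 'service', 'name': name,
                                 'path': path.split(' --> ')[-1], 'notes': notes})
            continue
        m = RUN_RE.match(line)
        if m:
            name, path, status = m.groups()
            if status == 'N/A':
                findings.append({'kind': 'run', 'name': name, 'path': path or None,
                                 'notes': ['binary missing' if path else 'empty value']})
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append({'kind': 'orphan', 'name': m.group(1), 'path': None,
                             'notes': ['no file']})
    return findings
```

Entries with a present, dated binary (SASDIFSV above) are deliberately not reported; the point is to surface only what points at nothing.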



#2 jntkwx

  • Malware Response Team
  • 4,339 posts

Posted 11 June 2012 - 09:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Regards,
Jason
