Had Alureon.E and FakeSysdef trojans, now can't open Dreamweaver


12 replies to this topic

#1 TSMVH (Members, 6 posts)

Posted 22 July 2012 - 08:31 AM

Dell Latitude laptop running:
Windows XP Service Pack 3
Internet Explorer V8.0.6001.18702

Some of the file addresses may not be 100% correct here as it was hard to remain sane and take accurate notes with the PC falling apart around you.

It had the following:
Trojan:DOS/Alureon.E
Trojan:Win32/FakeSysdef


Used Kaspersky TDSS Killer. It found:
Rootkit.Boot.SSTb
Physical drive\Device\Harddisk0\DBO Malware object



Followed instructions from Sistagg on this discussion: http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/how-to-remove-trojandosalureone/1791a068-a6ec-43be-aa66-9968f01cfa16?page=1&tm=1342946280750

and found the partition on the hard drive; it was 4 MB. Deleted it OK. I think I did this in Safe Mode. However, it has not returned.

Downloaded Malwarebytes and Superantispyware from a clean PC and ran them from a memory stick.

I added Malwarebytes Antimalware (had to rename the .exe file of either Malwarebytes or Superantispyware to get it to run, sorry, can't remember which one).
Ran PC in Safe Mode.

Malwarebytes found:
2 x Rootkit.TDSS.64
Rootkit FAKE HDD
6 x PUM.Hijack.Start Menu
PUM.Hidden Desktop
It cleaned them all & I restarted the laptop in

On restart Microsoft Security Essentials warned me it found:
C:\documents and settings\All Users\Application Data\CSQeOBFEShet.exe

I deleted this.

Then ran Malwarebytes again
It found:
7 x PUM.Hijack.Start Menu\Registry Data\HKCU\Software\Microsoft Windows\Current Version\Explorer\Advanced I Start_Show Run .......



Superantispyware found:
6 x Hijacker Internet Explorer Settings Hijack
C:\Windows\System32\spywarewarning.mht

Plus

6 x Trojan Agent\Gen-Rogue Antispy
C:\Documents & Settings\Al users\Application data\VHXRNWCPHOXUIU.exe
...............my user folder\Local Settings\Temp\SMTMP\ DATA RECOVERY.LNK
...............my user folder\Start Menu\Programs\Data Recovery\DATA RECOVERY.LNK
...............my user folder\DATA RECOVERY\UINSTALL DATA RECOVERY.LNK

MS Security Essentials did not find anything apart from that mentioned above.


The scanners quarantined the files but I deleted them each time.


All my folders were missing, but I managed to get them back using advice from the link above or a similar location. However, the C:\ drive folders are still ghosted. I can see them (view hidden files is ticked) and navigate them OK.

Laptop ran OK for approx 2 weeks. I was alternating between running Malwarebytes and Superantispyware which did not find any more malware. Did not go anywhere near any websites that need passwords entering.

After 2 weeks I decided to run Ccleaner having read on a forum to do so in order to completely remove any traces of the problem.

Laptop still running OK

After the above I looked in the Start Up option in Ccleaner. Noticed the following:
Svhoster.exe
Alrsvce.exe
C:windows\wdom.exe

Ran Malwarebytes which found:
Trojan.Dropper Registry HKLM\Software\Microsoft\Windows\Current\Version
Backdoor boot Registry \Run\wdon +\Run\updatewin

I deleted these from quarantine.

I have a number of unnecessary files turned off in Start Up (using Ccleaner to do so). Something turned them all on.

Next day checking Ccleaner Start Up again I noticed:
User Fault Check %systemroot%\system32\dumprep 0 -u

Removed it with Malwarebytes or Superantispyware (can't remember which).

Restarted the laptop with wireless turned off thinking it would then be unable to go and get more of these and checked it with Kaspersky TDSS Killer, Malwarebytes, Superantispyware and the Microsoft programs you can download from the Security part of the website. Nothing found.

Wireless back on.

I've been running Malwarebytes and Superantispyware almost daily now; nothing else has been picked up. Both these programmes have been updated to the latest definitions a number of times since I've had this problem.

I have the log files from the Malwarebytes and Kaspersky searches where they found problems but have not posted them as they take up lots of space. Can do so if needed.


Right, that's the history, now the questions.

First, a word of warning to others reading this who have this problem. Run all the antimalware programmes you are advised to. Just because one finds something does not mean your PC is clear. See my experiences above.

I cannot open Adobe Dreamweaver MX 2004, either using the shortcuts or through the .exe file in the Programs folder. The program starts to open, then I get a Windows-style pop-up with an "OK" button in it and a red close cross in the top right. That's all, no text.


1. How can I be sure my PC is clear of all this junk? I don't want to update my websites and risk passing it on to someone else.

2. How do I fix the problem with Dreamweaver not opening?

3. How do I get the C:\ drive folders to display properly? I can work with the ghost view; the fix to this is a 'nice to have'.

4. If Malwarebytes and Superantispyware said the PC was clean why did they not pick up the files in the Start Up which I found using Ccleaner (it was luck that I looked at that option)?

5. Can I run Ccleaner again to clean the PC?

Thanks.

Note - I originally posted this on Microsoft Answers (Virus & Malware) today and they recommended posting it here. I have not taken any action re the other advice received on Microsoft Answers.

Defogger ran OK, I generated the logs with dds.scr OK, however I had a problem running gmer.exe. It ran and produced 13 lines of text then issued a pop up "gmer.exe has encountered a problem and needs to close. We are sorry for the inconvenience." I took a screenshot of the pop up and the log showing in the background and have this saved. I'll try and upload this as a jpeg.

One more thing - if I copy the My Documents folder to an external hard drive, does it copy any trojan/virus I may still have on this PC?

I'd appreciate your help to sort this out.


DDS.txt here:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by 8602069 at 13:54:56 on 2012-07-22
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1374 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\FLSDEVCP.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\Twain_32\Samsung\CLX3170\Scan2pc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.de/hws/sb/dell-row-rel/en/side.html?channel=de
uSearch Bar = hxxp://www.google.de/hws/sb/dell-row-rel/en/side.html?channel=de
uDefault_Page_URL = www.google.de/ig/dell?hl=en&client=dell-row-rel&channel=de&ibd=4070326
uInternet Connection Wizard,ShellNext = hxxp://www.google.de/ig/dell?hl=en&client=dell-row-rel&channel=de&ibd=4070326
uInternet Settings,ProxyOverride = *.local
BHO: CGMFragment Class: {0695f52a-89a2-4246-81b5-afad2d3b865f} - c:\progra~1\ematek\metaweb\MetaBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [FLSDeviceControlPanel] c:\windows\system32\FLSDEVCP.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [3170 Scan2PC] "c:\windows\twain_32\samsung\clx3170\Scan2pc.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\smarthru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\smarthru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\smarthru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\smarthru 4\WebCapture.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: dfsv45.com\mail
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {261CAFEB-87CB-484B-8176-30C9993E1A50} - hxxps://www.ll2go.com/html/x-file/000/www.ll2go.com/x-res/llx.ocx
DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} - hxxps://qa.nokiacafe.online.nokia.com/prmportal_enu/19224/applets/SiebelAx_HI_Client.cab
DPF: {5E29B1FD-49C3-4B4B-8354-FECCA133B7E6} - hxxps://qa-nokiacafe.online.nokia.com/prmportal_enu/19224/applets/SiebelAx_iHelp.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267433851937
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://team05.raytheon.com/eRoomSetup/client.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1342546676843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8CFF92BA-2C04-44D5-8A49-68D4A6641427} - hxxps://www.anywhereconference.com/plugins/IE/ANWShare.cab?2,2,0,2
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AFFBDA02-5D3A-11D9-AAC8-91EC5E497716} - hxxps://www.ll2go.com/html/x-file/000/www.ll2go.com/x-res/ActiveXShadow.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18}
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A72575BC-89BB-460A-8449-04111177BE8F} : DhcpNameServer = 192.168.1.1
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 159.60.86.70 UKLU0001
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 MpKsl90582a06;MpKsl90582a06;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6737498f-1b12-4d0b-830c-15d7a87a9e1a}\MpKsl90582a06.sys [2012-7-22 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 FLE5WNNT;FLE-5 WindowsNT Driver;c:\windows\system32\drivers\fle5wnnt.sys [2008-4-17 33404]
R2 FLSIFACE;FLSIface;c:\windows\system32\drivers\flsiface.sys [2008-4-17 13440]
R2 FLSPAR;FLSPar;c:\windows\system32\drivers\flspar.sys [2008-4-17 16314]
R2 FLSSER;FLSSer;c:\windows\system32\drivers\flsser.sys [2008-4-17 8344]
R2 FLSVCOM;FLSVCom;c:\windows\system32\drivers\flsvcom.sys [2008-4-17 34080]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-7-2 136176]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-7-2 136176]
S3 iatmunin;iatmunin;\??\c:\docume~1\rps\locals~1\temp\iatmunin.sys --> c:\docume~1\rps\locals~1\temp\iatmunin.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-8-29 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2011-8-29 8576]
S3 Pesdavpnaps.4;Pesdavpnaps.4; [x]
S3 USBDFU;USBDFU;c:\windows\system32\drivers\usbdfu.sys --> c:\windows\system32\drivers\usbdfu.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
.
=============== Created Last 30 ================
.
2012-07-22 12:49:14 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6737498f-1b12-4d0b-830c-15d7a87a9e1a}\offreg.dll
2012-07-22 11:38:33 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6737498f-1b12-4d0b-830c-15d7a87a9e1a}\MpKsl90582a06.sys
2012-07-17 17:39:16 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6737498f-1b12-4d0b-830c-15d7a87a9e1a}\mpengine.dll
2012-07-15 07:19:50 6762896 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-03 18:28:00 -------- d-----w- c:\documents and settings\8602069\local settings\application data\Temp
2012-07-02 21:22:40 -------- d-----w- c:\documents and settings\8602069\application data\SUPERAntiSpyware.com
2012-07-02 21:22:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-07-02 21:22:23 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-07-01 21:00:23 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-01 21:00:22 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2012-07-01 20:46:27 -------- d--h--w- C:\TDSSKiller_Quarantine
2012-07-01 15:17:15 530088 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
==================== Find3M ====================
.
2012-06-04 16:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22:09 599040 ---ha-w- c:\windows\system32\crypt32.dll
2008-04-03 17:16:42 59782440 ---ha-w- c:\program files\iTunesSetup.exe
2002-08-14 11:48:16 399872 ---ha-w- c:\program files\SnapIt.exe
.
============= FINISH: 13:56:13.23 ===============
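The "Pseudo HJT Report" and "SERVICES / DRIVERS" sections of the DDS log above are the autostart inventory the helpers read when answering a question like number 4 in this post: a signature scanner flags files it recognises, so a Run key, toolbar, driver or service entry that points at an unknown, missing or oddly placed file is not by itself a detection and can survive a "clean" result. As an added example that is not part of the original post and is not DDS itself, the Python script below parses lines in that format and lists the entries a reviewer would check by hand: paths under a temp directory, executables dropped straight into Application Data, entries whose file is missing or could not be verified (`No File`, `[?]`, `[x]`), Trusted Zone additions and hosts overrides. The sample log is constructed, with several lines copied from the report above plus one `mRun` line modelled on the file the poster says Security Essentials flagged; `SAMPLE_LOG`, `RULES`, `triage` and `report` are names chosen here. The output is a list of things to look at, not a verdict: stale `No File` toolbars and installer leftovers in `%TEMP%` are common and harmless, and a hosts entry like the one above may well be a corporate or VPN setting.

```python
import re

# Constructed sample in DDS's line format. Several entries are copied from the
# report posted in this thread, plus one mRun line modelled on the file the
# poster says Security Essentials flagged; the flags are review prompts only.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [example] c:\documents and settings\all users\application data\CSQeOBFEShet.exe
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Trusted Zone: dfsv45.com\mail
Hosts: 159.60.86.70 UKLU0001
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S3 iatmunin;iatmunin;\??\c:\docume~1\rps\locals~1\temp\iatmunin.sys --> c:\docume~1\rps\locals~1\temp\iatmunin.sys [?]
S3 Pesdavpnaps.4;Pesdavpnaps.4; [x]
"""

# DDS section banners look like "========== Name ==========".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")

# Each rule is (pattern, reason). A match means "look at this by hand" and
# nothing more: these are the locations and states a file-signature scan does
# not reason about, which is why a scanner can say "clean" while they remain.
RULES = [
    (re.compile(r"\\temp\\", re.I),
     "loads from a temp directory"),
    (re.compile(r"\\application data\\[^\\]+\.exe\b", re.I),
     "executable sitting directly under Application Data"),
    (re.compile(r"- No File$|\[\?\]$|\[x\]$", re.I),
     "referenced file missing or could not be verified"),
    (re.compile(r"^Trusted Zone:", re.I),
     "site added to the IE Trusted zone"),
    (re.compile(r"^Hosts:", re.I),
     "hosts file override"),
]


def triage(log_text):
    """Return [{'section', 'entry', 'reasons'}] for every line matching a rule."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS uses a lone '.' as a spacer
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        reasons = [why for rx, why in RULES if rx.search(line)]
        if reasons:
            findings.append({"section": section, "entry": line, "reasons": reasons})
    return findings


def report(log_text):
    """Plain-text summary, one entry per finding, grouped by DDS section."""
    lines = []
    current = None
    for f in triage(log_text):
        if f["section"] != current:
            current = f["section"]
            lines.append(f"[{current}]")
        lines.append(f"  {f['entry']}")
        for why in f["reasons"]:
            lines.append(f"      -> {why}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved DDS.txt by passing the file contents to `report`. Each flagged entry still needs the usual follow-up (who signed the file, when it appeared, whether it is in the "Created Last 30" list, what the vendor says about it) before anything is removed.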


#2 HelpBot (Bleepin' Binary Bot, 12,633 posts)

Posted 27 July 2012 - 08:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/461877 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 TSMVH (Topic Starter, 6 posts)

Posted 27 July 2012 - 09:12 AM

1. Yes, I still need help to fix this problem. No further action has been taken to fix it since my original post, I'm waiting for your guidance. Essentially I want to be sure my PC is clean and to be able to open Dreamweaver & update websites safely. Oh, and can I use Ccleaner?

2. DDS log below:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by 8602069 at 14:59:12 on 2012-07-27
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1168 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\FLSDEVCP.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\Twain_32\Samsung\CLX3170\Scan2pc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclToBTSrv.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.de/hws/sb/dell-row-rel/en/side.html?channel=de
uSearch Bar = hxxp://www.google.de/hws/sb/dell-row-rel/en/side.html?channel=de
uDefault_Page_URL = www.google.de/ig/dell?hl=en&client=dell-row-rel&channel=de&ibd=4070326
uInternet Connection Wizard,ShellNext = hxxp://www.google.de/ig/dell?hl=en&client=dell-row-rel&channel=de&ibd=4070326
uInternet Settings,ProxyOverride = *.local
BHO: CGMFragment Class: {0695f52a-89a2-4246-81b5-afad2d3b865f} - c:\progra~1\ematek\metaweb\MetaBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [FLSDeviceControlPanel] c:\windows\system32\FLSDEVCP.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Document Manager] c:\program files\wave systems corp\services manager\docmgr\bin\docmgr.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [3170 Scan2PC] "c:\windows\twain_32\samsung\clx3170\Scan2pc.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\smarthru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\smarthru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\smarthru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\smarthru 4\WebCapture.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: dfsv45.com\mail
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {261CAFEB-87CB-484B-8176-30C9993E1A50} - hxxps://www.ll2go.com/html/x-file/000/www.ll2go.com/x-res/llx.ocx
DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} - hxxps://qa.nokiacafe.online.nokia.com/prmportal_enu/19224/applets/SiebelAx_HI_Client.cab
DPF: {5E29B1FD-49C3-4B4B-8354-FECCA133B7E6} - hxxps://qa-nokiacafe.online.nokia.com/prmportal_enu/19224/applets/SiebelAx_iHelp.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267433851937
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://team05.raytheon.com/eRoomSetup/client.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1342546676843
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8CFF92BA-2C04-44D5-8A49-68D4A6641427} - hxxps://www.anywhereconference.com/plugins/IE/ANWShare.cab?2,2,0,2
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AFFBDA02-5D3A-11D9-AAC8-91EC5E497716} - hxxps://www.ll2go.com/html/x-file/000/www.ll2go.com/x-res/ActiveXShadow.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {ed54a7b0-6c1c-11d5-b63d-00c04faedb18}
DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{A72575BC-89BB-460A-8449-04111177BE8F} : DhcpNameServer = 192.168.1.1
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 159.60.86.70 UKLU0001
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 MpKslc295fe67;MpKslc295fe67;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd510c42-44be-4a9d-810e-a3b508dd7ce9}\MpKslc295fe67.sys [2012-7-27 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 FLE5WNNT;FLE-5 WindowsNT Driver;c:\windows\system32\drivers\fle5wnnt.sys [2008-4-17 33404]
R2 FLSIFACE;FLSIface;c:\windows\system32\drivers\flsiface.sys [2008-4-17 13440]
R2 FLSPAR;FLSPar;c:\windows\system32\drivers\flspar.sys [2008-4-17 16314]
R2 FLSSER;FLSSer;c:\windows\system32\drivers\flsser.sys [2008-4-17 8344]
R2 FLSVCOM;FLSVCom;c:\windows\system32\drivers\flsvcom.sys [2008-4-17 34080]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-7-2 136176]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-7-2 136176]
S3 iatmunin;iatmunin;\??\c:\docume~1\rps\locals~1\temp\iatmunin.sys --> c:\docume~1\rps\locals~1\temp\iatmunin.sys [?]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-8-29 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2011-8-29 8576]
S3 Pesdavpnaps.4;Pesdavpnaps.4; [x]
S3 USBDFU;USBDFU;c:\windows\system32\drivers\usbdfu.sys --> c:\windows\system32\drivers\usbdfu.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
.
=============== Created Last 30 ================
.
2012-07-27 09:41:23 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd510c42-44be-4a9d-810e-a3b508dd7ce9}\MpKslc295fe67.sys
2012-07-23 18:31:55 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dd510c42-44be-4a9d-810e-a3b508dd7ce9}\mpengine.dll
2012-07-17 17:39:16 6891424 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-03 18:28:00 -------- d-----w- c:\documents and settings\8602069\local settings\application data\Temp
2012-07-02 21:22:40 -------- d-----w- c:\documents and settings\8602069\application data\SUPERAntiSpyware.com
2012-07-02 21:22:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-07-02 21:22:23 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-07-01 21:00:23 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-01 21:00:22 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware
2012-07-01 20:46:27 -------- d--h--w- C:\TDSSKiller_Quarantine
2012-07-01 15:17:15 530088 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
==================== Find3M ====================
.
2012-06-04 16:35:26 222448 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22:09 599040 ---ha-w- c:\windows\system32\crypt32.dll
2008-04-03 17:16:42 59782440 ---ha-w- c:\program files\iTunesSetup.exe
2002-08-14 11:48:16 399872 ---ha-w- c:\program files\SnapIt.exe
.
============= FINISH: 14:59:50.20 ===============



3. The gmer.exe would not run its full course again, another screenshot is attached. I disabled the CD Emulation software using your tool last time.

4. I probably have the Windows CD somewhere, but my CD drive is temperamental: it works for a while, then just keeps spinning the CD without loading the software. Hence I was trying to avoid having to reinstall everything.

Thanks.

Attached Files



#4 nasdaq

  • Malware Response Team
  • 38,978 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 July 2012 - 10:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please post the logs for my review and let me know what problem persists.

#5 TSMVH
  • Topic Starter
  • Members
  • 6 posts

Posted 28 July 2012 - 12:21 PM

Nasdaq,

Both programs have been installed and run. Logs attached. It also downloaded Microsoft Recovery Console though I don't see it in the Start menu.

Regards.

TSMVH.

Attached Files



#6 nasdaq

  • Malware Response Team
  • 38,978 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 July 2012 - 07:46 AM

It also downloaded Microsoft Recovery Console though I don't see it in the Start menu.

This is part of your BIOS. At boot time you should see for a few seconds an option to start the Recovery Console or Windows.
It will default to Windows. If ever you have a need to Open the Recovery Console to fix your computer that option is now available.

Read about it.
http://support.microsoft.com/kb/307654
===

Open notepad and copy/paste the text in the quote box below into it:

Driver::
iatmunin
Pesdavpnaps.4
USBDFU
vsdatant


Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

===

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know if the problem persists.

#7 TSMVH
  • Topic Starter
  • Members
  • 6 posts

Posted 29 July 2012 - 09:25 AM

nasdaq,

Files attached. When running ComboFix it decided there was a new version available, which I downloaded. In addition, a Windows pop-up appeared with an error message and the option to click OK to terminate the program or Cancel to debug. I went with debug and took a screenshot of the message. However, when it rebooted I lost the screenshot; apologies, I will write it down next time. I can repeat the scan if necessary.

It will still not open Dreamweaver, same OK pop up box appears, but now it appears almost immediately, before the program was almost 75% open, i.e. I could see the normal working page of the software.

Regards.

TSMVH

Attached Files



#8 nasdaq

  • Malware Response Team
  • 38,978 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 July 2012 - 09:36 AM

After you have updated your Java, and if Dreamweaver is still not working, can you reinstall it?


Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 20
Java™ SE Runtime Environment 6 Update 1


===
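As an added worked example (not code from the thread, nor from DDS, ComboFix or Oracle): the judgement nasdaq applied by eye to the SERVICES / DRIVERS section of the DDS log in post #3 and wrote out as the CFScript in post #6, together with the Java-version check from this post, as a small Python script. It parses the service lines, flags entries for which DDS printed `[?]` instead of a date and size (typically because the file is not where the registry points), entries with no image path at all (`[x]`), and drivers loading from a user profile or temp directory; it then emits the `Driver::` block and decodes the JRE versions that the Java `DPF:` entries point at (Java's family CLSID `CAFEEFAC-00MM-00mm-00uu-ABCDEFFEDCBA` encodes JRE 1.M.m_uu, and all-FFFF means "newest installed"). The sample lines are constructed to mirror the log above; the `keep` set reflects the analyst's decision to leave SSPORT out of the script, as happened in the thread, and is not something the code decides on its own.

```python
"""Triage helpers for DDS-style log lines (added example; not code from the thread)."""
import re

# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" and "DPF:"
# lines shown in the thread. Raw string, so the backslashes are literal.
SAMPLE_LOG = r"""
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 iatmunin;iatmunin;\??\c:\docume~1\rps\locals~1\temp\iatmunin.sys --> c:\docume~1\rps\locals~1\temp\iatmunin.sys [?]
S3 Pesdavpnaps.4;Pesdavpnaps.4; [x]
S3 USBDFU;USBDFU;c:\windows\system32\drivers\usbdfu.sys --> c:\windows\system32\drivers\usbdfu.sys [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
"""

# "<state> <name>;<display name>;<image path> [<date size> | ? | x]"
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
# Java family CLSID: CAFEEFAC-00MM-00mm-00uu-ABCDEFFEDCBA is JRE 1.M.m_uu;
# FFFF in every field means "whichever installed JRE is newest".
JAVA_DPF_RE = re.compile(
    r"^DPF:\s+\{CAFEEFAC-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-ABCDEFFEDCBA\}", re.I)


def parse_services(text):
    """Return one dict per SERVICES / DRIVERS line: state, name, display, path, tag."""
    entries = []
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if not m:
            continue
        state, name, display, raw_path, tag = m.groups()
        # DDS prints "<registry value> --> <resolved path>"; keep the resolved one.
        path = raw_path.split("-->")[-1].strip()
        entries.append({"state": state, "name": name, "display": display,
                        "path": path, "tag": tag})
    return entries


def flag_suspicious(entries):
    """Attach human-readable reasons to entries that deserve a second look."""
    flagged = []
    for e in entries:
        reasons = []
        if e["tag"] == "?":
            reasons.append("image file not found on disk")
        elif e["tag"] == "x":
            reasons.append("service has no image path at all")
        p = e["path"].lower()
        if "\\temp\\" in p or "\\docume~1\\" in p or "\\documents and settings\\" in p:
            reasons.append("driver loads from a user profile / temp directory")
        if reasons:
            flagged.append(dict(e, reasons=reasons))
    return flagged


def build_cfscript(flagged, keep=()):
    """Emit a ComboFix 'Driver::' block; `keep` names entries the analyst chose to leave."""
    names = [e["name"] for e in flagged if e["name"] not in set(keep)]
    return "Driver::\n" + "".join(n + "\n" for n in names)


def java_versions_from_dpf(text):
    """Decode the JRE versions that the Java DPF (ActiveX) entries point at."""
    versions = []
    for line in text.splitlines():
        m = JAVA_DPF_RE.match(line.strip())
        if not m:
            continue
        major, minor, update = (g.upper() for g in m.groups())
        if "FFFF" in (major, minor, update):
            versions.append("latest")
        else:
            mj = str(int(major))            # "0016" -> "16" -> "1.6"
            versions.append(f"{mj[0]}.{mj[1:]}.{int(minor)}_{int(update):02d}")
    return versions


if __name__ == "__main__":
    flagged = flag_suspicious(parse_services(SAMPLE_LOG))
    for e in flagged:
        print(f"{e['state']} {e['name']:<16} {e['path'] or '(no path)'}  <- {'; '.join(e['reasons'])}")
    # SSPORT is kept here because the analyst in the thread left it out of the script.
    print(build_cfscript(flagged, keep={"SSPORT"}))
    print("Java DPF versions:", java_versions_from_dpf(SAMPLE_LOG))
```

The flags are a starting point for a human, not a verdict: a legitimate printer-port driver whose file was removed by an uninstaller produces the same `[?]` as an orphaned rootkit loader, which is why the script takes an explicit `keep` set rather than deciding for you. Two of the three Java entries point at specific old JRE builds (1.5.0_06 and 1.6.0_20), which is the kind of leftover this post asks to remove via Add/Remove Programs.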

#9 TSMVH
  • Topic Starter
  • Members
  • 6 posts

Posted 03 August 2012 - 08:19 AM

nasdaq,

Java has been updated & the old version (Java™ SE Runtime Environment 6 Update 1) removed.

I tried to update Dreamweaver, the update downloaded OK, saved to Desktop. Double clicking the .exe file produces the message: "The folder does not contain Dreamweaver MX2004". See attached screenshot.

Would the infection have moved the files or changed the shortcuts?

However my main worry is can you see any of the trojans left on my PC, or indeed anything malware/virus etc?

If not I can always buy an external CD drive & reinstall Dreamweaver.

Regards.

Attached Files



#10 nasdaq

  • Malware Response Team
  • 38,978 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 August 2012 - 01:38 PM

I tried to update Dreamweaver, the update downloaded OK, saved to Desktop. Double clicking the .exe file produces the message: "The folder does not contain Dreamweaver MX2004". See attached screenshot.

Would the infection have moved the files or changed the shortcuts?

However my main worry is can you see any of the trojans left on my PC, or indeed anything malware/virus etc?


From my point of view your computer is clean.

You can always run this scan.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

===

Did you try to place the downloaded Dreamweaver update file in the folder where the program is presently installed?
Run it from there.

If that does not work, reinstall the program in the same folder it was in before.
Then run the update.

#11 nasdaq

  • Malware Response Team
  • 38,978 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 August 2012 - 08:11 AM

Are you still with me?

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#12 TSMVH
  • Topic Starter
  • Members
  • 6 posts

Posted 09 August 2012 - 04:05 PM

Attached File: ESET_Scanner_12-08-09.txt (441 bytes)

nasdaq,

I'm still here, apologies for the delayed reply.

Moving the update file into the Dreamweaver folder produced the same results as previous. Then I ran this:

http://www.bleepingcomputer.com/download/unhide/

It seemed to fix a lot of things, the ghosted folders were unghosted and Dreamweaver now opens & runs OK. The Dreamweaver update still produces the same error message that "Dreamweaver MX 2004" does not exist. I deleted the update .exe file and downloaded it again but had the same result. I can live with Dreamweaver being back to how it was unless I need the update for security issues.

I ran ESET Scanner and it found 3 things, file attached.

ComboFix is uninstalled, I'll delete the other files next.

Are the things ESET Scanner found serious? It seems to have quarantined them. I did not tick the delete box on exiting the program, the instructions did not mention to do so. However I'll run it again & delete them if needed.

Regards.

Edited by TSMVH, 09 August 2012 - 04:07 PM.


#13 nasdaq

  • Malware Response Team
  • 38,978 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 August 2012 - 07:23 AM

Dreamweaver Support Center
http://www.adobe.com/support/dreamweaver/extend.html

Read the article under DREAMWEAVER MX 2004

I do not think that folder is required.
You may want to download some of the PDF files and/or the following links on the page:

Extending Dreamweaver MX files Windows (ZIP, 8K)
Extending Dreamweaver MX files Macintosh (SIT, 20K)
===

The items found by ESET can be removed. They are in a quarantine folder; nothing to worry about.



