
malware beating me down


  • This topic is locked
302 replies to this topic

#1 miz-h

miz-h

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 27 August 2012 - 12:41 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Wanda Thorne at 12:48:05 on 2012-08-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2755 [GMT -4:00]
.
AV: Total Defense Anti-Virus Plus *Enabled/Updated* {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: Total Defense Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Wanda Thorne\Desktop\U3 System (H)\LaunchU3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\Notepad.exe
C:\Documents and Settings\Wanda Thorne\Application Data\U3\4255310C9352F8AD\LaunchPad.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Total Defense Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DFOybCkmuU275Q] c:\documents and settings\all users\application data\DFOybCkmuU275Q.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{5372b9a6-6e51-4f90-9b40-e0a3b8475c4e}\hphupd05.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [capfupgrade] c:\program files\ca\ca internet security suite\ca personal firewall\capfupgrade.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Total Defense PC Tuneup Reminder] c:\program files\ca\ca pc tune-up\Reminder-PCTuneup.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [tYlpyTtkmGjGGNe.exe] c:\documents and settings\all users\application data\tYlpyTtkmGjGGNe.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {070DC617-E3B7-468B-A29C-D4E84FAE938C} - hxxp://utilities.pcpitstop.com/pctuneup2/controls/pctuneup.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1216218584468
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/sj/en/check/xp/qdiagh.cab?326
TCP: DhcpNameServer = 156.154.119.11 156.154.129.11
TCP: Interfaces\{418C09AB-1A03-4BF8-B1B4-F352C1484AC4} : DhcpNameServer = 156.154.119.11 156.154.129.11
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: UmxSbxExw.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2011-10-27 170064]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-1-23 39080]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-1-23 36608]
S0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2011-9-6 123984]
S1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2011-10-26 83536]
S1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2011-9-6 63056]
S1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2011-7-28 116304]
S2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-29 206152]
S2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-9-22 222544]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-9-22 207920]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-6-8 17664]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-6-6 90112]
S2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2011-9-6 150608]
S2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2011-9-6 81488]
S2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-3 18072]
S2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-5-30 14616]
S2 UmxEngine;TM Engine;c:\program files\ca\sharedcomponents\tmengine\UmxEngine.exe [2011-4-4 662096]
S2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-10-25 244960]
S3 12357;12357;c:\windows\system32\drivers\12357 [2011-8-28 9072]
S3 21743;21743;c:\windows\system32\drivers\21743 [2011-11-9 9072]
S3 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-9-29 1691480]
S3 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2007-4-26 75032]
S3 cpuz134;cpuz134;c:\docume~1\wandat~1\locals~1\temp\cpuz134\cpuz134_x32.sys [2011-11-9 20328]
S3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2011-9-6 331344]
S3 LockServ;LockServ;c:\acer\empowering technology\elock\lockserv.exe -p --> c:\acer\empowering technology\elock\LockServ.exe -p [?]
S3 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
S3 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2007-6-6 2521880]
S3 WinExtManager;WinSock Extention Manager;c:\windows\system32\mdmcls32.exe [2010-9-22 3207184]
.
=============== Created Last 30 ================
.
2012-08-15 21:08:47 254976 ----a-w- c:\documents and settings\all users\application data\DFOybCkmuU275Q.exe
2012-08-15 20:29:01 348160 ---ha-w- c:\documents and settings\all users\application data\tYlpyTtkmGjGGNe.exe
.
==================== Find3M ====================
.
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:48:44.71 ===============


Next LOG:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/16/2008 9:53:44 AM
System Uptime: 8/18/2012 4:06:36 PM (212 hours ago)
.
Motherboard: Acer | | EQ35M
Processor: Intel® Core™2 Quad CPU Q6600 @ 2.40GHz | CPU 1 | 2393/267mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 217 GiB total, 170.665 GiB free.
D: is FIXED (FAT32) - 10 GiB total, 9.796 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 145 GiB total, 108.437 GiB free.
G: is Removable
H: is CDROM (CDFS)
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&3D90042&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&3D90042&0
Service: i8042prt
.
==== System Restore Points ===================
.
RP1774: 8/6/2012 7:51:16 PM - System Checkpoint
RP1775: 8/7/2012 8:22:53 PM - System Checkpoint
RP1776: 8/8/2012 9:22:53 PM - System Checkpoint
RP1777: 8/9/2012 10:22:50 PM - System Checkpoint
RP1778: 8/10/2012 11:22:50 PM - System Checkpoint
RP1779: 8/12/2012 12:22:52 AM - System Checkpoint
RP1780: 8/13/2012 1:22:51 AM - System Checkpoint
RP1781: 8/14/2012 2:22:51 AM - System Checkpoint
RP1782: 8/15/2012 3:22:50 AM - System Checkpoint
.
==== Installed Programs ======================
.
.
Acer eLock Management
Acer Empowering Technology
Acer ePerformance Management
Acer eProtection
Acer eSettings Management
Acer LANScope Agent
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Adobe Acrobat 4.0
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 3.0
Adobe Reader X (10.1.3)
AdolescentScheduler
America Online (Choose which version to remove)
American Greetings CreataCard
Anti-Virus Plus
AntiPhishing
AOL Coach Version 1.0(Build:20020929.1)
APH placeholder
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
Backup and Migration
Bonjour
BufferChm
Business Contact Manager for Outlook 2007 SP2
CA Anti-Virus Plus
commercial
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
DeepBurner v1.8.0.224
DesignPro 5.4 Limited Edition
Destinations
DeviceManagementQFolder
DigitImg
DNAMigrator
DocProc
DocProcQFolder
Doctor Alex
eSobi v2
eSupportQFolder
Family Tree Maker 2006
FoxTab PDF Creator
FullDPAppQFolder
GameHouse
Google Toolbar for Internet Explorer
Greeting Card Creator 32
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Hoyle Puzzle & Board Games 2010 (remove only)
HP Imaging Device Functions 7.0
HP Memories Disc
HP Photo and Imaging 2.3 - Scanjet 4600 Series
HP Photosmart Premier Software 6.5
HP Product Detection
HP Scanjet G4000 series 8.0
HP Software Update
HP Solution Center 7.0
hpG4000
hpg4000QFolder
HPProductAssistant
Infineon TPM Professional Package
InstantShareDevices
Intel® Matrix Storage Manager
Intel® PRO Network Connections 12.1.12.0
Intel® Active Management Technology
Intel® Management Engine Interface
iTunes
Java Auto Updater
Java™ 6 Update 30
LightScribe 1.4.142.1
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Works 7.0
Most Popular Solitaire Version 2.00
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
OCA Client history tool install
OCR Software by I.R.I.S 8.0
OGA Notifier 2.0.0048.0
OLYMPUS CAMEDIA Master 2.5
overland
PanoStandAlone
Parental Controls
ParetoLogic FileCure
Personal Firewall
Photodex Presenter
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
PlayItAll media player 1.0.5
PowerDVD
ProShow Gold
PS7700
PSShortcuts
PSUsage
QFolder
QuickTime
Qurb
RandMap
RealPlayer
Realtek High Definition Audio Driver
Safari
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB913433)
ShareIns
Shockwave
SkinsHP1
SlideShow
SolutionCenter
Sonic_PrimoSDK
Spelling Dictionaries Support For Adobe Reader 9
StartNow Toolbar
The Print Shop
The Print Shop 22
Total Defense Internet Security Suite
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Driver Package - Intel (e1express) Net (12/04/2008 9.12.36.0)
Windows Driver Package - Intel (iaStor) SCSIAdapter (06/04/2009 8.9.0.1023)
Windows Driver Package - Intel Corporation (ialm) Display (01/13/2010 6.14.10.5218)
Windows Driver Package - Realtek Semiconductor Corp. HD Audio Driver (07/28/2010 5.10.0.6167)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Zuma's Revenge!
Zuma's Revenge!™ - Adventure
Zuma Deluxe
Zuma Deluxe 1.0
.
==== Event Viewer Messages From Past Week ========
.
8/20/2012 4:18:31 PM, error: Dhcp [1002] - The IP address lease 192.168.1.104 for the Network Card with network address 001E9030C238 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/20/2012 1:38:42 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
.
==== End Of File ===========================
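As an added triage example (not part of the thread, and not code from DDS or BleepingComputer): a small Python script that reads lines in the DDS report format posted above and flags the entries a malware responder looks at first. The sample lines are constructed to mirror that log (the two random-named executables under All Users\Application Data, the numeric driver name, the driver loaded from a Temp folder and the orphaned BHO are taken from it; the benign entries are there for contrast). The path heuristics and severity ratings are my own assumptions for illustration, not anything DDS itself reports.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in DDS "Pseudo HJT Report" / "SERVICES / DRIVERS" format,
# modelled on the log above. Benign lines are included so the filter has
# something to ignore.
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [DFOybCkmuU275Q] c:\\documents and settings\\all users\\application data\\DFOybCkmuU275Q.exe
mRun: [IgfxTray] c:\\windows\\system32\\igfxtray.exe
mRun: [tYlpyTtkmGjGGNe.exe] c:\\documents and settings\\all users\\application data\\tYlpyTtkmGjGGNe.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelperShim.dll
S3 12357;12357;c:\\windows\\system32\\drivers\\12357 [2011-8-28 9072]
S3 cpuz134;cpuz134;c:\\docume~1\\wandat~1\\locals~1\\temp\\cpuz134\\cpuz134_x32.sys [2011-11-9 20328]
R2 aawservice;Lavasoft Ad-Aware Service;c:\\program files\\lavasoft\\ad-aware\\aawservice.exe [2008-5-12 611664]
"""

# Line shapes used by DDS: autorun entries, browser add-ons, services/drivers.
RUN_RE = re.compile(r'^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
BHO_RE = re.compile(r'^(?P<kind>BHO|TB): (?P<rest>.*)$')
SVC_RE = re.compile(r'^(?P<state>[RS][0-3]) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)(?: \[.*\])?$')

# Assumed heuristic: code that auto-starts from user-writable data or temp
# folders is unusual for legitimate software and common for malware droppers.
DATA_DIRS = ("application data", "local settings", "\\temp\\", "locals~1")


@dataclass
class Finding:
    severity: str   # "high" / "medium" / "low" (assumed scale)
    kind: str       # autorun, driver, BHO, TB
    name: str
    path: str
    reason: str


def _image_path(cmd: str) -> str:
    """Strip quotes and trailing arguments, keeping the executable/module path."""
    m = re.search(r'(?i)(.+?\.(exe|dll|sys))', cmd.strip('"'))
    return m.group(1).lower() if m else cmd.strip().lower()


def triage(log: str) -> List[Finding]:
    """Return the entries in a DDS-style report that deserve a closer look."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            path = _image_path(m['cmd'])
            if any(d in path for d in DATA_DIRS):
                findings.append(Finding("high", "autorun", m['name'], path,
                    "autorun entry launches from a user-writable data/temp directory"))
            continue
        if (m := BHO_RE.match(line)):
            if m['rest'].endswith("- No File"):
                findings.append(Finding("low", m['kind'], m['rest'].split(' - ')[0], "",
                    "orphaned browser add-on registration (file missing)"))
            continue
        if (m := SVC_RE.match(line)):
            path = m['path'].strip().lower()
            if m['name'].isdigit():
                findings.append(Finding("medium", "driver", m['name'], path,
                    "service name is purely numeric"))
            if any(d in path for d in DATA_DIRS):
                findings.append(Finding("medium", "driver", m['name'], path,
                    "driver/service image located in a temp directory"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so a long log can be skimmed quickly."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.kind:8} {f.name:24} {f.reason}  {f.path}")
    print(summarize(triage(SAMPLE_LOG)))
```

The point of the check is not the names themselves (a dropper picks those at random) but the location: the two entries under `all users\application data` are the ones a helper would act on first, while the "No File" add-on and the numeric driver are cleanup candidates rather than proof of infection.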



#2 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 28 August 2012 - 06:02 AM

THE GMER scan, which I am NOT confident I am able to put here, has ONLY one line in the results (scan ran for several hours last night). This line came up within a second of telling it to start the scan, and is the only line in it:

TYPE: ?
Name: C:\DOCUME~1\WANDAT~1\LOCALS~1\Temp\mbr.sys
Value: The system cannot find the file specifi..

And I can't even read the rest of that value line.

At least I have THIS written down...now I will try to copy and paste and really get it to you.

#3 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 28 August 2012 - 06:12 AM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-28 07:07:12
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST325031 rev.3.AA
Running: gmer.exe; Driver: C:\DOCUME~1\WANDAT~1\LOCALS~1\Temp\ugdcraoc.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\WANDAT~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----

#4 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 28 August 2012 - 06:22 AM

***DEFOGGER LOG****


defogger_disable by jpshortstuff (23.02.10.1)
Log created at 07:15 on 28/08/2012 (Wanda Thorne)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

#5 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 28 August 2012 - 08:10 AM

link to original topic on this problem

http://www.bleepingcomputer.com/forums/topic465562.html

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:15 PM

Posted 29 August 2012 - 05:54 AM

Hello, miz-h
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Watch Topic - button at the top bar of this topic.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please give me some time to review your logs, I will be back shortly.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#7 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:15 PM

Posted 29 August 2012 - 06:21 AM

Hi,

Please go here and have a look how you can disable your security software.

Download Combofix from any of the links below but rename it to <schrauber> before saving it to your desktop.

Link 1




--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix





Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Please post back with both logfiles.
regards,
schrauber


#8 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 29 August 2012 - 09:15 AM

Tom, welcome to my computer heck... Wanted to point out to you that I AM an idiot when it comes to computers. I can follow directions...but only if the infected computer allows me to.

I've been downloading various links provided to me from the first Bleeper.. but not on the Infected Computer. I have to use my mother's laptop (running Windows 7) to read what you guys are telling me, then click on the various links and download them to a flash drive. Insert the flash drive into the Infected Computer (should we start referring to it as IC??) and somehow figure out how to jump thru the proper hoops to get the programs from the flash drive onto the desktop of the IC.... THEN seeing if the virus will allow the program to do its thing.

I DID just follow your step by step instructions for unhiding all files... and several more icons jumped onto my desktop when I had finished with that. Certainly not everything that's on the IC is now on the desktop, by a long shot. HOWEVER.. the IC can STILL not open the Internet Explorer. AND.. for years, I have been running the CA program for anti virus (sure, that worked well) and etc. for safety issues on the IC. I did disable the CA firewall several weeks ago when I first was infected. CA had wanted to block me using the rkill program, which I remembered from last year. So, I assume the firewall is still disabled. I do NOT have any reference to CA on the IC at this point. I still cannot take screenshots. I am fairly sure that the only part of the CA program I disabled was the firewall. I honestly have no idea what the rest of it is supposed to do. ALSO... know that this IC, this Acer desktop is running XP and I think IT came with some kind of security stuff built into it because it caused problems for me in the past. I disabled (years ago) at least part of it, but no idea which part.

So. I have not yet followed your instructions for downloading combofix, because I cannot get to the CA shield in order to disable the rest of its parts, as you instructed above. I will await your reply before proceeding further. I am Wanda, by the way. I am trying to not panic over all this. I wish I could access the internet from the Infected Computer...... Part of your instructions also state that I MUST have access to the Internet.... And the Acer does NOT... The malware shut that down weeks ago and I cannot restore the connection....

Edited by miz-h, 29 August 2012 - 12:40 PM.


#9 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:15 PM

Posted 30 August 2012 - 05:50 AM

Hi Wanda :)

Please go here

http://homeofficekb.ca.com/CIDocument.asp?SimpleUI=1&GUID=EFA2FC17D940413889E43F84A466B800&ExternalCallID=0&Ver=&AddBookmark=0&KDId=3153

and download the CA Uninstaller to completely uninstall the program. We will reinstall it later. Then please follow the rest of the instructions above :).

Edited by schrauber, 30 August 2012 - 05:51 AM.

regards,
schrauber


#10 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 30 August 2012 - 06:44 AM

TOM!!! I WILL follow this direction to uninstall the CA... BUT down in the many, many words of that next step, ComboFix will check to see if the Microsoft Windows Recovery Console is installed, and that I MUST have internet connection to update it, if it's not there.

I DO NOT HAVE INTERNET CONNECTION ON BAD COMPUTER!!! Should I give this a shot, in the hopes that it will run, or will this foul up the computer MORE????

I will do the CA step, but will await your reply before going further. I am stressed beyond belief.....

#11 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 30 August 2012 - 07:21 AM

**** UPDATE *** I saved the CA removal program to the flash drive, then went to broken computer and saved it to the desktop. When I double click the icon, up pops a window stating: "Support software was unable to launch. Please retry again from the web page. Please note you must not change the name." My choices at that point were to hit the red X or to say Ok. I did neither. I RIGHT clicked the icon and told it to run. Up pops a window stating: "A device attached to the system is not functioning."

I explored a bit more and on some window within the "my computer" list, I found that something was still marked "hidden". I removed that checkmark, because yesterday we told the blasted thing to show ALL hidden folders, so why was this thing still hidden.

Once I told it to apply that change to all folders...again...up on that list/menu to the left hand side that lists

My computer
My this
My that

(I do NOT know what to call this list... sorry.... anyhow, there was something called "Program Files". NOTE this is NOT the "all programs I get when I hit start...that one is still pretty much empty as it's been

Under the Program Files, I find now a reference to CA. I explore in it and there is no uninstall. I cannot uninstall from there, or from the flash drive. I need an Internet Explorer connection. I look further down in this Program Files list, and find Internet Explorer. I couldn't understand ANYthing under that, so I clicked on NONE of it. It did say that my LAN was connected. But maybe that was the virus talking. I could NOT take a screenshot of anything. I could not copy and paste anything.

YOUR TURN.....

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:15 PM

Posted 30 August 2012 - 10:59 AM

Hi Wanda :)

We will download some tools and transfer them to the infected system.

Please go here to download and read about the tool unhide.exe

http://www.bleepingcomputer.com/forums/topic405109.html


Download ComboFix from one of these locations:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

First, please run unhide.exe





  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
regards,
schrauber


#13 miz-h

miz-h
  • Topic Starter

  • Members
  • 194 posts
  • OFFLINE
  • Local time:11:15 AM

Posted 31 August 2012 - 03:24 PM

Family Emergency will keep me away for a few days, I'm afraid!!! Please do NOT close this case!!!!!! Talk to you soon, Tom!!!!!

#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:15 PM

Posted 02 September 2012 - 08:17 AM

No problem :)
regards,
schrauber


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:15 PM

Posted 08 September 2012 - 12:51 PM

Still with me? :)
regards,
schrauber
