Regular Contributor
Posts: 32
Registered: 02-27-2005

Virus thwarts even hijackthis d/l

Hello,
I'm not exactly sure what I'm dealing with but it is very frustrating. The machine is running XP Home Edition, 32 bit, Service Pack 3, I.E. 8 128 bit. Restore points are turned off per a McAfee 'fix' that didn't work.

The first program to indicate something was wrong was Windows Defender. It identified the problem as Patched-SYSfile.a, but then it also found Vundo.ME (both trojans). I selected the remove option for both, but according to its log, Defender 'allowed' them instead. Later McAfee reported Patched-SYSfile.a and Vundo.gen.W, not once but twice. Twice it claims to have repaired the sys.file and repaired plus removed the Vundo, but the virus(es) or 'something' are still alive and well.

The Windows Live Safety Scanner did not find any problems, but Automatic Updates, Defender updates and the MS Malicious Software Removal Tool are able to run or be made to run. No matter which method I use (services.msc, control panel, etc.) to turn Automatic Updates on, 'something' shuts it back off. The MS Removal Tool can't even start; at best I get to see the program options for a half second and 'poof' it's gone. Defender no longer reports any problems until I try to update; then it says, quote, 'The program can't check for definition updates'.

Even McAfee can be shut down by 'something' at any time. None of the 'fixes' as described by the various error codes or virus information help. Just before this all happened, Automatic Updates was able to d/l some very recent updates (out of band?) but 'something' will not let that one install. The only update that still works is McAfee, but that's of little help since it sees nothing wrong. Oh yes, the weird pop-ups also happen. It acts just like the Vundo is described in what I have read, but a Vundo on steroids with the ability to cloak itself.

HijackThis will not d/l (as an executable or installer), so I can't post a HJT report.

The Malwarebytes set-up file came through ok but will not (or cannot, or is not allowed to) install!

HELP!

Security Expert
CajunTek
Posts: 20,976
Registered: 10-07-2003

Re: Virus thwarts even hijackthis d/l

Try this:  Rename MBAM to some other name such as scanner.exe and run it that way.. If that doesn't work we'll try something different..

TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: 02-27-2005

Re: Virus thwarts even hijackthis d/l

Thank you CajunTek, but I cannot find a file with the name mbam.exe in the program's folder or anywhere on the hard drive. Parts of the program did install, but not mbam.exe.
I renamed the set-up file to scanner.exe and tried to install again but got the same error message as before:

 

Unable to execute file:
C:\programFiles\Malwarebytes'Anti-Malware\mbam.exe
Create process failed; code 2.
The system cannot find the file specified

Regular Contributor
Posts: 32
Registered: 02-27-2005

Re: Virus thwarts even hijackthis d/l

Update:
McAfee reported another virus @ 1/23/2010 4:21:24 PM:
Exploit-PDF.q.gen!stream

All I did was log off from here and visit the Comcast security page to read about Norton.

Security Expert
CajunTek
Posts: 20,976
Registered: 10-07-2003

Re: Virus thwarts even hijackthis d/l

Let's try another tool:

 

Download OTL, saving it to your desktop:

 

http://oldtimer.geekstogo.com/OTL.exe

 


• Close all open windows on the Task Bar. Click the OTL icon (for Vista, right click the icon and Run as Administrator) to start the program.
• In the lower right corner of the Top Panel, checkmark "LOP Check" and checkmark "Purity Check".
• Now click Run Scan at Top left and let the program run uninterrupted. The scan may take 5-10 minutes.
• Do not TOUCH your keyboard until the scan completes!
• It will produce two (2) logs on your desktop, one will pop up called OTL.txt; the other will be named Extras.txt.
• Exit Notepad. Remember where you've saved these 2 files as we will need both of them shortly!
• Exit OTL by clicking the X at top right.

 

Now go back and open those logs with notepad, post the results here.. Note that this can be long so it may take multiple postings to do this.

TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: 02-27-2005

Re: Virus thwarts even hijackthis d/l

That went smooth enough... here's the OTL.txt:

 

OTL logfile created on: 1/23/2010 7:37:12 PM - Run 1
OTL by OldTimer - Version 3.1.26.0     Folder = C:\Documents and Settings\BT\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,023.00 Mb Total Physical Memory | 304.00 Mb Available Physical Memory | 30.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 57.26 Gb Total Space | 32.44 Gb Free Space | 56.66% Space Free | Partition Type: NTFS
Drive D: | 38.28 Gb Total Space | 20.53 Gb Free Space | 53.63% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: BASEMENT3K1R494
Current User Name: BT
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
[color=#E56717]========== Processes (SafeList) ==========[/color]
 
PRC - [2010/01/23 19:30:41 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\BT\Desktop\OTL\OTL.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/09/21 15:36:12 | 00,305,440 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/09/21 15:36:02 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/02/18 13:44:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/04/13 19:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/03 18:20:12 | 00,866,584 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2006/05/16 22:15:10 | 00,071,288 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
PRC - [2005/10/21 18:13:40 | 00,163,840 | ---- | M] () -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
PRC - [2005/10/21 18:08:34 | 00,864,256 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
PRC - [2005/10/21 17:54:54 | 00,010,240 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
PRC - [2005/10/20 23:47:58 | 01,687,552 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
 
 
[color=#E56717]========== Modules (SafeList) ==========[/color]
 
MOD - [2099/01/01 12:00:00 | 00,095,744 | -HS- | M] () -- C:\WINDOWS\system32\gagekije.dll
MOD - [2099/01/01 12:00:00 | 00,051,712 | -HS- | M] () -- C:\WINDOWS\system32\mulifadu.dll
MOD - [2010/01/23 19:30:41 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\BT\Desktop\OTL\OTL.exe
 
 
[color=#E56717]========== Win32 Services (SafeList) ==========[/color]
 
SRV - [2009/09/21 15:36:02 | 00,545,568 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/06/05 10:48:14 | 00,144,712 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/02/18 13:44:00 | 00,163,908 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006/11/03 18:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2005/10/21 18:09:44 | 00,229,376 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe -- (RoxLiveShare)
SRV - [2005/10/21 18:08:34 | 00,864,256 | ---- | M] (Sonic Solutions) [On_Demand | Running] -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe -- (RoxMediaDB)
SRV - [2005/10/21 18:05:42 | 00,155,648 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe -- (RoxWatch)
SRV - [2005/10/21 15:58:02 | 00,045,056 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe -- (RoxUPnPRenderer)
SRV - [2005/10/21 15:57:20 | 00,405,504 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe -- (RoxUpnpServer)
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
 
 
[color=#E56717]========== Driver Services (SafeList) ==========[/color]
 
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/02/18 13:44:00 | 06,308,224 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/04/13 13:46:22 | 00,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MPE.sys -- (MPE)
DRV - [2007/11/13 05:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2006/12/12 10:16:06 | 00,022,528 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emAudio.sys -- (emAudio)
DRV - [2005/12/21 08:14:52 | 00,100,957 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emDevice.sys -- (DCamUSBEMPIA)
DRV - [2005/12/21 08:14:52 | 00,005,245 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emFilter.sys -- (FiltUSBEMPIA)
DRV - [2005/12/21 08:14:52 | 00,004,493 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\emScan.sys -- (ScanUSBEMPIA)
DRV - [2005/10/21 16:34:30 | 00,050,176 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\RxFilter.sys -- (RxFilter)
DRV - [2005/10/20 10:05:00 | 00,311,680 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2005/10/20 10:05:00 | 00,119,168 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Pwd_2k.sys -- (pwd_2k)
DRV - [2005/10/20 10:05:00 | 00,027,264 | ---- | M] (Sonic Solutions) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dvd_2k.sys -- (dvd_2K)
DRV - [2005/10/20 10:05:00 | 00,027,136 | ---- | M] (Sonic Solutions) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mmc_2k.sys -- (mmc_2K)
DRV - [2005/09/23 22:18:32 | 00,171,520 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MarvinBus.sys -- (MarvinBus)
DRV - [2005/08/19 05:00:00 | 00,046,080 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2005/01/27 03:22:00 | 00,088,016 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2002/06/03 11:18:32 | 00,040,832 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\es1371mp.sys -- (es1371) Creative AudioPCI (ES1371,ES1373) (WDM)
DRV - [2002/04/11 13:47:52 | 00,011,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipfilter.sys -- (IPFilter)
DRV - [2001/08/18 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 07:11:42 | 00,029,696 | ---- | M] (CNet Technology, Inc.                                                    ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DM9PCI5.SYS -- (DM9102) DAVICOM 9102(A)
 
 
[color=#E56717]========== Standard Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== Internet Explorer ==========[/color]
 
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
 
 
O1 HOSTS File: ([2001/08/18 07:00:00 | 00,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe (HP)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mazutufer] C:\WINDOWS\System32\gagekije.DLL ()
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [POINTER]  File not found
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe (Sonic Solutions)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe ()
O4 - HKLM..\Run: [USB2Check] C:\WINDOWS\System32\PCLECoInst.DLL (Pinnacle Systems)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe File not found
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?118413334... (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} http://chat.msn.com/controls/msnchat45.cab (MSN Chat Control 4.5)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.64.150 68.87.75.198
O20 - AppInit_DLLs: (mulifadu.dll) - C:\WINDOWS\System32\mulifadu.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\gagekije.dll) - C:\WINDOWS\system32\gagekije.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: suyolipaw - {04119e6c-9a51-489c-87dd-df368242b1d9} - C:\WINDOWS\system32\gagekije.dll ()
O22 - SharedTaskScheduler: {04119e6c-9a51-489c-87dd-df368242b1d9} - kupuhivus - C:\WINDOWS\system32\gagekije.dll ()
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/31 20:45:27 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
 
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2010/01/23 19:29:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\BT\Desktop\OTL
[2010/01/23 16:13:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\BT\Desktop\quickfix
[2010/01/23 15:34:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\BT\Desktop\Mcaffe Tool
[2010/01/22 23:39:42 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/22 23:39:38 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/22 23:39:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/22 23:39:37 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/22 23:37:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\BT\Desktop\MALWARE
[2010/01/22 23:26:15 | 00,000,000 | ---D | C] -- C:\hjt
[2010/01/22 19:20:51 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center
[2010/01/22 19:13:05 | 10,038,728 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\BT\Desktop\windows-kb890830-v3.3.exe
[2010/01/22 18:53:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/01/22 03:28:11 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\BT\Recent
[2010/01/19 20:53:39 | 00,000,000 | ---D | C] -- C:\e9b354251dc9644ce76a
[2010/01/13 19:59:36 | 00,471,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\aclayers.dll
[2010/01/08 08:40:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\BT\Desktop\permit
[2009/07/31 08:32:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/07/16 21:51:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/09/15 00:32:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
[2008/09/15 00:22:42 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/01/31 21:26:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2006/01/31 20:45:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]
 
[2099/01/01 12:00:00 | 00,095,744 | -HS- | M] () -- C:\WINDOWS\System32\yazemiya.dll
[2099/01/01 12:00:00 | 00,095,744 | -HS- | M] () -- C:\WINDOWS\System32\kulufegi.dll
[2099/01/01 12:00:00 | 00,095,744 | -HS- | M] () -- C:\WINDOWS\System32\gagekije.dll
[2099/01/01 12:00:00 | 00,061,952 | -HS- | M] () -- C:\WINDOWS\System32\ladilasa.dll
[2099/01/01 12:00:00 | 00,051,712 | -HS- | M] () -- C:\WINDOWS\System32\yabutuwi.dll
[2099/01/01 12:00:00 | 00,051,712 | -HS- | M] () -- C:\WINDOWS\System32\mulifadu.dll
[2099/01/01 12:00:00 | 00,051,712 | -HS- | M] () -- C:\WINDOWS\System32\godojuje.dll
[2099/01/01 12:00:00 | 00,051,712 | -HS- | M] () -- C:\WINDOWS\System32\fuledipu.dll
[2099/01/01 12:00:00 | 00,043,008 | -HS- | M] () -- C:\WINDOWS\System32\buwapite.dll
[2099/01/01 12:00:00 | 00,042,496 | -HS- | M] () -- C:\WINDOWS\System32\zijodope.dll
[2099/01/01 12:00:00 | 00,041,984 | -HS- | M] () -- C:\WINDOWS\System32\sejosobi.dll
[2099/01/01 12:00:00 | 00,038,400 | -HS- | M] () -- C:\WINDOWS\System32\rilotozi.dll
[2010/01/23 19:37:41 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\golebogu
[2010/01/23 19:36:44 | 06,029,312 | -H-- | M] () -- C:\Documents and Settings\BT\NTUSER.DAT
[2010/01/23 19:00:05 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\vebxmpqk.job
[2010/01/23 15:57:48 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/23 13:05:24 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/22 22:57:16 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/01/22 19:13:05 | 10,038,728 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\BT\Desktop\windows-kb890830-v3.3.exe
[2010/01/22 14:59:33 | 00,212,641 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/01/22 14:58:52 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/22 14:58:47 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/01/22 14:57:52 | 04,308,322 | -H-- | M] () -- C:\Documents and Settings\BT\Local Settings\Application Data\IconCache.db
[2010/01/22 00:02:56 | 00,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\atapi.sys
[2010/01/21 22:51:03 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/19 06:22:13 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\BT\ntuser.ini
[2010/01/16 06:20:36 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/01/14 11:12:06 | 00,181,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/01/14 00:11:50 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/01/07 16:07:14 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/07 16:07:04 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/12/27 18:56:44 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\BT\My Documents\Return address labels.doc
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
 
[color=#E56717]========== Files Created - No Company Name ==========[/color]
 
[2099/01/01 12:00:00 | 00,095,744 | -HS- | C] () -- C:\WINDOWS\System32\yazemiya.dll
[2099/01/01 12:00:00 | 00,095,744 | -HS- | C] () -- C:\WINDOWS\System32\kulufegi.dll
[2099/01/01 12:00:00 | 00,095,744 | -HS- | C] () -- C:\WINDOWS\System32\gagekije.dll
[2099/01/01 12:00:00 | 00,061,952 | -HS- | C] () -- C:\WINDOWS\System32\ladilasa.dll
[2099/01/01 12:00:00 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\yabutuwi.dll
[2099/01/01 12:00:00 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\mulifadu.dll
[2099/01/01 12:00:00 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\godojuje.dll
[2099/01/01 12:00:00 | 00,051,712 | -HS- | C] () -- C:\WINDOWS\System32\fuledipu.dll
[2099/01/01 12:00:00 | 00,043,008 | -HS- | C] () -- C:\WINDOWS\System32\buwapite.dll
[2099/01/01 12:00:00 | 00,042,496 | -HS- | C] () -- C:\WINDOWS\System32\zijodope.dll
[2099/01/01 12:00:00 | 00,041,984 | -HS- | C] () -- C:\WINDOWS\System32\sejosobi.dll
[2099/01/01 12:00:00 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\rilotozi.dll
[2099/01/01 12:00:00 | 00,006,456 | -H-- | C] () -- C:\WINDOWS\System32\golebogu
[2010/01/23 15:57:47 | 00,000,330 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/23 03:40:42 | 00,000,296 | ---- | C] () -- C:\WINDOWS\tasks\vebxmpqk.job
[2010/01/22 23:39:48 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/27 18:56:43 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\BT\My Documents\Return address labels.doc
[2009/06/06 12:42:33 | 00,014,756 | ---- | C] () -- C:\Documents and Settings\BT\Local Settings\Application Data\rx_audio.Cache
[2009/05/29 14:26:33 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\PsisDecd.dll
[2009/02/18 13:44:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/02/18 13:44:00 | 01,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/02/18 13:44:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/02/18 13:44:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/02/17 16:59:48 | 00,054,272 | ---- | C] () -- C:\Documents and Settings\BT\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/02/06 17:15:02 | 00,000,035 | ---- | C] () -- C:\WINDOWS\Ulead32.INI
[2006/02/01 23:11:36 | 00,000,002 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
[2006/02/01 01:47:00 | 00,184,620 | ---- | C] () -- C:\Documents and Settings\BT\Local Settings\Application Data\rx_image.Cache
[2006/02/01 01:35:08 | 00,000,053 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/02/01 01:05:59 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2006/02/01 00:32:17 | 00,044,491 | ---- | C] () -- C:\WINDOWS\System32\MiiIniFile13.ini
[2006/02/01 00:32:15 | 00,285,216 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsio.sys
[2006/02/01 00:32:15 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\drivers\Onsreged.sys
[2006/01/31 23:25:33 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/10/24 22:35:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/10/21 16:07:14 | 00,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
[2005/10/19 18:56:36 | 03,596,288 | R--- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/07/15 13:35:56 | 00,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/07/15 13:35:56 | 00,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2004/11/30 04:10:00 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\besched.dll
[2003/10/02 01:00:00 | 00,208,896 | ---- | C] () -- C:\WINDOWS\System32\lockout.dll
[2003/10/02 01:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\lockres.dll
[2002/04/11 13:47:52 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
 
[color=#E56717]========== LOP Check ==========[/color]
 
[2009/06/10 15:10:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Links 2003
[2009/05/29 14:14:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pinnacle
[2009/09/30 14:29:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/07/12 13:08:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/12/15 01:07:58 | 00,000,334 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/12/01 01:02:21 | 00,000,326 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2010/01/23 15:57:48 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/01/23 19:00:05 | 00,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\vebxmpqk.job
 
[color=#E56717]========== Purity Check ==========[/color]
 
 
< End of report >

I'll put the Extras.txt in the next post
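
A note on reading the OTL.txt above from a defender's side, with an added example that is not part of this thread and is not OTL's own code. Several entries in the log share the marks that a helper looks for: forged 2099 timestamps, hidden+system (`-HS-`) attributes on DLLs in System32, an empty company field `()`, eight-letter pronounceable names (gagekije.dll, mulifadu.dll, yazemiya.dll), and the same file sitting in O4 Run, O20 AppInit_DLLs, O21 SSODL and O22 SharedTaskScheduler, plus being loaded into OTL's own process as a MOD entry. The Python script below applies those heuristics to lines copied from the posted log, together with a few benign lines from the same log as negatives, and ranks each path by how many signals it collects. The heuristics themselves (the scan year cut-off, the eight-letter name test, which directories count as system directories) are my assumptions for the example, not OTL rules, and the sample input is constructed from the log, not read from a live machine.

```python
"""Triage heuristics for OTL-style log lines (added example, not OTL code)."""
import re
from collections import defaultdict

SCAN_YEAR = 2010  # assumed year of the posted scan; later years are forged

# Constructed sample: lines copied from the OTL.txt posted in this thread,
# including benign entries (OTL.exe, iTunesHelper, MpSigStub, MP Scheduled Scan).
SAMPLE_LOG = r"""
MOD - [2099/01/01 12:00:00 | 00,095,744 | -HS- | M] () -- C:\WINDOWS\system32\gagekije.dll
MOD - [2010/01/23 19:30:41 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\BT\Desktop\OTL\OTL.exe
O4 - HKLM..\Run: [mazutufer] C:\WINDOWS\System32\gagekije.DLL ()
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O20 - AppInit_DLLs: (mulifadu.dll) - C:\WINDOWS\System32\mulifadu.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\gagekije.dll) - C:\WINDOWS\system32\gagekije.dll ()
O21 - SSODL: suyolipaw - {04119e6c-9a51-489c-87dd-df368242b1d9} - C:\WINDOWS\system32\gagekije.dll ()
[2099/01/01 12:00:00 | 00,095,744 | -HS- | M] () -- C:\WINDOWS\System32\yazemiya.dll
[2010/01/14 11:12:06 | 00,181,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[2010/01/23 15:57:48 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/01/23 19:00:05 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\vebxmpqk.job
"""

# OTL metadata block: [YYYY/MM/DD HH:MM:SS | size | attributes | M or C]
META_RE = re.compile(r"\[(\d{4})/\d\d/\d\d [\d:]+ \| [\d,]+ \| ([-A-Z]{4}) \| [MC]\]")
# A Windows path ending in a loadable or schedulable extension; parentheses
# and pipes are excluded so the company field and separators are not swallowed.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n()]+\\)*[^\\/:*?"<>|\r\n()]+?\.(?:dll|exe|sys|job)\b',
    re.IGNORECASE,
)
PERSISTENCE_PREFIXES = ("O4 ", "O20 ", "O21 ", "O22 ")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\tasks\\")  # assumption
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Heuristic for machine-generated names: exactly 8 lowercase letters that
    either alternate consonant/vowel (gagekije, mulifadu) or are nearly
    vowel-free (vebxmpqk). Real program names rarely fit either shape."""
    if not re.fullmatch(r"[a-z]{8}", stem):
        return False
    classes = ["v" if ch in VOWELS else "c" for ch in stem]
    alternating = all(classes[i] != classes[i + 1] for i in range(7))
    nearly_vowel_free = classes.count("v") <= 1
    return alternating or nearly_vowel_free


def triage_line(line: str) -> dict:
    """Return {lowercased path: [reasons]} for each flagged path on one line."""
    findings = defaultdict(list)
    meta = META_RE.search(line)
    no_company = "()" in line  # OTL prints () when the file has no company name
    for raw in PATH_RE.findall(line):
        path = raw.lower()
        reasons = findings[path]
        filename = path.rsplit("\\", 1)[-1]
        stem, ext = filename.rsplit(".", 1)
        in_sysdir = path.startswith(SYSTEM_DIRS)
        if meta:
            year, attrs = int(meta.group(1)), meta.group(2)
            if year > SCAN_YEAR:
                reasons.append(f"timestamp in the future ({year})")
            if "H" in attrs and "S" in attrs and in_sysdir:
                reasons.append("hidden+system attributes in a system directory")
        # .job files never carry a company name, so only judge binaries here
        if no_company and in_sysdir and ext in ("dll", "exe", "sys"):
            reasons.append("no company name in a system directory")
        if looks_generated(stem):
            reasons.append("machine-generated looking name")
        if line.startswith(PERSISTENCE_PREFIXES) and no_company:
            reasons.append(f"persistence entry ({line.split()[0]}) without company name")
        if line.startswith("MOD ") and no_company:
            reasons.append("loaded into the scanner process without company name")
    return {p: r for p, r in findings.items() if r}


def triage_log(text: str) -> dict:
    """Merge reasons per path across the whole log, most signals first."""
    merged = defaultdict(list)
    for line in text.splitlines():
        for path, reasons in triage_line(line).items():
            for reason in reasons:
                if reason not in merged[path]:
                    merged[path].append(reason)
    return dict(sorted(merged.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{path}  [{len(reasons)} signals]")
        for reason in reasons:
            print(f"    - {reason}")
```

Run against the sample, gagekije.dll comes out on top because it is the one file that shows every signal at once (forged date, hidden+system, no company, generated name, four persistence hooks, and injection into the scanner process), while OTL.exe, iTunesHelper.exe, MpSigStub.exe and Defender's MP Scheduled Scan.job collect no signals at all. The ranking is only a reading aid for a log like this one; it does not remove anything, and a single signal (vebxmpqk.job carries only the name test) is a prompt to look closer, not a verdict.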

Regular Contributor
Posts: 32
Registered: 02-27-2005

Re: Virus thwarts even hijackthis d/l

Extras.txt:

 

OTL Extras logfile created on: 1/23/2010 7:37:12 PM - Run 1
OTL by OldTimer - Version 3.1.26.0     Folder = C:\Documents and Settings\BT\Desktop\OTL
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1,023.00 Mb Total Physical Memory | 304.00 Mb Available Physical Memory | 30.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 68.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 57.26 Gb Total Space | 32.44 Gb Free Space | 56.66% Space Free | Partition Type: NTFS
Drive D: | 38.28 Gb Total Space | 20.53 Gb Free Space | 53.63% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: BASEMENT3K1R494
Current User Name: BT
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
 
[color=#E56717]========== Extra Registry (SafeList) ==========[/color]
 
 
[color=#E56717]========== File Associations ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
 
[color=#E56717]========== Shell Spawning ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[color=#E56717]========== Security Center Settings ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:smileylaugh:isabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:smileylaugh:isabled:@xpsp2res.dll,-22008
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:smileylaugh:isabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:smileylaugh:isabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
 
[color=#E56717]========== Authorized Applications List ==========[/color]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" = C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe:*:smileylaugh:isabled:test1 Module -- ()
"C:\WINDOWS\system32\dplaysvr.exe" = C:\WINDOWS\system32\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Links 2003\LinksMMIII.exe" = C:\Program Files\Microsoft Games\Links 2003\LinksMMIII.exe:*:Enabled:Links 2003 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Links 2003\LinksMod\LinksMMIII.exe" = C:\Program Files\Microsoft Games\Links 2003\LinksMod\LinksMMIII.exe:*:Enabled:Links 2003 -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\WINDOWS\system32\dwwin.exe" = C:\WINDOWS\system32\dwwin.exe:*:Enabled:dwwin -- (Microsoft Corporation)
"C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" = C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe:*:Enabled:smileylaugh:rgToDsc -- (Sonic Solutions)
"C:\Program Files\iTunes\iTunesHelper.exe" = C:\Program Files\iTunes\iTunesHelper.exe:*:Enabled:iTunesHelper -- (Apple Inc.)
"C:\Program Files\Windows Defender\MsMpEng.exe" = C:\Program Files\Windows Defender\MsMpEng.exe:*:Enabled:MsMpEng -- (Microsoft Corporation)
"C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe" = C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe:*:Enabled:Roxio Upnp Service -- (Sonic Solutions)
"C:\Program Files\Windows Defender\MSASCui.exe" = C:\Program Files\Windows Defender\MSASCui.exe:*:Enabled:Windows Defender -- (Microsoft Corporation)
 
 
[color=#E56717]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1FD0C5C1-B01B-4B4C-9607-E5D3B3D1318F}" = Microsoft IntelliPoint 4.1
"{345C90FB-FA10-11D5-9C2A-0080C85A0C2D}" = ABBYY FineReader OCR Engine for Microtek
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{868901EE-7807-4F89-A134-7C705D34F91F}" = Roxio Easy Media Creator 8 Suite
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{911B0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Word 2002
"{9870C7AE-7C6A-478D-9A75-35827382220F}" = Pinnacle Systems USB-2 Device Drivers
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}" = Microsoft Works 6.0
"{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}" = Camera Window
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{AC76BA86-7AD7-5464-3428-7050000000A7}" = Adobe Reader 7.0.5 Language Support
"{B08D262E-D902-11D5-9C28-0080C85A0C2D}" = ScanWizard 5
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}" = Works Synchronization
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C1212AE3-DBB9-4365-8473-F8ABC7B06BBB}" = Pinnacle Instant DVD Recorder
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon Utilities ZoomBrowser EX
"{C3A439E4-7303-491F-A678-CEA36A87D517}" = Microsoft Works Suite Add-in for Microsoft Word
"{C769A271-7E1C-48F9-B331-474600DD4C06}" = Microsoft Picture It! Photo 2002
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{DC19E750-988B-4005-A355-85EF66055EFE}" = Works Suite OS Pack
"{F0FC315A-7D1D-444F-BB96-A59B28179626}" = RemoteCapture Task 1.0.1
"{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = RAW Image Task
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Augusta National 2005" = Augusta National 2005
"hp deskjet 990c series" = hp deskjet 990c series (Remove only)
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{A29EA741-24F7-4C07-9B2C-06CB6491BE4A}" = Canon Camera Window for ZoomBrowser EX
"InstallShield_{F0FC315A-7D1D-444F-BB96-A59B28179626}" = Canon RemoteCapture Task for ZoomBrowser EX
"InstallShield_{FAF0DAD8-1EA7-4FEF-80E5-8D8D6EBD5A23}" = Canon RAW Image Task for ZoomBrowser EX
"Links 2003 1.0" = Microsoft Links 2003
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1  (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee SecurityCenter
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"Wagga Wagga Country Club" = Wagga Wagga Country Club
"WIC" = Windows Imaging Component
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2002Setup" = Microsoft Works 2002 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
 
[color=#E56717]========== Last 10 Event Log Errors ==========[/color]
 
[ Application Events ]
Error - 1/22/2010 4:23:29 PM | Computer Name = BASEMENT3K1R494 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80070422, P2 updateservicemanager-_get_services,
 P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender,
 P8 NIL, P9 NIL, P10 NIL.
 
Error - 1/22/2010 7:35:20 PM | Computer Name = BASEMENT3K1R494 | Source = Application Error | ID = 1000
Description = Faulting application mrt.exe, version 0.0.0.0, faulting module , version
 0.0.0.0, fault address 0x00000000.
 
Error - 1/22/2010 7:49:25 PM | Computer Name = BASEMENT3K1R494 | Source = Application Error | ID = 1000
Description = Faulting application mrt.exe, version 0.0.0.0, faulting module , version
 0.0.0.0, fault address 0x00000000.
 
Error - 1/22/2010 7:55:00 PM | Computer Name = BASEMENT3K1R494 | Source = Application Error | ID = 1000
Description = Faulting application mrt.exe, version 0.0.0.0, faulting module , version
 0.0.0.0, fault address 0x00000000.
 
Error - 1/22/2010 8:08:22 PM | Computer Name = BASEMENT3K1R494 | Source = Application Error | ID = 1000
Description = Faulting application mrt.exe, version 0.0.0.0, faulting module , version
 0.0.0.0, fault address 0x00000000.
 
Error - 1/23/2010 2:41:04 AM | Computer Name = BASEMENT3K1R494 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80070422, P2 updateservicemanager-_get_services,
 P3 fallbackcheck, P4 1.1.1593.0, P5 mpsigdwn.dll, P6 1.1.1593.0, P7 windows defender,
 P8 NIL, P9 NIL, P10 NIL.
 
Error - 1/23/2010 1:53:38 PM | Computer Name = BASEMENT3K1R494 | Source = Application Hang | ID = 1002
Description = Hanging application MSASCui.exe, version 1.1.1593.0, hang module hungapp,
 version 0.0.0.0, hang address 0x00000000.
 
Error - 1/23/2010 1:57:50 PM | Computer Name = BASEMENT3K1R494 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 1/23/2010 1:57:51 PM | Computer Name = BASEMENT3K1R494 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
Error - 1/23/2010 1:57:54 PM | Computer Name = BASEMENT3K1R494 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
 hungapp, version 0.0.0.0, hang address 0x00000000.
 
[ System Events ]
Error - 1/22/2010 7:57:05 PM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/22/2010 7:57:06 PM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/23/2010 1:10:28 AM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/23/2010 1:10:30 AM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/23/2010 1:10:32 AM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/23/2010 2:41:03 AM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/23/2010 2:41:03 AM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/23/2010 5:06:29 PM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/23/2010 5:06:33 PM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
Error - 1/23/2010 5:06:38 PM | Computer Name = BASEMENT3K1R494 | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
 
 
< End of report >
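Two parts of the Extras.txt above carry the thread's clearest signal. Under Security Center Settings, AntiVirusDisableNotify, FirewallDisableNotify and UpdatesDisableNotify are all 1 and McAfee monitoring is disabled, so the user would see no alerts; and under System Events, DCOM 10005 repeatedly reports error %1058 (Win32 ERROR_SERVICE_DISABLED) while trying to start wuauserv, the Automatic Updates service, which matches the complaint that Automatic Updates keeps getting switched back off. The Python script below is an added example, not part of the thread and not a feature of OTL: it parses those two sections from a constructed, abridged copy of the log (host name replaced) and prints the indicators a helper would want to see first. The Win32 error-name table is my addition.

```python
"""Triage helper for an OTL Extras.txt log.

Added example: not code from the thread and not part of OTL. It reads the
'Security Center Settings' and 'Last 10 Event Log Errors' sections and flags
suppressed Security Center alerts, AV monitoring switched off, application
crashes, and DCOM 10005 failures whose error code says a service is disabled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, abridged from the shape of the Extras.txt posted above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring" = 1
[ Application Events ]
Error - 1/22/2010 7:35:20 PM | Computer Name = HOST | Source = Application Error | ID = 1000
Description = Faulting application mrt.exe, version 0.0.0.0, faulting module , version
 0.0.0.0, fault address 0x00000000.
[ System Events ]
Error - 1/22/2010 7:57:05 PM | Computer Name = HOST | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
Error - 1/23/2010 1:10:28 AM | Computer Name = HOST | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
 arguments ""  in order to run the server:  {E60687F7-01A1-40AA-86AC-DB1CBF673334}
"""

SECURITY_CENTER = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center"
# Win32 error numbers as they appear inside DCOM 10005 descriptions ("%1058").
WIN32_ERRORS = {1058: "ERROR_SERVICE_DISABLED", 1068: "ERROR_SERVICE_DEPENDENCY_FAIL"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(\S+)\s*$')
EVENT_RE = re.compile(r"^Error - (.+?) \| .*Source = ([^|]+?) \| ID = (\d+)\s*$")
DCOM_RE = re.compile(r'DCOM got error "%(\d+)" attempting to start the service (\S+)')
CRASH_RE = re.compile(r"Faulting application (\S+),")


def parse_extras(text: str) -> Tuple[Dict[str, Dict[str, str]], List[dict]]:
    """Return ({registry key: {value name: data}}, [event dicts]) from the log text."""
    registry: Dict[str, Dict[str, str]] = {}
    events: List[dict] = []
    current_key = None
    current_event = None
    for line in text.splitlines():
        if line.startswith("["):            # registry key or event-log section header
            current_event = None
            m = KEY_RE.match(line)
            current_key = m.group(1) if m else None
            if current_key:
                registry.setdefault(current_key, {})
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            registry[current_key][m.group(1)] = m.group(2)
            continue
        m = EVENT_RE.match(line)
        if m:
            current_event = {"time": m.group(1), "source": m.group(2).strip(),
                             "id": int(m.group(3)), "description": ""}
            events.append(current_event)
            continue
        if current_event is not None and line.strip():   # wrapped description text
            current_event["description"] += " " + line.strip()
    return registry, events


def triage(registry: Dict[str, Dict[str, str]], events: List[dict]) -> List[str]:
    """Turn the parsed sections into human-readable findings."""
    findings: List[str] = []
    sc = registry.get(SECURITY_CENTER, {})
    for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
        if sc.get(name) == "1":
            findings.append(f"Security Center: {name}=1 (alerts for this component are suppressed)")
    for key, values in registry.items():
        if key.startswith(SECURITY_CENTER + "\\Monitoring\\") and values.get("DisableMonitoring") == "1":
            product = key.rsplit("\\", 1)[-1]
            findings.append(f"Security Center: monitoring disabled for {product}")
    start_failures: Dict[Tuple[str, int], int] = {}
    for ev in events:
        if ev["source"] == "DCOM" and ev["id"] == 10005:
            m = DCOM_RE.search(ev["description"])
            if m:
                pair = (m.group(2), int(m.group(1)))
                start_failures[pair] = start_failures.get(pair, 0) + 1
        elif ev["source"] == "Application Error" and ev["id"] == 1000:
            m = CRASH_RE.search(ev["description"])
            if m:
                findings.append(f"Application crash: {m.group(1)} at {ev['time']}")
    for (service, code), count in sorted(start_failures.items()):
        label = WIN32_ERRORS.get(code, f"Win32 error {code}")
        findings.append(f"DCOM 10005: {service} failed to start {count}x with %{code} ({label})")
    return findings


if __name__ == "__main__":
    for finding in triage(*parse_extras(SAMPLE_LOG)):
        print(finding)
```

Run against a real Extras.txt by reading the file into `parse_extras` instead of `SAMPLE_LOG`. The point of the DCOM check is that %1058 is not a crash but a policy state: something has set the service's start type to Disabled, which is why turning it back on in services.msc does not stick.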

Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l


I don't know if these extra tidbits will help or not - these are from just the last couple of days:

 

Files changed in the year 2099 looked familiar but are not quite the same as McAfee reported:

 

For Patched-SYSFile.a:

C:\Windows\system32\drivers\atapi.sys
PROCESS:system

 

For Vundo.gen.w

C:\WINDOWS\system32\sebodawe.dll
PROCESS: \??\C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\yapigifa.dll
PROCESS: \??\C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\gitenayi.dll
PROCESS: C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\yedibufo.dll
PROCESS: C:\WINDOWS\Explorer.exe


For Exploit-PDF.q.gen!stream

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet files\Content.IE5\RNYPONYHA\(a whole bunch of numbers and letters ending with - [1].pdf)

PROCESS: C:\WINDOWS\system32\svchost.exe
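The 2099 timestamps mentioned above are a useful triage signal on their own: no correctly running system writes a file dated decades ahead, so such files deserve a closer look regardless of what a scanner says about them. The script below is an added example, not part of this thread and not a feature of OTL or McAfee. It walks a directory tree and lists files whose modification time lies more than a day in the future; the sample tree, including the constructed file name zzqqmm.dll, is built in a temporary directory so it runs stand-alone.

```python
"""Find files whose modification time lies in the future.

Added example: not part of the thread and not a feature of OTL or McAfee.
A small sample tree is constructed in a temp directory; one file in it is
stamped 1 Jan 2099, mirroring the 2099 files the poster saw.
"""
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Ignore ordinary clock drift; flag anything more than a day ahead of 'now'.
FUTURE_SKEW_SECONDS = 24 * 3600


def find_future_timestamped(root: str, now: Optional[float] = None,
                            skew: float = FUTURE_SKEW_SECONDS) -> List[Tuple[str, float]]:
    """Walk root and return sorted (path, mtime) pairs with mtime > now + skew."""
    now = time.time() if now is None else now
    hits: List[Tuple[str, float]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue             # unreadable entry: skip rather than abort the sweep
            if st.st_mtime > now + skew:
                hits.append((path, st.st_mtime))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: three ordinary files plus one stamped 1 Jan 2099."""
    root = tempfile.mkdtemp(prefix="ts-triage-")
    for rel in ("normal1.dll", os.path.join("sub", "normal2.dll"), "notes.txt"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")
    # Constructed name standing in for a random-named DLL; not an IoC from the thread.
    odd = os.path.join(root, "sub", "zzqqmm.dll")
    with open(odd, "w") as fh:
        fh.write("sample")
    future = datetime(2099, 1, 1, tzinfo=timezone.utc).timestamp()
    os.utime(odd, (future, future))
    return root


def describe(hits: List[Tuple[str, float]]) -> List[str]:
    """Format hits as 'path  YYYY-MM-DD' lines (UTC)."""
    return [f"{p}  {datetime.fromtimestamp(m, tz=timezone.utc):%Y-%m-%d}" for p, m in hits]


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for line in describe(find_future_timestamped(root)):
            print(line)
    finally:
        shutil.rmtree(root)
```

Point it at a real system directory instead of the sample tree to use it for triage. A future mtime is only a hint, not proof: a wrong BIOS clock or a restore from a badly dated backup produces the same effect, so check the system clock before reading too much into a single hit.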

Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

Yep, we've got some work to do, but unfortunately I have to work tonight. I should be back with you tomorrow afternoon about 4PM Central time.... Sorry..

 

Note JohnD or LoPhatPhuud may stop by, either can help you as well or better than I....

TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

Haven't attempted any repairs but I let the computer run. Did another full scan with Defender and it reported all is well. The McAfee log shows Vundo.gen.w again @ 1/24 3:45 AM (zimuvate.dll repaired and removed) and Patched-SYSFile.a @ 1/24 9:05 AM (just repaired - atapi.sys again).
Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

Download ComboFix© by sUBs from one of these locations:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

 

Familiarize yourself with ComboFix before running it:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

 

- Rename Combofix.exe to Combo-fix.exe

- Double click on Combo-Fix.exe & follow the prompts.

- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.


Please post a new HijackThis log, the log from MBAM, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

Sorry, bad news CajunTek,

This malware, or whatever it is I have, seems to know other programs that can possibly threaten it.
When I tried to d/l Combofix.exe from bleepingcomputer the virus Artemis!B7B86A6C18E (a brand new one to me) popped up and blocked the d/l (several times). According to McAfee it directly attacked the combofix.exe in the I.E. temporary files folder!
The forospyware link to Combofix.exe must have been changed or something - it takes me to a Forum written in Spanish.
But it may not matter - The how-to-use Combo-fix page has a warning not to use Combofix because there is something wrong with it.

Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

That one is my bad.. (link was good yesterday)...

 

 

Can you download it to another computer and then copy it over from a floppy, cd or USB stick?

 

If not.. I have one other suggestion and I'll go ahead and post the instructions for that... Just in case.

 

Create the Kaspersky Rescue CD on a computer with internet access. Post the log in this thread. Be aware that if the exploit Virut is found, the only recourse will be to reformat.

 

The Kaspersky Rescue Disk is a bootable CD based version of Kaspersky Antivirus.
The download is in ISO format.
If you are not sure how to burn an image, please read 

 

http://www.bleepingcomputer.com/tutorials/tutorial114.html

 

If you need a FREE utility to burn the ISO image, download and use

 

http://www.imgburn.com/

 

Download the Kaspersky Rescue Disk:

 

http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/

 

 

- Burn the Kaspersky Rescue Disk ISO image to CD.
- Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
- Follow the instructions in the initial text screen to press Enter to start Kaspersky AntiVirus.
- Select your language (or wait a few seconds for the default English to load).
- Your screen may go blank for several minutes while the program loads.
- After the Kaspersky Rescue Disk loads, the database will be updated (if you have network connectivity).
- Click the Update tab to view the update progress.
- When the update has completed, click the Scan tab.
- Place a checkmark in all the available drives to scan the entire system.
- Click the "Security level" option, and select options.
- Make sure "All Files" is selected.
- Under "Scan of compound files" ensure all options are selected and click the OK button.
- Click the "On threat detection" option.
- Select "Do not prompt", "Disinfect", and "Delete if disinfection fails".
- Click the "Start scan" button.
- When the scan has completed, click the Reports button.
- Click the Save button, and select your System drive (normally your C: drive).
- In the "File name" box, name the file krd-log and click the Save button.
- Click Close to close the Reports window.
- Click the Exit button to close the Rescue Disk program and confirm.
- In the lower left of the screen, left-click the red [color=red]K[/color] button, select Logout, and confirm.
- The computer will shut down.
- Restart the computer and reboot normally.
- Please post the log (krd-log.txt) in your next reply.

 

TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l


Thanks CajunTek,
I think I can but it may take me a little while. If the other machine here hasn't been infected too, it shouldn't take me too long but if it is I'll probably have to wait until sometime tomorrow and have a friend make the disks.
From what I remember atapi.sys is the file that controls the CD-ROM drive. I just hope that Patched-SYSFile.a thingy didn't mess that up too.
Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

You are correct about what atapi.sys does... and, I hope so too..
TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

What do you want first? The good news or the bad news?

 

The Good? ok

I remembered how to get into the BIOS and the CDRW-ROM seems fine. I was even able to d/l the recovery disk iso right to here and even make the disk but the disk didn't work. So, thinking it probably didn't work because it was made here - I made another disk on another machine that seems fine (new iso d/l too - no way I'm letting these two on the router at the same time)

 

The Bad?

I think bleepingcomputer.com took the Combofix program down - 404 is all I get now.

 

Making the recovery disk went fine again but my machine still won't boot from it.

Bleepingcomputer.com tutorial requires joining their site so I followed the instructions from here:

 

http://pcsupport.about.com/od/toolsofthetrade/ht/burnisofile.htm

 

The freebie burner link there worked well too.

 

The Recovery Disk starts out ok but when it really gets going into the boot I get error messages (paraphrasing)

 

Medium error

 Then a bunch of SQUASHFS errors (something about fragments)

(then it ends with) Kernel panic - not syncing: Attempted to kill init!

(! - not me - the error wrote that)

 

Then the keyboard just blinks at me until I shut down. It was the same messages I got from the disk created on this machine. With all the malware running around in it I'm surprised it still works.

Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

Now that is a drag... I think you are at the reformat and reinstall spot.. I would get data and move that to CD and reformat and reinstall Windows.

 

Note, before copying that data to another PC or back to this one I'd scan that CD with everything (MBAM, your AV, etc)

TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

Maybe... I was thinking the same thing but now I'm not so sure.

I copied the Malwarebytes directory over from the other machine via CDR and it works now. All that was missing was the exe file.
It ran fine and found and quarantined a whole bunch of infected objects (All Vundo).
After a reboot, items like Windows Update came back to life. The update files it d/l'd just before all heck broke loose were now able to be installed, so they're in now.


I thought I was on to something, so deleted all the Quarantined Vundo stuff and thought I'd better defrag to make sure they're gone.
Well, about ten seconds into the defrag, McAfee finds and repairs Patched-SYSFile.a again.
I'm starting to think McAfee is really fixing it but I can't figure out what's causing it.

The MS Malicious Software Removal Tool JAN 2010 is now able to run but found nothing infected.

Defender found nothing.

McAfee ditto.

Ran another full scan with Malwarebytes but it came up clean - no infected object found.

Ran OTL again and found one file dated 2099 so I just went into that directory and put that file into the recycle bin.
Re-ran OTL with the six radio buttons on the right set to ALL - didn't see any 2099's but something seems to be wrong with the pagefile.

This is the first time back online and all the updates work but still got a goofy popup coming here.

Hijackthis even works now!

Think it might help if I post the .txt files from Malwarebytes and OTL also?


Here's the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:17 PM, on 1/25/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?118413334...
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - AppInit_DLLs: mulifadu.dll 
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

--
End of file - 7965 bytes

Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

Could you redownload and run Combofix please?

 

Post a log from that if you can.

TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l


CajunTek,

No I can't and something is very fishy about that program.

I could not d/l it on either machine so I had a friend d/l it and email it to me from their workplace.
All that came through (thankfully) was a McAffe_EmailScanReport.txt file.


quote:


******************   McAfee VirusScan************************
******* Alert generated at: Tuesday, January 26, 2010 9:01:24 AM *********
*********************************************************************

McAfee VirusScan has detected a potential threat in this e-mail
sent by (name and address withheld per screen__name).

The following actions were attempted on each suspect part:

The attachment "ComboFix.exe" is infected with one or more Trojans: Artemis!A661984C601E.
This attachment has been quarantined.


We strongly recommend that you report this suspect activity.
to (name and address withheld by screen__name).


(end quote)

Both machines here are running McAfee and picked up Artemis!A661984C601E when attempting to download this file.

Why recommend a program like this? If it got through and someone runs it, they'll be infected by a virus, won't they?

 

(edit - correct spelling)

Message Edited by screen__name on 01-26-2010 06:23 AM
Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

Combofix is a program that uses some tools which can also be used by the bad guys. So please, as stated, turn off your AV before trying to run Combofix.
TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

 Got 'er Dunnnnn - I hope it's good news. Kitty ate it?

 

 

 

ComboFix 10-01-26.01 - BT 01/26/2010  14:34:23.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1023.666 [GMT -5:00]
Running from: c:\documents and settings\BT\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\EventSystem.log
c:\windows\Tasks\vebxmpqk.job

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :smileysilly:
.
(((((((((((((((((((((((((   Files Created from 2009-12-26 to 2010-01-26  )))))))))))))))))))))))))))))))
.

2010-01-25 11:29 . 2010-01-25 11:29 -------- d-----w- c:\documents and settings\BT\Application Data\Malwarebytes
2010-01-25 10:40 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 10:39 . 2010-01-25 10:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-25 10:39 . 2010-01-25 11:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 10:39 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 08:03 . 2010-01-25 08:03 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-01-25 07:59 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\BT\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-25 07:59 . 2009-11-20 11:08 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-25 07:59 . 2010-01-25 07:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-25 07:57 . 2010-01-25 07:57 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-23 04:26 . 2010-01-25 18:04 -------- d-----w- C:\hjt
2010-01-23 00:20 . 2010-01-23 00:25 -------- d-----w- c:\program files\Windows Live Safety Center
2010-01-22 05:31 . 2010-01-23 21:21 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-20 01:53 . 2010-01-20 01:53 -------- d-----w- C:\e9b354251dc9644ce76a
2010-01-14 00:59 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 13:22 . 2001-08-18 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-25 13:22 . 2001-08-18 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-01-25 08:35 . 2009-09-30 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-25 08:02 . 2006-02-01 07:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-21 04:49 . 2008-01-25 14:55 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-14 16:12 . 2009-10-04 17:52 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:14 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 15:51 . 2001-08-18 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\kayufegi.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\najapofu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\yogegowi.dll.tmp
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-10 196608]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-10-21 163840]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-10-21 1687552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"nwiz"="nwiz.exe" [2009-02-18 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2006-2-1 335872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Roxio Shared\\SharedCOM8\\RoxWatchTray.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Drag to Disc\\DrgToDsc.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
.
Contents of the 'Scheduled Tasks' folder

2010-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-06 16:22]

2009-12-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-01-06 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKLM-Run-POINTER - point32.exe

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-26 14:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-01-26  14:43:43
ComboFix-quarantined-files.txt  2010-01-26 19:43

Pre-Run: 34,014,187,520 bytes free
Post-Run: 34,182,180,864 bytes free

- - End Of File - - BB4B274EBB63132A3DF52824B8860A9A
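Checks a practitioner would run over the Find3M section of this ComboFix log, as an added example of my own rather than anything ComboFix itself does. It flags timestamps at the FILETIME epoch (1601-01-01, meaning the stamps were zeroed rather than set by normal file activity), hidden+system .tmp files, and pairs of files in one folder whose names are one character apart with identical size and modified time, which is how the atapi.svs line sitting next to the disinfected atapi.sys stands out. The excerpt lines are copied from the log above; the rules and wording are mine, and the reading of the two ComboFix timestamps as created/modified is an assumption noted in the code. Whether atapi.svs is a leftover or a backup copy is not something the log settles; the check only says it deserves a look.

```python
import re
from itertools import combinations
from typing import Any, Dict, List, Tuple

# Find3M lines excerpted from the ComboFix log posted above. ComboFix prints two
# timestamps per file; here the first is treated as creation time and the second
# as last-modified time (an assumption drawn from the restored atapi.sys line,
# whose second stamp is the 2001 XP build date).
FIND3M = r"""
2010-01-25 13:22 . 2001-08-18 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-25 13:22 . 2001-08-18 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.svs
2010-01-25 08:35 . 2009-09-30 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-14 16:12 . 2009-10-04 17:52 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-12-21 19:14 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\kayufegi.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\najapofu.dll.tmp
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$"
)

Record = Dict[str, Any]


def parse_find3m(text: str) -> List[Record]:
    """Parse Find3M lines into records; directory rows get size None."""
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = int(m.group("size")) if m.group("size").isdigit() else None
        path = m.group("path")
        folder, _, name = path.rpartition("\\")
        records.append({
            "created": m.group("created"), "modified": m.group("modified"),
            "size": size, "attrs": m.group("attrs"), "path": path,
            "folder": folder.lower(), "name": name.lower(),
        })
    return records


def one_edit_apart(a: str, b: str) -> bool:
    """True when b differs from a by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def flag_find3m(records: List[Record]) -> List[Tuple[str, str]]:
    """Return (path, reason) findings; per-file checks first, then look-alike pairs."""
    findings: List[Tuple[str, str]] = []
    for r in records:
        if r["created"].startswith("1601-01-01") or r["modified"].startswith("1601-01-01"):
            findings.append((r["path"], "timestamp at the FILETIME epoch: stamps were zeroed"))
        if "h" in r["attrs"] and "s" in r["attrs"] and r["name"].endswith(".tmp") and r["size"] is not None:
            findings.append((r["path"], "hidden+system attributes on a .tmp file"))
    for a, b in combinations(records, 2):
        if (a["folder"] == b["folder"] and a["size"] is not None and a["size"] == b["size"]
                and a["modified"] == b["modified"] and one_edit_apart(a["name"], b["name"])):
            findings.append((b["path"], f"name is one character away from {a['name']} "
                                        "with identical size and modified time"))
    return findings


if __name__ == "__main__":
    for path, reason in flag_find3m(parse_find3m(FIND3M)):
        print(f"{path}\n    {reason}")
```

Run against the excerpt it reports the two .dll.tmp files twice each (epoch timestamp and hidden+system) and atapi.svs once, and nothing for wininet.dll or MpSigStub.exe, whose old modified dates are just what a patched system file looks like.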

Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

Almost forgot about this one: 

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:47 PM, on 1/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?118413334...
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

--
End of file - 7698 bytes
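A triage pass over the two HijackThis logs in this thread, as an added example (my own code, not part of HijackThis, ComboFix or the original posts). It parses excerpted entry lines, flags the O20 AppInit_DLLs value, Run entries that reference a bare filename, and rundll32-hosted modules, then diffs the before/after logs to list what disappeared. The log lines are copied from the two posts above; the severity labels and heuristics are my choices.

```python
import re
from typing import List, Tuple

# Lines excerpted from the two HijackThis logs posted in this thread: the first
# while the machine was still infected, the second after ComboFix had run.
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O20 - AppInit_DLLs: mulifadu.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

HJT_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - HKLM\..\Run: [name] command" -> kind "O4", body "HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

Finding = Tuple[str, str, str]  # (severity, reason, original entry body)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (kind, body) for every entry line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body").strip()))
    return entries


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (image, arguments); a quoted image path is kept whole.
    An unquoted path containing spaces is cut at the first space (crude but safe here)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    parts = cmd.split(None, 1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")


def triage(text: str) -> List[Finding]:
    """Heuristic review of one HijackThis log; findings come back in log order."""
    findings: List[Finding] = []
    for kind, body in parse_hjt(text):
        if kind == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process that links user32.dll and is
            # empty on a default XP install, so any value here is worth verifying on disk.
            if body.split(":", 1)[1].strip():
                findings.append(("HIGH", "AppInit_DLLs value present; verify the DLL on disk", body))
        elif kind == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # e.g. "Global Startup:" entries have a different shape
            image, args = split_command(m.group("cmd"))
            if image.lower().endswith("rundll32.exe"):
                # The host is rundll32; the module it loads is the first comma-separated argument.
                module = args.split(",", 1)[0].strip('" ')
                findings.append(("INFO", f"rundll32 hosts {module}; verify that module", body))
            elif "\\" not in image:
                # A bare filename is resolved by PATH search, so the log alone does not
                # say which file runs; locate it on disk and check its publisher.
                findings.append(("MEDIUM", f"Run entry references {image} without a path", body))
    return findings


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the earlier log but absent from the later one."""
    after_bodies = {body for _, body in parse_hjt(after)}
    return [f"{kind} - {body}" for kind, body in parse_hjt(before) if body not in after_bodies]


if __name__ == "__main__":
    for sev, why, entry in triage(HJT_BEFORE):
        print(f"[{sev}] {why}\n        {entry}")
    print("Gone after ComboFix:")
    for entry in removed_entries(HJT_BEFORE, HJT_AFTER):
        print("  ", entry)
```

The diff lists exactly the entries the ComboFix log accounts for: the two orphans it reports removing (POINTER and the Works update checker) plus the AppInit_DLLs line, which is the one HIGH finding in the earlier log and is absent from the later one.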

Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

That looks much better. How are things behaving now?
TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l


Malwarebytes' Anti-Malware 1.44
Database version: 3637
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/26/2010 4:48:26 PM
mbam-log-2010-01-26 (16-48-26).txt

Scan type: Quick Scan
Objects scanned: 119424
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

 

(Edit)

We must have been posting at the same time. MUCH better; I've only seen one pop-up, but it may have been legit (on the Comcast page). Even so, I closed the window with Task Manager.

I was checking a few things (changed nothing) and I seem to have a damaged Active-X file and two that it's dependent on. I think it has something to do with Adobe, so I was wondering if that exploit might have had something to do with this.

 

 

 

 

Message Edited by screen__name on 01-26-2010 02:04 PM
Security Expert
CajunTek
Posts: 20,976
Registered: ‎10-07-2003

Re: Virus thwarts even hijackthis d/l

Could be, I'd update Adobe as there was a security patch just recently due to an exploitable (and recently exploited) vulnerability...

 

 

I also suggest the following...

 

 


  1. Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. This includes SP1 and SP2 if you use Windows XP. The first defense against infection is a properly patched Operating System.

    • Windows Update: Windows Update

    • If you have Word, Excel, Outlook or other Office programs installed. Consider using Microsoft Update instead of Windows Update. See the FAQ page here for more information:
      Microsoft Update

  2. Also, download and install Microsoft Baseline Analyzer. (Note that MBSA is only for Win 2000 SP3 or later and Office XP or later.) When run, it will check your system for security exposures, including missing updates. I suggest running it weekly. You can obtain more information here: MS Baseline Analyzer

  3. Adjust your security settings for ActiveX:
    Select Internet Options from the Control Panels, or from Internet Explorer (Tools -> Internet Options)
    Press 'default level', then OK
    Now press "Custom Level."

    • In the ActiveX controls and plug-ins section set these options:
      'Download signed ActiveX controls' - Prompt
      'Download unsigned ActiveX controls' - Disable
      'Initialize and script ActiveX controls not marked as safe' - Disable
      All other options accept the default

  4. For Windows XP SP2 users, check this link for additional steps you can take to secure Internet Explorer: Securing IE in Windows XP SP 2

  5. Also, for XP SP2 and IE users, in IE, Tools -> Manage Add-ons will give you a list of all BHOs, Extensions, and ActiveX modules installed on your computer. You can update, enable or disable them.
  6. Download and install the following free programs


  7. Install Spyware Detection and Removal Programs:
    You may also want to consider installing one (or all) of the following:


  8. Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend a combination of Windows Defender and BOClean from Comodo.

  9. Reset System Restore
    If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information. You should do this now.

  10. Clean Temporary Files and Folders
    Download and install the disk cleanup utility called Cleanup!

    • Cleanup! will get rid of any malware which may be hiding in your temp folders (a common hiding place). You may also regain a massive amount of disk space.
      Here is a tutorial which describes its usage:
    • Run the disk cleanup utility called Cleanup! that you have already downloaded and installed
      Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin.
      Then reboot into normal mode to let it clean out the remaining files. I also like CCleaner for the same purposes.

  11. If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check the following two Items.


  12. Rogue/Suspect Anti-Spyware
    Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing.

  13. Anti-Spyware Programs Compared
    Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work?

  14. Alternate Browser
    Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser; another excellent choice is Opera. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.



For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out This faq at DSLreports

"In the end It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned." This is especially true of the rogue or suspect ones.. Sometimes these Eulas will even admit the badware is going to be installed.. You really should read these carefully.

Good luck, and thanks for coming to our forums for help with your security and malware issues.

TANSTAAFL!!



Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

Thanks so very much CajunTek.

 

The Malwarebytes and the Combofix seem to have taken care of most of it.
That Combo is scary to use without any protection on-line.
At one point the screen went black and the computer restarted but I had forgotten to rename it.
After renaming it worked fine.

 

The MS Baseline Security assessment: Strong Security

 

It seems to be running great now but there are still some things I'm not sure about.

 

That damaged Active-X file: I right-clicked on it and there was an option to update; I tried it and it worked, but I'm not sure if that is part of the security patch or not.
The software update was named Adobe DLM. It d/l'd the Adobe Update Manager but I already have it; it seems OK and it repaired the other two files as well.
I went to Adobe looking for the security patch but which one? There doesn't seem to be any for the Reader but there are several for the Flash PRO. AFAIK my Flash is just the freebie add-on version (I don't have Flash Player).

 

Windows Live safety scanner (delete or keep?)

 

References to a Symantec Antivirus in the hijackthis log from an on-line virus scan I tried out. (Remove it from the Registry?)

 

RE: the Security Settings for Active-X:
Under the Security tab, do I reset All Zones to their Default Level or just the Internet Zone?
Or am I looking in the wrong place?
Each Zone has several Default resets to choose from.

 

And there are two security(?) issues this machine has had for a while and still does:
(might be just 'bugs')

 

After a boot or a reboot, if I go into Network Connections sometimes the Local Area Connection will say Connected, Firewalled; other times just Connected (or Disconnected, Firewalled or Disconnected if the router is off).
If I right click on the icon, bring up the properties and simply hit the OK - the Firewalled portion will return.
When it says just Connected or Disconnected if I check the Security Center it states Firewall is on.
Weird - but does it mean anything?

 

InPrivate Filtering is always off when I first launch I.E.8 or close I.E.8 and reopen.
Is that normal?

 

Bronze Problem Solver
DoubleG
Posts: 1,696
Registered: ‎03-15-2004

Re: Virus thwarts even hijackthis d/l

screen_name

FYI Adobe DLM is a download manager for Adobe. You don't need it to update any of your Adobe programs; it just allows you to resume a download should that download get interrupted, so you can pick up where you left off. You can remove it through Add/Remove Programs.

 

When you want to update your Adobe Reader, which includes security fixes, just open the program, go to Help in the menu at the top and click Check for Updates. Adobe will check for any updates and security fixes you need.

Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

Thanks DoubleG,

I often misread things. I thought it had been d/l'd from their site. The Reader is OK (I guess); no updates found when I checked.

 

There is no Adobe d/l Manager listed in my add/remove programs. Did something replace it like 'Adobe.com' or Adobe AIR?

But I'm not sure about Flash any more. Flash Player 10 ActiveX is there under Add/Remove but under 'size' it's blank.

 

Now this is really weird - that damaged Adobe (object) file is back along with the two it's dependant on.

Bronze Problem Solver
DoubleG
Posts: 1,696
Registered: ‎03-15-2004

Re: Virus thwarts even hijackthis d/l

Your Flash is the same as mine; it's OK. You do not need Adobe.com or Adobe AIR. AIR is a media player by Adobe and Adobe.com is tied to it. You can safely uninstall them. When you install new versions of Flash or Shockwave Player, Adobe slips these programs into the download. Next time you install, carefully read the download boxes that come up and you can catch and uncheck those boxes when they appear.
Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

Thanks 2xG,

Re: damaged Active-X Adobe object

I tried updating it again.
Update was successful,
Checked Add/Remove and Adobe D/L Manager was there,
Emptied cache and all that stuff and restarted I.E.,
Update still there,
Adobe D/L Manager still there,
Rebooted computer,
Update is gone,
D/L Manager is gone from Add/Remove (that's normal: http://kb2.adobe.com/cps/520/cpsid_52001.html ),
Damaged object is back as if it never left.

I think it's just a remnant Adobe doesn't use anymore. Adobe Updater probably replaced D/L Manager.

Yeah, you're right about me not needing Adobe AIR or Acrobat Com. Did some checking over at Adobe and looked up AIR - they lost me at "AIR is a ..."
I already put Com in the unused desktop shortcuts folder. Can't find any shortcut to run AIR (just as well).

Regular Contributor
Posts: 32
Registered: ‎02-27-2005

Re: Virus thwarts even hijackthis d/l

Sorry for the drift CT,

The machine has been running well but the Combofix log didn't exactly inspire me with confidence that Vundo was gone.

I made the switch to Comcast Norton to see if it could do any better.

The change over went smooth as glass, thanks to CHW308's and Queen_Evie's instructions.

(off-topic notes)
After the MRT, according to taskman, the mcupdate_xxxxxxxxx was still running, so I ended the task, found and deleted it.
Also found some 'pre-fetch files' starting with 'mc' and looking very McAfee-like, so put them in the recycle bin.
After install, all programs seem to be working fine with Norton so I deleted those pf's too.

Full Scan with Comcast Norton found and quarantined Trojan.Vundo!gen4

Pretty much right back where I started except I haven't seen any pop-ups and it's running much better.

So, I decided to go back to the beginning and go right down the list.

1. Comcast Norton full scan found and removed Vundo.

2. Trend Micro House Call 7.1 reported no problems.
   Windows Live Safety Scan involved using pop-ups so I did not run it.

3. Ad-Aware (8.1.4 free)
   The check-marks sticky instructions after d/l are no longer valid.
   Full Scan took ~2 hours and 45 minutes.
   No Criticals found, only a few cookies.
   Let AAW remove them.
   I'm not sure if this version of AAW is designed to work in Safe Mode or not.
   It took over 3 minutes just to load.
   10 minutes to scan < 300 objects?
   With 100K more to go, I aborted the scan.


4. Windows Defender
   Worked fine in Safe Mode - No unwanted or harmful software detected.
   Rebooted to normal and ran WD with Norton in 'silent' mode.
   No unwanted or harmful software detected.

5. Spybot
   After install but before the program had run (at all) -
   It confused the heck out of me.
   A window about Legal Stuff jumped out - scared me to death but I hit OK anyhow.
   Then several things all started happening at once.
   The update, the program, a warning about Ad-Aware, and another asking if I wanted to back up the registry.
   Took care of them (I hope) and went into Safe Mode.
   There it marked a registry entry and some cookies in red.
   None in any other color so they're gone and back to normal boot.
   Ran again with Norton in silent mode.
   No Immediate Threats Were Found

6. Ewido
   Is Ewido dead?

7. Ran HJT - saved log (see below).

8. Ran Malwarebytes full scan, off-line (Norton silent)
   Found the following in a restore point - (a reboot was required to remove these per MB):
   C:\System Volume Information\_re... (Malware.Trace) -> Quarantined and deleted successfully.
   C:\System Volume Information\_rest..(Trojan.Agent) -> Quarantined and deleted successfully.
   C:\System Volume Information\_rest..(Malware.Trace) -> Quarantined and deleted successfully.
   C:\System Volume Information\_rest. (Trojan.Agent) -> Quarantined and deleted successfully.

   I turned off restore points, ran a full scan again and MB found no problems.

9. Rebooted and did a Norton Full Scan - found only 1 cookie. (still off-line to this point)

10. Ran Belarc
   The first one is not a security patch but is not validated.
   The second is not either, but BAA has 'Reinstall!' alongside it.

   (KB927978)
   MS06-071: Security update for Microsoft XML Core Services 4.0

   (KB954550-V5)
   Some Microsoft XPS features are not available in Windows Server 2003 and in Windows XP

I'm just not sure what the next step should be or if I messed up and need to go back.
I don't mind running without restore points for a while.

HJT LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:34 AM, on 1/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Security Suite\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Security Suite\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\BT\LOCALS~1\Temp\mcupdate_1264741636.exe /syncfin C:\DOCUME~1\BT\LOCALS~1\Temp\mcupdate_1264741636.ini /insfin
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?118413334...
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\3.5.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

--
End of file - 8342 bytes
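The HJT log above is a fixed-format text file, and triaging one by hand means reading each section code and checking where every autorun entry actually points. As an added example (not HijackThis code, and not anything posted by the people in this thread), here is a small Python script that parses the R/O entry lines into records and flags O4 Run entries worth a second look: a program started from a Temp directory (as the mcupdate_... entry in the log is) or a bare file name that Windows resolves through the search path. The sample lines are copied from the log above; the two flag rules are assumptions chosen for illustration, not HijackThis logic.

```python
# Added triage example for HijackThis-style logs; not HijackThis code.
# Parses R/O entry lines into records and flags O4 Run entries whose
# launched file sits in a Temp directory or has no path at all.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# An entry line is a section code (R0, R1, O2, O4, O23, ...) followed by " - ".
ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# O4 registry Run entries: "<hive>\..\Run: [<name>] <command>".
# The hive is matched lazily so "HKUS\S-1-5-18\..\Run" parses too.
O4_RUN = re.compile(r"^(?P<hive>HK.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)   # flag rule (assumption)
RUNDLL_HOSTS = {"rundll32.exe", "rundll32"}


@dataclass
class Entry:
    code: str
    body: str


@dataclass
class Autorun:
    hive: str
    name: str
    command: str
    target: str
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Keep only the R/O entry lines; headers and process paths are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.code for e in entries))


def first_token(cmd: str) -> str:
    """First argument of a command line: a quoted string, or up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def launched_target(cmd: str) -> str:
    """The file that really runs. For rundll32 that is the DLL argument,
    with the trailing ,EntryPoint removed when the DLL path is unquoted."""
    cmd = cmd.strip()
    first = first_token(cmd)
    if first.lower() in RUNDLL_HOSTS:
        parts = cmd.split(None, 1)
        rest = parts[1].strip() if len(parts) > 1 else ""
        dll = first_token(rest)
        return dll if rest.startswith('"') else dll.split(",")[0]
    return first


def assess(target: str) -> List[str]:
    flags = []
    if TEMP_DIR.search(target):
        flags.append("runs from a Temp directory")
    if "\\" not in target:
        flags.append("bare file name, resolved via search path")
    return flags


def autoruns(entries: List[Entry]) -> List[Autorun]:
    out = []
    for e in entries:
        if e.code != "O4":
            continue
        m = O4_RUN.match(e.body)
        if not m:  # "Global Startup: ..." entries have a different shape
            continue
        target = launched_target(m["cmd"])
        out.append(Autorun(m["hive"], m["name"], m["cmd"], target, assess(target)))
    return out


def suspicious(entries: List[Entry]) -> List[Autorun]:
    return [a for a in autoruns(entries) if a.flags]


# Lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Running processes:
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\BT\LOCALS~1\Temp\mcupdate_1264741636.exe /syncfin C:\DOCUME~1\BT\LOCALS~1\Temp\mcupdate_1264741636.ini /insfin
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(section_counts(found))
    for a in suspicious(found):
        print(f"{a.hive} [{a.name}] -> {a.target}: {'; '.join(a.flags)}")
```

Run against the sample it reports the nwiz entry (no path) and the McAfee Update entry starting from the user's Temp folder; everything else, including the rundll32-hosted NVIDIA and USB entries, resolves to a normal program path and stays quiet. A Temp-directory autorun is not proof of infection (here it was a McAfee updater left behind), but it is exactly the kind of entry to check before deciding a log is clean.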