nagrap2
Posts: 15
Posts posted by nagrap2
-
Hi,
I tried the suggested rkill files; the one that worked was WiNlOgOn.exe.
Log:
--------------------------------------------------
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Rkill was run on 01/02/2011 at 21:27:00.
Operating System: Microsoft Windows XP
Processes terminated by Rkill or while it was running:
C:\Documents and Settings\All Users\Application Data\eAgKhCf15400\eAgKhCf15400.exe
Rkill completed on 01/02/2011 at 21:27:09.
------------------------------------------------------
I then ran Malwarebytes as instructed and was able to update to the latest version. Then when the application restarted, I get the following error:
"An error has occurred. Please report this error code to our support team. MBAM_ERROR_EXPANDING_VARIABLES(0, 453)"
Please suggest next steps.
-
Hi,
I have the System Tool virus.
I have followed the instructions and downloaded DeFogger, DDS and GMER, but when I try to run them, System Tool prevents them from running. I also cannot run Internet Explorer or Malwarebytes. I have tried renaming the exe files to something else, but they still do not execute.
Please advise....
Thanks in advance...
-
Hi,
My laptop is infected with the System Tool virus.
I have tried to start up in Safe Mode with Networking; I then ran Malwarebytes and it detected approx. 20 infections. I removed those, then when I restarted in normal mode System Tool reappeared.
Now I am unable to run any apps.
Please help!!
Thanks in advance...
-
Hi,
I have run ComboFix and have pasted the log below. The trojan doesn't seem to be popping up now; however, are you able to check from the log below whether it is completely removed?
ComboFix 10-11-17.04 - Owner 18/11/2010 20:11:29.1.2 - x86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: PCguard Anti-Virus *On-access scanning disabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *disabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\2E.tmp
C:\desktop.ini
c:\documents and settings\Owner\Local Settings\Application Data\147491517.exe
c:\documents and settings\Owner\Local Settings\Application Data\24443339.exe
c:\documents and settings\Owner\Local Settings\Application Data\710192911.exe
c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
C:\kmd.exe
c:\program files\Altnet
c:\program files\Altnet\Download Manager\adm25.dll
c:\program files\Altnet\Download Manager\adm4.dll
c:\program files\Altnet\Download Manager\adm4005.exe
c:\program files\Altnet\Download Manager\admdata.dll
c:\program files\Altnet\Download Manager\admdloader.dll
c:\program files\Altnet\Download Manager\admfdi.dll
c:\program files\Altnet\Download Manager\admprog.dll
c:\program files\Altnet\Download Manager\asmend.exe
c:\program files\Altnet\Download Manager\dminfo3.cab
c:\program files\Altnet\Download Manager\dmsetup.bmp
c:\program files\Altnet\Download Manager\dmsetupbig.bmp
c:\program files\Altnet\Download Manager\jsinstall.cab
c:\program files\Altnet\Download Manager\jslegals.txt
c:\program files\Altnet\Download Manager\selectdir.txt
c:\program files\Altnet\Download Manager\selectdir1st.txt
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cab.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\docfile.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-1)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-2)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete-3)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\hqx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\html.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\html.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.xmd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete-1)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete-2)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_w95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_x95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mso.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mso.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\na.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\nelf.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.xmd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sfx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\tar.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\tar.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab (incomplete)
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.txt.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab
c:\program files\Mozilla Firefox\plugins\NPNd2fn.dll
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2PLUGIN.DLL
c:\program files\Need2Find\bar\1.bin\NPND2FN.DLL
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\0091FED1
c:\program files\Need2Find\bar\Cache\files.ini
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\prevcfg.htm
c:\windows\Readme.txt
c:\windows\system\Color
c:\windows\system32\hadl.dll
c:\windows\system32\iexplore.exe
c:\windows\system32\system
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FCI
-------\Legacy_SYSLIBRARY
((((((((((((((((((((((((( Files Created from 2010-10-18 to 2010-11-18 )))))))))))))))))))))))))))))))
.
2010-11-16 22:08 . 2010-11-16 22:08 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-11-16 21:09 . 2010-11-16 21:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-11-16 21:04 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 21:04 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 21:04 . 2010-11-16 23:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-16 20:45 . 2010-11-16 20:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-16 20:45 . 2010-11-16 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-11-16 20:43 . 2010-11-16 20:43 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-11-15 17:33 . 2010-11-15 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-10-31 16:55 . 2010-10-31 16:56 -------- d-----w- c:\documents and settings\Owner\Application Data\vShare
2010-10-31 16:54 . 2010-10-31 16:55 -------- d-----w- c:\program files\vShare
2010-10-31 16:48 . 2010-10-31 16:48 -------- d-----w- c:\program files\Veetle
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 12:23 . 2003-01-02 19:10 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2003-01-02 19:10 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-01-02 19:10 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-01-02 19:10 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-02-06 17:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2003-01-02 19:10 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2003-01-02 19:10 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2003-01-01 15:37 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2003-01-02 19:11 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2003-01-02 19:11 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2003-01-02 19:10 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2003-01-01 15:12 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-14 20:22 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2003-01-02 19:10 617472 ----a-w- c:\windows\system32\comctl32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-04 831557]
"kdx"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-06-27 1449984]
"Podmailing"="c:\program files\Podmailing\Podmailing.exe" [2008-06-06 173056]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-02-22 26101032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-02-17 50176]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus Photo RX420 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-22 180269]
"EPSON Stylus Photo RX420 Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"nwiz"="nwiz.exe" [2003-03-04 323584]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-04 4595712]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-12 114688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-12-20 278528]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"4oD"="c:\program files\Kontiki\KHost.exe" [2006-11-08 1040832]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-09-26 35328]
"Nokia FastStart"="c:\program files\Nokia\Nokia Music\NokiaMusic.exe" [2008-12-03 2372840]
"EPSON Stylus Photo RX420 Series (Copy 2)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
blueyonder Instant Support Tool.lnk - c:\program files\blueyonder IST\bin\matcli.exe [2003-10-19 204800]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [22/09/2008 16:58 693512]
R2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\Virgin Broadband\PCguard\SafeConnect\bin\SanaAgent.exe [14/11/2008 18:28 4937752]
R2 ScanDrv;ScanDrv;c:\windows\system32\drivers\scandrv.sys [28/02/2004 16:05 195396]
R3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectDriver.sys [14/11/2008 18:28 161304]
R3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectFilter.sys [14/11/2008 18:28 29720]
R3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys [14/11/2008 18:28 27376]
S2 gupdate1cabfbcb3e7fcc4;Google Update Service (gupdate1cabfbcb3e7fcc4);c:\program files\Google\Update\GoogleUpdate.exe [09/03/2010 19:14 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [16/11/2010 21:04 38224]
S3 Normandy;Normandy SR2; [x]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [22/09/2008 16:58 910600]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\Virgin Broadband\PCguard\RpsSecurityAwareR.exe [27/05/2009 13:10 170736]
.
Contents of the 'Scheduled Tasks' folder
2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 19:13]
2010-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-09 19:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://vshare.toolbarhome.com/?hp=df&t=1
uDefault_Search_URL = hxxp://srch-qgb8.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uInternet Connection Wizard,ShellNext = iexplore
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\q7l2yjno.default\
FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{F48BDBDD-846B-456D-A78D-F9F6100C7D57} - (no file)
HKLM-Run-Msdmxm - c:\windows\system32\msdmxm.exe
HKLM-Run-EvtHtm - c:\windows\system32\evthtm.exe
HKLM-Run-PS2 - c:\windows\system32\ps2.exe
HKLM-Run-ATIPTA - c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
AddRemove-AltnetDM - c:\program files\Altnet\Download Manager\AltnetUninstall.exe
AddRemove-EvtHtm - c:\windows\system32\evthtm.exe
AddRemove-Msdmxm - c:\windows\system32\Msdmxm.exe
AddRemove-Yazzle1461Oin - c:\program files\Common Files\Yazzle1461OinUninstaller.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 20:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Virgin Broadband\PCguard\Fws.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\ALCXMNTR.EXE
c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
c:\program files\Common Files\Teleca Shared\CapabilityManager.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\program files\blueyonder IST\bin\mpbtn.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-11-18 20:51:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-18 20:51
Pre-Run: 61,329,727,488 bytes free
Post-Run: 66,791,022,592 bytes free
- - End Of File - - 4FA321475AC89BCCF12AFE1852AE3395
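The ComboFix log above ends its "Reg Loading Points" section with the Run keys, the Security Center override and the firewall profile setting a helper reads first. As an added example (not part of the original post, and not ComboFix's own code), the Python script below parses a constructed block in that same format and flags the entries worth a closer look: Run values whose target no longer exists ([X]), bare file names that Windows resolves through the search path, targets under user-writable profile directories, random-looking file names such as the one Rkill terminated in the first post, and the AntiVirusOverride / EnableFirewall settings. The sample block and its "Updater" value are constructed for the example; every flag is a triage cue for a human to confirm, not a verdict.

```python
import re

# Constructed sample in the ComboFix "Reg Loading Points" format. The "Updater"
# value is made up for this example; its path mirrors the file Rkill terminated.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="nview.dll" [2003-03-04 831557]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-02-22 26101032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-02-17 50176]
"Updater"="c:\documents and settings\All Users\Application Data\eAgKhCf15400\eAgKhCf15400.exe" [2011-01-02 123456]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="target" [date size]  or  "Name"="target" [X]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# "Name"=dword:00000001  or  "Name"= 0 (0x0)
DWORD_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))$')

# Path fragments that mark locations a standard user can write to (heuristic list).
USER_WRITABLE = ("documents and settings", "application data", "local settings", "\\temp\\", "\\users\\")
# Mixed-case letters followed by digits, e.g. eAgKhCf15400 (heuristic, not a signature).
RANDOM_STEM_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{6,}\d{3,}$")


def parse_loading_points(text):
    """Return (key, name, value, meta) tuples. Run values carry the target path and
    ComboFix's bracketed metadata; dword/decimal settings carry an int and meta 'setting'."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("target"), m.group("meta").strip()))
            continue
        m = DWORD_RE.match(line)
        if m and key:
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            entries.append((key, m.group("name"), value, "setting"))
    return entries


def triage(entries):
    """Return (key, name, reasons) for each entry that deserves a closer look."""
    findings = []
    for key, name, value, meta in entries:
        reasons = []
        if meta == "setting":
            if name.lower() == "antivirusoverride" and value != 0:
                reasons.append("Security Center antivirus warnings overridden")
            if name.lower() == "enablefirewall" and value == 0:
                reasons.append("Windows Firewall disabled for this profile")
        else:
            if meta == "X":
                reasons.append("target file no longer exists")
            if "\\" not in value:
                reasons.append("bare file name, resolved through the search path")
            if any(marker in value.lower() for marker in USER_WRITABLE):
                reasons.append("target under a user-writable profile directory")
            stem = value.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if RANDOM_STEM_RE.match(stem):
                reasons.append("random-looking file name")
        if reasons:
            findings.append((key, name, reasons))
    return findings


def triage_log(text):
    return triage(parse_loading_points(text))


if __name__ == "__main__":
    for key, name, reasons in triage_log(SAMPLE_LOG):
        print(f"[{key}] {name}: " + "; ".join(reasons))
```

Run against the sample, the script leaves the Skype entry alone and flags the rest; the bare-name flags on NVIEW and AlcxMonitor show why the flags are cues rather than verdicts, since both resolve to legitimate vendor files in the log above, whereas a mixed-case-plus-digits executable under All Users\Application Data is the pattern a helper would quarantine first.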
-
Hi,
I ran ATF Cleaner as requested and it cleared approx. 500 MB.
I ran Goored Fix.
I ran TDSSKiller and it said no infections found. When I try to click on the Report button to download the log, Security Tool kicks in and prevents Notepad from starting.
Basically, whenever I try to run any executable it is prevented by Security Tool. The way I got around running the above was to rename each executable to "iexplore.exe", as explorer seems to start up fine.
What can we try next?
-
Attaching OTListIt.txt, as when I try to paste it, it says it's too long.
-
Hi,
I have tried to scan using Malwarebytes in Safe Boot mode and it doesn't detect any trojans. I then start in normal mode and try to scan, and Malwarebytes doesn't complete as I get the blue screen of death.
I then tried to follow the guide given here (http://forums.malwarebytes.org/index.php?showtopic=9573), but Security Tool blocks me from running the DDS.scr file in normal mode, so I restarted in Safe Boot mode.
I was unable to run the GMER Rootkit Scanner as I get a Windows error saying the program has encountered a problem and needs to close...
I then tried to follow the instructions given at the bottom of this (http://forums.malwarebytes.org/index.php?showtopic=67755&hl=Security+Tool) post to run OTL.exe and RootkitUnhooker.
Unfortunately RootkitUnhooker did not run as I got an error saying "Error loading/opening driver".
I am running Windows XP.
Please let me know if you require me to run any other tools.
DDS.txt:
DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
Run by Administrator at 0:18:46.51 on 17/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.368 [GMT 0:00]
AV: PCguard Anti-Virus *On-access scanning enabled* (Updated) {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: PCguard Firewall *enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
mSearchAssistant =
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PopKill Class: {3c060ea2-e6a9-4e49-a530-d4657b8c449a} - c:\program files\virgin broadband\pcguard\pkR.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O5 "LPT1:" /M "Stylus Photo RX420"
mRun: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [EPSON Stylus Photo RX420 Series (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 1)" /O6 "USB001" /M "Stylus Photo RX420"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [PCSuiteTrayApplication] c:\progra~1\nokia\nokiap~1\LAUNCH~1.EXE -startup
mRun: [RecoverFromReboot] c:\windows\temp\RecoverFromReboot.exe
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles
mRun: [Nokia FastStart] "c:\program files\nokia\nokia music\NokiaMusic.exe" /command:faststart
mRun: [EPSON Stylus Photo RX420 Series (Copy 2)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P40 "EPSON Stylus Photo RX420 Series (Copy 2)" /O5 "LPT1:" /M "Stylus Photo RX420"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [broadbandadvisor.exe] "c:\program files\virgin broadband\advisor\Broadbandadvisor.exe" /AUTORUN
mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueyo~1.lnk - c:\program files\blueyonder ist\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxp://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133824864851
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37913.5428703704
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BD393C14-72AD-4790-A095-76522973D6B8} - hxxp://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab41227.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/CheckersZPA.cab40641.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
================= FIREFOX ===================
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
============= SERVICES / DRIVERS ===============
S1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2010-1-11 179984]
S2 gupdate1cabfbcb3e7fcc4;Google Update Service (gupdate1cabfbcb3e7fcc4);c:\program files\google\update\GoogleUpdate.exe [2010-3-9 133104]
S2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-9-22 693512]
S2 RadialpointSafeConnectAgent;Virgin Broadband PCguard SafeConnectAgent;c:\program files\virgin broadband\pcguard\safeconnect\bin\SanaAgent.exe [2008-11-14 4937752]
S2 ScanDrv;ScanDrv;c:\windows\system32\drivers\scandrv.sys [2004-2-28 195396]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-11-16 38224]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-9-22 910600]
S3 Radialpoint Security Services;Virgin Broadband PCguard;c:\program files\virgin broadband\pcguard\RpsSecurityAwareR.exe [2009-5-27 170736]
S3 RadialpointSafeConnectDriver;RadialpointSafeConnectDriver;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectDriver.sys [2008-11-14 161304]
S3 RadialpointSafeConnectFilter;RadialpointSafeConnectFilter;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectFilter.sys [2008-11-14 29720]
S3 RadialpointSafeConnectShim;RadialpointSafeConnectShim;c:\program files\virgin broadband\pcguard\safeconnect\driver\platform_xp\SafeConnectShim.sys [2008-11-14 27376]
=============== Created Last 30 ================
2010-11-16 23:56:58 69120 ----a-w- c:\windows\system32\iexplore.exe
2010-11-16 21:09:09 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-11-16 21:04:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-16 21:04:19 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-16 21:04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-16 20:45:36 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-11-16 20:45:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-11-16 20:43:03 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2010-11-15 17:33:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-10-31 16:54:59 -------- d-----w- c:\program files\vShare
2010-10-31 16:48:20 -------- d-----w- c:\program files\Veetle
==================== Find3M ====================
2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
============= FINISH: 0:20:33.51 ===============
-
I did some further reading and managed to fix the issue. Under internet options --> connections --> LAN settings the "use a proxy server for your LAN" option was checked, so I unchecked it and checked "automatically detect settings". All seems to be working fine now !!
Thanks for your help, please can you close this topic now.
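The two leftovers this thread ran into, a proxy flag that blocks plain http and a policy that disables regedit, can be audited on the cleaned machine with the script below. It is an added example, not code from the thread or from Malwarebytes; it reads only the standard HKCU WinINet and Explorer policy keys, and the -Remediate switch is a name chosen here.

```powershell
# Added example (not from the thread): audit the per-user settings a rogue-AV
# infection commonly leaves behind, and optionally clear them.
# Run from an elevated PowerShell prompt on the cleaned machine.
param([switch]$Remediate)

$inet   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# 1. WinINet proxy: a leftover proxy entry can block plain http while https
#    still loads, which matches the symptom described in the thread.
$proxyEnable = Get-RegValue $inet 'ProxyEnable'
$proxyServer = Get-RegValue $inet 'ProxyServer'
$autoConfig  = Get-RegValue $inet 'AutoConfigURL'
if ($proxyEnable -eq 1) { $findings += "ProxyEnable=1, ProxyServer='$proxyServer'" }
if ($autoConfig)        { $findings += "AutoConfigURL='$autoConfig' (PAC script in use)" }

# 2. Registry editor disabled by policy: this value produces the
#    "Regedit has been disabled by the Administrator" message.
$regTools = Get-RegValue $policy 'DisableRegistryTools'
if ($regTools -eq 1) { $findings += 'DisableRegistryTools=1 (regedit blocked)' }

if ($findings.Count -eq 0) {
    Write-Output 'No leftover proxy or regedit policy found under HKCU.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Remediate) {
        # Clear the proxy and drop the policy value; Internet Explorer reads
        # the new settings on its next start.
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
        if ($autoConfig)     { Remove-ItemProperty -Path $inet -Name AutoConfigURL }
        if ($regTools -eq 1) { Remove-ItemProperty -Path $policy -Name DisableRegistryTools }
        Write-Output 'Remediated. Re-run without -Remediate to confirm.'
    }
}
```

The same policy value can also be set under HKLM; this script checks the per-user location only, which is the one the message in this thread points at.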
-
Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
Do not reboot your computer after running rkill as the malware programs will start again.
Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
Do not reboot your computer after running rkill as the malware programs will start again.
Next:
Please download Malwarebytes' Anti-Malware to your desktop.
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Then click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
- Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also please describe how your computer behaves at the moment.
Please don't attach the scans / logs, use "copy/paste".
Hi,
Since I could start up the Firefox web browser, I tried renaming the Malwarebytes exe to firefox.exe and managed to get it to start up.
I ran a scan and cleared the 5 items that were flagged as being trojans.
So now the pc seems to be clean of the trojan however I am now facing the following issue:
When I open up either internet explorer or firefox I am unable to load up any http web pages, however, I am able to view https webpages. This issue seems to have come about after removing the files malwarebytes flagged as being trojan files.
Please advise.
-
Hi,
Looks like I have a trojan which is preventing me from starting up Malwarebytes. I get a fake warning popping up saying Threat: Win32/Nuqel.E
I have tried the following so far but no luck:
1) Tried renaming the exe to have an extension of .com but it still didn't start up
2) Tried running in Safeboot mode and Malwarebytes started and ran a scan, also removed all infections, but then when running in non-safeboot mode the infections re-appeared.
What should I try next?
Thanks in advance,
Nagra
-
Hi,
I have completed the above, but when I try removing the infected files I get the "Regedit has been disabled by the Administrator" message. I'm sure others have experienced this issue, is someone able to point me to the relevant post?
-
Hi,
I have a trojan and have run malware bytes quick scan. When I go to remove the infected files I get the following message, please advise on how I re-enable regedit:
"Regedit has been disabled by the Administrator"
Thanks in advance...
-
Hi,
I have the XP Antispyware 2010 trojan on my other laptop. I have tried to install Anti-Malware but it does not start up when I click the setup file. I have tried following various guides on the web that recommend renaming the exe to something else and then trying to run it, but it does not work.
I have tried following the removing manually instructions but find I have different files to what the guides tell me.
I noticed there is a av.exe running.
Please can someone help !!!
Much appreciated.
System Tool infecting Windows XP
in Resolved Malware Removal Logs
Posted
Hi,
It doesn't let me load anything up now. Once the laptop starts up, after about 5 secs the System Tool dialogue opens and then doesn't let me open anything, not even My Computer.